 |
| New ITAR license exemptions for transfer
of defence articles to dual or third country national employees of companies in
the EU |
October 2011 |
New ITAR license exemptions for transfer of defence articles to
dual or third country national employees of companies in the EU
1. The Issue
This note reviews some of the
issues raised by the new exemption available under the U.S.
International Traffic in Arms Regulations ("ITAR") rules on
transfers of non-classified defence articles to employees who
are dual or third country nationals. As outlined below,
the new exemption is intended to provide for risk-based
assessment based on the risk of diversion of military articles
where employees without appropriate security clearance are
involved.
|
|
|
The risk-based screening provided for in the new exemption
involves collecting and keeping records on 'substantive
contacts' employees maintain with the proscribed countries.
These record keeping requirements raise substantial questions
under local laws regulating employment relationships, privacy
and discrimination in many countries. There may be scope for
raising national security exceptions to the obligations imposed
on end users of U.S. military articles by local laws but
invoking these exceptions cannot be taken for granted. This note
will focus on these issues as they arise in the UK, France and
Germany.
By way of background, the new
exemption operates in addition to the previously available exemption for
nationals of NATO and EU countries as well as Australia, New Zealand,
Switzerland and Japan, which continues to be available under the terms of the
final version of the amended ITAR. Further, the exemption is only needed
where the employee does not have security clearance from the end-user host
country, although the precise level or type of clearance required is not
specified and is reportedly under discussion with a number of governments in
affected countries.
The new exemption is intended to
move away from a strictly nationality-based assessment of employees to a
risk-based assessment that takes into account 'substantive contacts' with the
restricted or prohibited countries listed in ITAR 126.1. Companies using
this exemption must establish screening procedures that include collecting
information on each employee's substantive contacts with the countries concerned
and keeping records of the information collected for five years.
Substantive contacts with
restricted or prohibited countries that must be screened for include:
-
Regular travel to those
countries;
-
Recent or continuing contact
with agents, brokers and nationals;
-
Continued demonstrated
allegiance to any of those countries;
-
Maintenance of business
relationships with persons from the countries;
-
Maintenance of a residence in
the countries;
-
Receiving salary or other
compensation from the countries;
-
Other acts indicating a risk of
diversion of the military articles.
The U.S. State Department
Directorate of Defence Trade Controls (DDTC) published Guidance, dated 26 July,
on Implementation Considerations in applying these exemptions. The
Guidance included a sample questionnaire for use in assessing substantive
contacts. That Guidance, along with Licensing Guidelines published on 25
July and a Frequently Asked Questions document are all available on the DDTC
website and include useful information on a number of aspects of the application
of the exemption.
This note considers the legal
implications of compliance with the full risk-based screening required by
companies seeking to invoke the new exemption under ITAR 126.18.c.2. That
screening exercise may run into serious problems with employment, discrimination
and privacy/data protection laws in host jurisdictions, including the EU
countries. There continue to be problems with nationality based screening
under the familiar ITAR exemption but the new exemption raises new problems that
will be outlined below. There have been suggestions that the option for
relying on the exemption for local security cleared employees would be relied
upon. There have been reports of discussions among concerned governments
for using their own security clearance procedures to satisfy this option in the
new exemptions. The Baseline Personal Security Screening (BPSS) as used in
the UK has been raised as one possible option for invoking the security
clearance option. The potential for using security screening in this way
raises different issues that we will address in a future bulletin based on
experience with its application if it becomes a practical alternative.
2. Implementation of the exemptions under national laws in the EU
a. The UK
The collection of information for screening purposes in the UK is likely to
engage the Data Protection Act 1998 (DPA), placing a number of obligations on
any company collecting an employee's 'personal data'. Companies that operate
across the EEA should note that although data protection law is based on an EU
Directive (from which the DPA is itself derived), there is considerable
variation in the way it is applied and screening is likely to be more difficult
in many other countries.
The DPA
requires companies to notify individuals before a screening exercise takes
place. This should explain the purpose or purposes for which the employee's data
are intended to be processed as part of the screening and any further
information which is considered necessary in the circumstances.
It is unlikely that UK companies will require the consent of employees as there
are other data processing conditions which the companies could rely on under the
DPA. There are stricter conditions imposed on companies, however, if 'sensitive
personal data' are collected (for example, health data, or information on
religious or philosophical beliefs). Employee consent is likely to be required
for such data and could be sought by incorporating suitable wording in the
individual's employment contract.
Companies should be diligent in checking the accuracy of any information they
receive through the screening process and be aware of restrictions placed on the
use of automated decision-taking technology. The DPA also requires companies to
ensure that they don't process excessive or irrelevant data; consideration
should be given, therefore, to the amount of data that is considered necessary
to effectively screen individuals. It would be important to understand whether
the screening lists could be limited to an employee's basic identification (for
example, name and address) before a potential match was made and additional data
collection was required.
Companies will also need to be aware of DPA rules concerning the export of data
to the US (and any other countries outside the EEA). For example, where the
importing organisation is not 'Safe Harbor' certified, standard contractual
clauses may need to be agreed between the companies to ensure that there are
adequate protections in place for the data.
There is no requirement in the UK for companies to submit to the local data
protection authority (the ICO) for approval prior to implementation of the
screening process but companies would need to ensure that their ICO notification
is up-to-date.
There are notable
sanctions for data protection breaches in the UK; under new ICO powers, a
serious breach of the DPA can attract fines of up to £500,000.
From an employment law perspective, the main area of concern in the UK is that
compliance with ITAR exemptions under 126.18 may fall foul of the
anti-discrimination provisions contained in the Equality Act 2010.
Although it is made clear that nationality of itself will not of itself prohibit
access to defence articles, an employee who has substantive contacts with
prohibited countries may be denied access. The requirement that employees
do not have substantive contact with certain countries could amount to indirect
race discrimination, even in circumstances where employees are prepared to sign
a contract of employment accepting such a limitation.
Discrimination on the basis of race may be legally justified if it can be shown
that such discrimination is a proportionate way of achieving a legitimate aim.
However, making out such a case will depend on the particular circumstances of
each case.
There are in addition
certain exceptions to the application of the Equality Act. For example,
exceptions may be available on the grounds of national security or pursuant to a
ministerial order. The ability for employers to rely on such exceptions is
likely to be limited and ministerial orders may not be forthcoming in this area.
b. France
In France, the same data protection restrictions apply as in the UK and
processing should be notified to the French data protection authority (CNIL).
Transfers to the US where the importer is not "safe Harbor" certified are
subject to a prior authorisation of the French data protection authority (CNIL)
even when standard contractual clauses have been concluded with the importer.
It is uncertain whether employee consent, even inserted in employment contracts,
could permit the processing of sensitive data, since employee consent is
generally considered as invalid by the French data protection authority (CNIL)
based on the presumption that it cannot be freely given. Whereas
nationality is not considered under French data protection law as sensitive data
(unlike under employment law, see below), processing of other types of
information that might reveal, even indirectly, existing or presumed ethnic
origin or political opinions or other sensitive data would be subject to
caution.
Companies should be
particularly diligent in ensuring the objectivity and relevance of
questionnaires. The wording of questionnaires and the adequacy of answers should
be strictly defined. Furthermore, collection of information from other persons
than employees themselves could be considered as unfair or disproportionate in
case employees are not adequately informed and are not given a right to raise
legitimate objections to the processing of their data. In addition, companies
should pay close attention to measures for maintaining confidentiality and
security of data and they should strictly limit the categories of personnel
authorised to access data. Keeping data up to 5 years will also trigger
the necessity to put in place an adequate archiving process in compliance with
CNIL's guidelines.
In case
of a data protection breach, the French DP act gives the CNIL powers of
sanctions, including fines up to 300,000€ and powers to stop the processing, all
of which may be made public and result in adverse publicity. In addition,
processing of personal data without prior filing with the CNIL, or unfair
collection of personal data or processing of sensitive data in breach of data
protection law may constitute a criminal offense sanctioned by 5 years of
imprisonment and by a fine up to 1,500,000€.
c. Germany
From a German perspective the new ITAR exemptions raises issues with respect to
the German Data Protection Act and the General Equal Treatment Act as well as
general employment law.
Employee
data collection and transmission in Germany is subject to the German Data
Protection Act, which is – like the UK DPA – based on EU Law. Employee data
collection and transmission is only legitimate under German law if either the
employee has given his or her consent or a statutory regulation permits data
collection/transmission in a specific case.
It is questionable whether the employee's consent in this respect could be
obtained with suitable wording in the employment contract upfront but most
notably such consent can be withdrawn at any time by the employee at his/her
sole discretion. Without the employee's consent the screening could yet be
justified, if the collection of information and its export is necessary to
protect legitimate interests of a third party or for reasons of national and
public security. However, this would require an assessment of whether the
principle of proportionality is preserved with respect to each piece of
information and each step of the screening and exporting procedure. It seems
highly doubtful whether collection and/or export of information regarding
"substantial contacts" would be deemed generally proportionate and it is
therefore unlikely to be permitted.
The screening is also likely to
conflict with the General Equal Treatment Act, which is also derived from EU
Directives. The Act prohibits, among other restrictions, discrimination based on
race and ethnic origin. The screening of only those employees on the basis of
nationality under 126.1 could be deemed indirect discrimination. This could
still be justified if the screening and export of data pursues a lawful
intention and is proportionate and necessary, which would have to be assessed in
each particular case. A similar check to that required under data
protection law would be required.
The collection of information of employees in Germany would also trigger
co-determination rights of the works council. The consent of a works council
established in the company or respective business operation could be required
with respect to the content and the procedures of the data collection and any
transmission of employee data.
3. Conclusion
The new ITAR exemptions are a welcome addition to the exemptions available for
transfers of unclassified defence articles within end-user companies to dual
nationality or third-country national employees. Nevertheless, use of the
exemption will place a substantial administrative burden on companies and will
raise substantial issues under privacy, non-discrimination and general
employment laws in jurisdictions where end-user companies are operating.
Programmes intended to meet the requirements of the new exemption set out in
ITAR will need to be very carefully developed to balance the needs of both ITAR
and national laws. This brief outline of some of the issues raised by a few of
the national laws in the EU on privacy, data protection and employment provides
only a few examples of the considerations that will need to be incorporated into
development of such a compliance programme. Each country concerned will
have its own set of issues and legal restrictions that need to be considered in
implementing a compliance programme under these ITAR exemptions. The Bird
& Bird offices throughout the EU would be happy to discuss the best way of
avoiding compliance problems in each of their national jurisdictions.
Contact Us
You can also
contact your regular Bird & Bird advisor to be referred to an ITAR expert in
other jurisdictions than those listed.
The content of this update is of general interest and is not
intended to apply to specific circumstances. The content should
not, therefore, be regarded as constituting legal advice and
should not be relied on as such. In relation to any particular
problem which they may have, readers are advised to seek
specific advice. Further, the law may have changed since first
publication and the reader is cautioned accordingly.
BIRD & BIRD Bird & Bird is an international legal
practice comprising Bird & Bird LLP and its affiliated and
associated businesses. Bird & Bird LLP is a limited liability
partnership, registered in England and Wales with registered
number OC340318 and is regulated by the Solicitors Regulation
Authority. Its registered office and principal place of business
is at 15 Fetter Lane, London EC4A 1JP. For details of
Bird & Bird, our offices, our members, the use of e-mail and
regulatory information, please see
twobirds.com and, in particular,
twobirds.com/english/Legal_Notices.cfm. The word
"partner" is used to refer to a member of Bird & Bird LLP or an
employee or consultant, or to a partner, member, director,
employee or consultant in any of its affiliated businesses, who
has equivalent standing and qualifications. A list of members of
Bird & Bird LLP and of any non-members who are designated as
partners, and of their respective professional qualifications,
is open to inspection at our London office address. All
such persons are solicitors, registered foreign lawyers or
non-registered European lawyers.
|
|
|