The export of certain categories of software, and particularly encryption software, is controlled by export control regulations in the UK and the EU. Breaching export controls is a criminal offence.
Now that the UK has left the EU but with the benefit of a transition period under the Withdrawal Agreement, EU law will continue to apply in and in relation to the UK until the end of the transition period - scheduled to end on December 31st 2020.
After the end of the transition period the EU Treaties, EU free movement rights and the general principles of EU law (such as the single market and the customs union) will cease to apply in the UK. Prior EU regulations will continue to apply in UK law until they are modified or revoked by UK regulations.
For the purposes of EU export controls at the end of the transition period the UK will immediately be regarded as being a 'third country' and the UK will establish its own separate export controls regime. Exporters of software (whether the software is transmitted electronically or stored on physical exports) and providers of software as a service (SaaS) will need to consider the compliance requirements of exports of controlled software from the EU to the UK and the separate UK export control regime.
What is the EU export control regime?
EU export controls generally apply to items (including software and technology) that:
• are specially designed or modified for military use, and
• are designed for civilian use but which have potential military uses (‘dual-use’ items)
Additional controls apply to certain specific sanctions lists. This analysis focusses on the regime applicable to dual-use items, which is the export control regime most likely to be relevant to commercial software.
The categories of software that are subject to EU export control on dual-use items are listed in Annex 1 of Council Regulation (EC) 428/2009 (EU Dual-Use Regulation) (as amended, including by Council Regulation (EU) No 1232/2011). These include cryptography for data confidentiality having in excess of 56 bits of symmetric key length and the use of an asymmetric algorithm where the factorisation of integers is in excess of 512 bits. Most commonly-used encryption protocols use key lengths which exceed these levels (e.g. AES 128, 1024 RSA and 1024 DH). Certain product categories, focussing on consumer, mobile phone and end-user banking products, are excluded from export control as further set out in that Annex.
The definition of ‘export’ under the EU Dual-Use Regulation is broad and in addition to physical exports includes:
• transmission of software or technology by electronic media, including by fax, telephone, email or any other electronic means to a destination outside the EU and also includes making available in an electronic form such software and technology to legal and natural persons and partnerships outside the EU
• oral transmission of technology when the technology is described over the telephone
The burden of compliance under the EU Dual-Use Regulation falls on the ‘exporter’ as defined in the legislation.
The EU Commission has introduced a number of General Export Authorisations (GEA), including a GEA for the export of all dual-use items (including encryption software) to Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and the USA (EU001). There is also a GEA to a wider range of countries for some but not all dual-use items (including some but not all encryption software protocols) (EU002). For details of other GEAs, including a conditional GEA specifically relating to certain telecommunications products (EU005), see UK government guidance.
Each of the EU GEAs sets out:
• the destinations to which exports are permitted
• the items that may be exported to those destinations
• conditions of use
GEAs are valid in all member states of the EU. A company established in one EU Member State may export from that or any other Member State under the GEA providing it complies with:
• the conditions of the GEA
• any additional requirements as specified by the competent authorities in the Member State where the exporter is established
• where appropriate, any additional requirements of the Member State from whose territory the export takes place (e.g. UK cryptographic reporting requirements)
In addition to GEAs, dual-use items may be exported under:
• national general export authorisations, such as the UK’s open general export licences (OGELs). OGELs are pre-published licences that the exporter needs to register for via the SPIRE licensing database. Holders of OGELs must meet all specified terms and conditions and are subject to compliance audits. The Export Control Joint Unit (ECJU), part of the Department for International Trade, administers the UK’s system of export controls and licensing for military and dual-use items, issues OGELs and undertakes compliance audits
• global licences, granted by competent authorities to one exporter and may cover multiple items to multiple countries of destination or end users (e.g. see the UK’s Open Individual Export Licences (OIEL))
• individual licenses, granted by national authorities to one exporter and covering exports of one or more dual-use items to one end-user or consignee in a third country (e.g. see the UK’s Standard Individual Export Licences (SIEL))
‘Dual-use’ products (such as encryption software) which circulate solely within the EU are not subject to any export controls between EU Member States, except for a small number of sensitive items.
In addition to the EU regime, Member State laws control certain dual-use items, for example the UK Strategic Export Control Lists (see Schedule 3 of the Export Control Order 2008 which, for example, prohibits the export of certain software and technology to Iran).
In relation to the export of products outside the EU, there are some complications arising due to differences in approach to export control between the US and the EU. For example, US export controls include an exemption for ‘mass market’ items (see US ‘Mass Market’ guidance) that is less restrictive than the EU exemption for products that are generally available to the public (see EU Guidance note 1/2016). This can mean that products can be covered by the US ‘mass market’ exemption but still be regarded as being subject to EU export control.
The export control regime after the end of the transition period
Exports of dual-use software from the EU to the UK
In order to deal with the need for export approvals for exports of dual-use items (including encryption software) from the EU to the UK, the EU will amend the GEA (EU001) for the export of all dual-use items (including encryption software) to include exports from the EU to the UK (see Regulation (EU) 2019/496).
The EU Commission has commented that the UK should be added to the list of countries that dual-use items can be exported to under the GEA ‘in order to ensure a uniform and consistent application of controls throughout the Union, to promote a level playing field for Union exporters and to avoid an unnecessary administrative burden while protecting Union and international security’.
Exporters must notify the relevant national competent authorities of the first use of the GEA and EU Member States are entitled to require registration prior to first use of the GEA. As an example, details of the notification arrangements required for the use of the EU to UK GEA for exports from Ireland to the UK are set out in the section below headed ‘Using the EU to UK GEA’.
Exports of dual-use software from the EU to another third country
The EU regime will continue largely unchanged. However, organisations will need a licence, issued by a remaining EU Member State, for exporting dual-use items from EU Member States to a non-EU country. An export licence issued in the UK will no longer be valid to export dual-use items from an EU member state. Where specific export approvals have been granted before the end of the transition period to exporters for the export of software subject to export controls outside the EU, care will need to be taken after the end of the transition period that approvals have been given by the correct export authority.
Exports of dual-use software from the UK to the EU
At the end of the transition period, the EU Dual-Use Regulation will be incorporated into UK law under the European Union (Withdrawal) Act 2018 (Retained EU Dual-Use Regulation). The Trade etc. in Dual-Use Items, Firearms and Torture etc Goods (Amendment) (EU Exit) Regulations 2019 will make amendments to the Retained EU Dual-Use Regulation so that it operates in a UK context post-Brexit.
Other amendments to legislation in the field of customs and in particular, in relation to export and other trade controls on military and dual-use goods are made by the Export Control (Amendment) (EU Exit) Regulations 2019, SI 2019/137. See: LNB News 01/02/2019 113.
In order to deal with the export of dual-use items from the UK to the EU, the UK has issued an OGEL that will cover the export of all dual-use items (including encryption software) from the UK to the EU from the end of the transition period. Details of the registration process for the use of the OGEL are set out below. The OGEL has conditions and does not apply if the exporter is aware that the dual-use item is intended to be used in certain weapons systems. The exporter must include a note on the items that the items are being exported under the OGEL (unless the export is by means of electronic media) and records must be kept of each export under the OGEL. See also the UK government’s guidance Exporting controlled goods after EU exit.
Details of the registration arrangements required for the use of the UK to EU OGEL are set out in the section below headed ‘Applying to Use the UK to EU Open General Export Licence’.
Exports of dual-use software from the UK to countries outside the EU
Licences to export dual-use items to a non-EU country issued by the UK before the end of the transition period will remain valid for export from the UK (including those issued under the GEA).
Where specific export approvals have been granted before the end of the transition period to exporters for the export of software subject to export controls outside the EU, care will need to be taken after the end of the transition period that approvals have been given by the correct export authority. After the end of the transition period, export licences issued by EU Member States will no longer be valid for exports from the UK. A new licence will be required issued by the UK. See also the UK government’s guidance Exporting controlled goods after EU exit.
What practical issues need to be considered?
Software exported as goods
In many cases software will either be:
• embedded in physical goods which may themselves fall under export controls
• stored on physical media (such as a storage disk or a physical device) and therefore likely to be treated in the same manner as physical goods
In such cases the general principles regarding the export of goods, which have been enforced for many years, are likely to apply and are relatively well understood.
Status of Electronic Software Downloads and SaaS Solutions
The export controls applicable under both the EU Dual-Use Regulation (in the remaining EU-27) and Retained EU Dual-Use Regulation (in the UK) will apply to ‘transmission’ and making ‘available’ software or technology in electronic form outside the UK or EU (as applicable). Since the definition of export includes making items ‘available’ the mere possibility of access (e.g. to data on a server) can bring items within the scope of the regime.
Difficult issues arise in that context as export controls were generally developed for a physical world. A number of conceptual difficulties arise when applying those more physically focused regimes to the online environment. For example, the responsible exporter is the entity which ‘decides’ to transmit or make available software or technology by electronic media to a destination outside the EU. Applying these concepts in the context of electronic downloads of software and SaaS solutions is not straightforward. There may be debate on whether companies providing electronic downloads of software, SaaS providers and/or their customers are ‘exporters’ for the purposes of the export controls. Unfortunately, there is a lack of guidance from relevant authorities on these issues.
As a result, the manner in which the export controls apply to electronic downloads of software and SaaS solutions needs careful consideration. In particular, companies providing these types of services will need to be aware of the location of their customers and where relevant data is stored and may be accessed from and take steps to ensure that they are compliant with the export controls.
For electronic downloads of software the export controls may be applicable to both the supplier and the customer. For electronic downloads of dual-use software to a customer outside the UK or EU (as applicable), when the software is made available by the supplier to that customer (generally through the provision of a download key to the customer) it is clear that an export will be made and it would seem likely that the export controls will become applicable to the supplier (since they have decided to make the software ‘available’). When the customer actually downloads the software to a location outside the UK or EU (as applicable) it may be argued that the customer is also subject to the export controls (e.g. on the basis that they have ‘decided’ to transmit the software to their jurisdiction).
Similarly, for SaaS solutions the export controls may be applicable to both the supplier and the customer and, in addition, separate consideration needs to be given to both the software and data elements of the SaaS solution.
Where SaaS solutions are provided on a cross-border basis to users outside the UK or EU (as applicable), the SaaS software is made available by the SaaS solution provider to the customer. If the SaaS software is covered by the export controls both the SaaS supplier and the customer may be subject to the export controls:
• the supplier is likely to be regulated on the basis that the SaaS supplier makes available the SaaS solution in the marketplace and furthermore makes the SaaS solution available to customers outside the UK or EU (as applicable)
• SaaS customers (and users) may be regulated when they access SaaS software on a cross border basis based on a similar analysis as applied to electronic downloads (above). Of course, the customer may not have any awareness of the software solutions that are used within the service. For example, the customer may not be aware that encryption protocols are used within the service or may well be unaware of (or prevented by confidentiality constraints from knowing) the level of the sophistication of the encryption protocols and whether this is sufficient to bring the service within the scope of the export controls
There is particular uncertainty regarding the respective responsibilities of SaaS suppliers and customers if data that is subject to export controls is uploaded by a customer to the SaaS service. Once uploaded, the data may be exported in breach of export controls if, for example, the data is then:
• stored in other jurisdictions
• made ‘available’ or ‘transmitted’ to users in other jurisdictions
There may be debate as to whether the customer or supplier has ‘decided’ to ‘transfer’ or make ‘available’ the data and is therefore a responsible exporter, the outcome of which may depend on the specific circumstances.
If the SaaS solution or electronic download is provided on a purely domestic basis it will not be subject to the export controls.
What enforcement action might be taken?
Holders of most types of export licences, including general authorisations and licences, are subject to routine inspections. The frequency of inspections varies, but takes into account several factors, including the types of licences utilised and the knowledge and experience of the business in relation to export controls, and in the UK generally varies from once every six months to every three years. UK businesses are usually inspected within three months of first use of their licence(s). In 2018 less than half of UK businesses were compliant on their first inspection.
The sanctions available for breaches of the dual-use export controls include:
• seizure of goods, documents and electronic materials
• fines and penalties
• arrest and/or prosecution, with the possibility of prison for certain offences
In the UK, HMRC regularly uses its discretionary power contained in Section 152 of the Customs and Excise Management Act 1979 (CEMA 1979) to impose compound penalties. These allow HMRC to offer the exporter the chance to settle a case which would otherwise justify being referred to the CPS for prosecution, saving the taxpayer and the company time and legal fees. They are usually imposed following the voluntary disclosure by UK exporters of an export breach. If the disclosure is accepted by HMRC, the fine forms an administrative penalty in lieu of prosecution. In January 2019, HMRC announced that compound penalties ranging between £1,000 and £4,000 had been issued in the preceding seven months relating to three separate UK exporters in respect of the unlicensed export of dual-use goods and export breaches controlled by the Export Control Order 2008.
Enforcement actions relating to dual-use software are rare since enforcement in this area generally tends to focus on goods, and especially on the export of unlicensed military goods. However, in September 2019 it was reported that German prosecutors had launched an investigation into the FinFisher company in relation to the alleged export of the FinSpy surveillance software to Turkey without an export licence as required by EU and German laws on the export of dual-use items.
The financial penalties imposed for breaches of export controls are not insignificant. Recent enforcement actions by HMRC in the UK have included, in April 2018, a compound penalty of £109,312.50 for the export of military goods controlled by the Export Control Order 2008 and, in April 2019, a further compound penalty totalling £82,152.33 imposed on another company in breach.
Section 68 of CEMA 1979 tends to be the main prosecution mechanism used in the UK. However, that section of CEMA 1979 relates only to goods, whereas the Export Control Order 2008 includes measures for the enforcement of controlled software and technology.
The enforcement issues are not confined to breaches of UK or EU export controls. For companies listed on the US stock market, enforcement and possible penalties under the regime established by the Sarbanes-Oxley Act of 2002 (SOX) need to be taken into consideration. According to SOX regulations, companies must ensure that all business transactions are compliant with the law, and that transaction records are accurate so that financial statements can be prepared in accordance with GAAP rules. Because exports can be a key component in financial reporting, violations of export laws not only risk enforcement of the export controls, but may also risk enforcement in the US pursuant to SOX.
What are the practical implications?
The export control regimes are complex and far reaching and they apply regardless of:
• the nationality of the person exporting or the recipient
• whether the transfer is between members of a group or within a single organisation
• whether the recipient shares the exported items
• the purposes for which the recipient uses the exported items (e.g. regardless of whether it is for work or personal use)
Companies which license or use software on a pan-European basis after the end of the transition period will need to ensure that they comply with the regulatory regime for the export of software in both the UK and the EU. For example, an EU company transferring software for business purposes from the UK to a UK national working in Spain for the same company may be subject to export control laws post-Brexit. In particular:
• companies that export dual-use software from the UK to the EU will generally need to comply with the terms of the UK to EU OGEL which requires registration through SPIRE (see below), compliance with certain notice and record keeping obligations and potentially audits
• companies that export dual-use software from the EU to the UK will generally need to comply with the terms of the GEA, including notifying the relevant national competent authorities of the first use of the GEA and, if required by the member state, registration prior to first use of the GEA
SaaS solution providers that provide services between the UK and the EU (and vice versa) also need to ensure that they have the correct export authorisations in place issued by the correct national authorities and that (as appropriate) their users and customers are made aware of applicable export controls and the locations of data centres and are contractually required to act in ways designed to avoid the risk of a breach.
All organisations which may be subject to export controls should implement an Internal Compliance Program (ICP) and ensure that the correct export licences issued by the correct authority will be in place.
Applying to Use the UK to EU Open General Export Licence
Although the UK to EU Licence has been published it will only come into force at the end of the transition period (see government guidance). However, companies can already register to use the UK to EU OGEL.
Registrations should be made through SPIRE, the electronic licensing database of the UK Export Control Organisation (ECO). SPIRE is used to register for OGELs or to apply for export or trade licences issued by the ECO. The ECO has published guidance on the application process.
The SPIRE system works on the basis of one SPIRE registration per Companies House registration number so companies that currently export dual-use software outside the EU may already be registered with SPIRE.
The SPIRE registration process is primarily an online process (which requires the upload and submission of company registration documents, such as the Companies House Registration Certificate). Following the completion of the online stage, the ECO sends a hard copy letter to the Authorised Company Executive (e.g., company secretary) to the company's Registered Office.
This letter requires the company secretary to sign a declaration stating that the applicant that has set up the account is authorised to do so by the company, that they are further authorised to nominate additional users within the registration and at the required access levels. As a result, it is important that companies nominate a company representative who has a sufficient level of authority and can take responsibility for the SPIRE registration process.
Once the declaration has been returned to the ECO (in hard copy with an original signature) the registration is activated by the ECO, assuming the ECO is content with the application. Once the registration has been activated by the ECO, appropriate licence applications can be made on an online basis, such as for the UK to EU OGEL. Useful guidance on the UK to EU OGEL application process is available on the SPIRE website.
How should companies use the EU to UK GEA?
In order to obtain the benefit of the EU to UK GEA companies must notify the relevant national competent authorities of the first use of the GEA. Under the EU Dual-Use Regulation Member States are entitled to require registration prior to first use of the GEA.
As an example, Bird & Bird can provide a copy of a suggested draft notification letter for submission to the Irish Department of Business, Enterprise and Innovation in connection with a notification of the use of the EU to UK GEA (Ireland does not require companies to register in circumstances where the GEA is relied upon).
The issue of a notification letter to the Irish authorities would only be applicable if the first use of the EU to UK GEA after the end of the transition period is made through an export of dual-use software from Ireland to the UK. As the Irish approach is relatively straightforward, if companies need to make use of the EU to UK GEA on an ongoing basis after the end of the transition period it may be sensible to ensure that the first reliance on the EU to UK GEA is for an export from Ireland to the UK so that the initial notification can be made to the Irish authorities. Once the initial notification for the use of a GEA has been made to one Member State, the notification is valid for the use of the GEA on a pan-EU basis (i.e. for the export of dual-use software from any Member State to the UK).
Other EU Member States may make available their own pro-forma draft notification letters.
(This note was originally published by LexisNexis)