Commerce Revises Export Rules on Entity List Companies Involved in Standard-Related Activities
On September 9, 2022, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published an interim final rule authorizing the release of certain U.S. technology and software in the context of standards-related activities to companies designated on its Entity List and otherwise subject to a U.S. export ban. The rule builds on BIS’s June 2020 interim final rule permitting U.S. companies to engage in certain low-level technical exchanges with Huawei Technologies Co., Ltd. (Huawei) and its affiliates if such exchanges occurred within a standards organization, as part of the process for revising or developing a standard. A summary of the 2020 rule is available here. The new rule became effective upon publication, and comments are due by November 8, 2022.
As detailed below, the new rule expands the June 2020 rule by (1) clarifying that covered technical exchanges with Entity List companies are authorized when they occur during a broad range of standards-related activities; (2) expanding the scope of authorized exports beyond low-level technology to also include low-level software as well as non-mass market encryption software and technology, in certain cases; and (3) universally applying the authorization to all Entity List companies, rather than limiting it to Huawei and its affiliates.
The new rule largely is a response to U.S. industry comments on the June 2020 rule, which highlighted unresolved uncertainties regarding exports that were and were not permissible in the context of industry participation in standards organizations, and more broadly, standards-related work, when Entity List companies were also participating. Recognizing that “[i]nternational standards serve as the building blocks for product development,” and in response to concerns raised by industry, BIS ultimately agreed that “additional actions are needed to protect U.S. technological leadership without discouraging, and indeed supporting and promoting, the full participation of U.S. actors in international standards development efforts. The national security threat that results from ceding U.S. participation and leadership in standards development and promulgation outweighs the risks related to the limited release of certain low-level technology and software to parties on the Entity List in the context of a ‘standards-related activity.’ Participation in standards-related activities is imperative in allowing the United States to continue to participate and lead in global standards settings environments.”
Authorized Activities Under the New Rule
Under the U.S. Export Administration Regulations (EAR), U.S. and non-U.S. persons generally are prohibited from exporting, reexporting, or transferring without a license U.S. hardware, software, and technology (including EAR99 items), as well as foreign-made items that contain greater than de minimis controlled U.S. content by value and certain foreign direct products of U.S. technology or software, to companies designated on BIS’s Entity List.
The new rule provides a carve-out to this general export ban and permits disclosure of certain low-level technology and software subject to the EAR – e.g., non-sensitive data and software that is not published or otherwise outside of the scope of the EAR’s export controls – to companies on BIS’s Entity List for standards setting and development in standards organizations, as follows:
- “Standards-Related Activity”: Any release of technology or software must be in the context of a “standards-related activity,” where there is an intent for the resulting standard to be published. A standards-related activity includes the development, adoption, or application of a standard (i.e., any document or other writing that provides, for common and repeated use, rules, guidelines, technical, or other characteristics for products or related processes and production methods, with which compliance is not mandatory), including conformity assessment procedures as well as any action taken for the purpose of developing, promulgating, revising, amending, reissuing, interpreting, implementing, or otherwise maintaining or applying such a standard. While this definition is quite broad, BIS cautioned that one-on-one technical exchanges with a representative of an Entity List company that fall outside of the scope of a standards-related activity likely will require a license.
Note that the June 2020 rule required that all releases of technology be for the purpose of contributing to the revision or development of a “standard” in a “standards organization,” as those terms are defined in Office of Management and Budget Circular A-119 (Rev. 2016). In response to comments industry asserting that these definitions created uncertainty and potentially did not cover critical activities such as conformity assessment procedures, BIS removed this requirement and deleted the definitions from its regulations.
- Scope of Authorized Technology and Software: The June 2020 rule permitted releases of EAR99 U.S. technology (the lowest level of control) as well as other low-level U.S. technology controlled only for anti-terrorism (AT) reasons to Huawei and its affiliates. Acknowledging that standards organizations may need to share software as part of developing codecs or implement reference software as part of a standard, BIS specifically expanded the authorization to also include EAR99 software and software controlled only for AT reasons, such as mass market encryption software.
Furthermore, recognizing that “without proper standardization in encryption functionality, vulnerabilities and issues in 5G security will pose a national security threat to the United States,” BIS’s new rule now permits the release of certain more restricted (non-mass market) encryption software and technology when specifically for the development, production, or use of cryptographic functionality. The encryption carve-out is designed to permit exchanges with Entity Listed companies of software and technology that encrypt and decrypt data and are regularly used in the development and production of products such as smartphones, printers, and other common devices. It covers, for example, software having the characteristics or performing/simulating the functions of (i) equipment designed to use cryptography for data confidentiality, (ii) a cryptographic activation token, and (iii) quantum cryptography items, along with certain related encryption technology. Nonetheless, U.S. exporters should take care before releasing encryption software or technology to ensure they remain within the bounds of the authorization. For example, the authorization does not permit exchanges of software or technology for more sensitive cryptographic ultra-wideband items, cryptographic spread spectrum items, or cryptanalytic items. Additionally, BIS warned that “[t]he specific software and technology authorized include only cryptographic functions needed to assist the development of security in a 5G network, not to develop 5G products or capacity.” Exporters also must ensure that they are complying with BIS’s normal classification, reporting, and licensing rules for encryption items.
- Permissible Parties: Perhaps the most important change from BIS’s prior authorization is that the new interim final rule expands the standards-related authorization to all Entity List companies; in other words, it is no longer limited to Huawei and its affiliates. This reduces the regulatory burden on U.S. industry and “mitigate[s] unintended consequences that could harm U.S. industry leadership and competitiveness in the telecommunications and information technology sector.”
Even so, keep in mind that the authorization only covers U.S. licensing requirements imposed as a result of a company’s designation on the Entity List. It does not cover other end use/end user restrictions in the EAR, such as the military and military-intelligence end use/user restrictions for certain countries (i.e., Belarus, Burma, Cambodia, China, Russia, and Venezuela). Accordingly, U.S. industry participants in standards organizations still must ensure that they do not run afoul of these other restrictions prior to any technology or software exchanges.
Public Comment Period
Although the interim final rule is effective immediately, stakeholders may submit comments to BIS by November 8, 2022, to address any questions or concerns about its coverage. BIS specifically has requested comments on the following areas:
- Industries Involved in Standards Development: BIS is requesting comments and additional information on whether the current scope of the authorization is adequate for the United States to retain its participation and lead in areas such as energy, artificial intelligence, biotech, aerospace, and transportation. For example, industry members are encouraged to provide comments and specific examples to the extent they believe the current scope of the authorization hinders U.S. participation and leadership in standards development in industries where there is or may be participation by Entity List companies.
- Impact of Other End Use/End User Controls: Additionally, BIS is requesting comments (and specific examples) on whether there are other provisions of the EAR that may negatively impact U.S. national security by limiting leadership and participation in standards-related activities, such as licensing requirements for other prohibited end uses or end users in the EAR like the controls on military and military-intelligence end users/uses mentioned above.
- Compliance Burdens: Further, BIS is requesting comments on industries and commercial sectors that are actively involved in standards development, including information on how they are affected by compliance burdens resulting from the changes promulgated in this rule and the June 2020 rule.
- International Participation and Scope of Standards-Related Activities: Finally, BIS is requesting comments on whether the definition of “standards-related activities” highlighted above allows for full and open participation by U.S. companies in the development of standards, or whether certain parts of the definition should be better-defined or excluded.
Our team has unparalleled experience and expertise representing a broad range of U.S. and multinational clients in export control matters, including exchanges with Entity List companies in the context of standards activities. Should you have any questions, please do not hesitate to contact one of the attorneys listed on this alert.