|Eric McClafferty, Esq.|
Fluid handling equipment and chemical equipment companies are now offering encryption capability as part of their wireless and wired products and control systems. However, these manufacturers often fail to fully understand the implications encryption presents for their own or their customers’ export compliance system. In the past, exporting encryption technology out of the United States required a complex mandatory review and classification by the U.S. Commerce Department (www.commerce.gov) and the National Security Agency (www.nsa.gov). However, new rules issued by the Department of Commerce, Bureau of Industry and Security (BIS, www.bis.doc.gov) allow some products with encryption to be exported without government review. For fluid handlers, it is important to know which products involving encryption require government review and which do not, as the penalties for illegal exports in this area are quite hefty.
Understanding the Need for Encryption
In today’s world of wireless communication, where messages can be transmitted through the air from a flowmeter or a control valve to a plant management system, for example, encryption is a key enabling technology. And while encryption is often a necessity in modern-day processing application scenarios, the export of such technologies often complicates the legally required product and software classification process. As such, it is important for manufacturers that operate globally to understand the export rules that affect their transactions internationally. Likewise, it is important for equipment producers to understand their own product development process when it comes to the export rules that govern encryption.
One might ask — do I need an export license to work with a software company in India if that company is working with encryption? The answer to this question will likely depend on the details of the working relationship between the two companies. While there have been recent changes in the rules for exporting plant equipment containing encryption (as noted earlier), the rules for processing plant network communication software and the computers running that software are likely to be unaffected by these new rules. This means there must be continuing compliance with, and understanding of, encryption export rules. Further, there are also some gray areas in between these categories that companies will have to clear up as they fully implement the U.S. government’s interim final rule. ?
New Encryption Rules???
Specifically, under the new encryption export rules, it is now possible to self-classify and readily export certain flowmeters, valves, pumps, control panels, skid packages and other pieces of process equipment that use encryption software without U.S. government reviews. In the past, many of these items had to undergo government review and classification in Commerce Control List Information Security Category (Category 5).
Also, prior to the new rule changes under consideration here, many items containing encryption could only be exported from the United States to a limited list of allied countries after filing a review request for BIS and NSA classification. Meanwhile, exports to many other countries under an export license exception could not be made unless the government review was complete (or 30 days had passed).
Sales of certain items to government entities were more likely to require an export license. Under the new rules, exporters are permitted to self-classify certain industrial items containing ancillary cryptography. In addition to the ancillary cryptography revision, manufacturers, distributors and other exporters should be aware of a partial “short range encryption” exception to the regulations that applies to certain products.
All export paperwork filed with the U.S. government must properly reflect accurate export control classification numbers of the products to be exported, as reflected in the Commerce Control List of the U.S. Export Administration Regulations (15 C.F.R. 730 et seq.; 774 Supplement 1). Penalties for failing to complete paperwork are enforceable from October 2008 at $10,000 per shipment paperwork error. ????
In addition to loosening the controls for some processing equipment, the U.S. government has dropped notification and reporting requirements for a number of products. In an Oct. 3, 2008 “Encryption Simplification” Federal Register notice, BIS (which controls the export of most non-military products) specifically identified a new class of products that use “ancillary cryptography.”
The rule states that items containing “ancillary cryptography’‘ are excepted from the standard review and reporting requirements for encryption items because the U.S. Government has determined that it is not necessary to review the encryption functionality of “industrial, manufacturing or mechanical systems,” among a number of other products.????
However, exporters of fluid handling, chemical and petrochemical processing equipment should avoid making certain assumptions about the types of products that qualify for classification exemptions. While the required government review process no longer applies to some products, it likely will continue to apply to the communication backbone of the network, which could include overall wireless encryption software and certain computers containing that software. Importantly, at a minimum, exporters are also still required to accurately self-classify products that include encryption in accordance with the requirements of the Export Administration Regulations. The time-consuming (for manufacturers and the government) U.S. government review process can be avoided, but that is not the end of the story. If companies decide not to seek government review, they must understand that they could be subject to significant penalties if their self-classification is wrong. ????
With an October 2007 increase in export penalties to $250,000 per export violation (or twice the value of the product, whichever is greater), and the October 2008 increase in enforcement authority regarding improperly completed export documentation ($10,000 potential penalties per violation), companies should weigh very carefully how to approach encryption product classification. Indeed, companies should consider all their product export classifications, including their “core” manufactured items and their “non-core” production equipment and purchased parts and related items that might be exported, given the numerous export penalties levied in recent years against fluid handling equipment companies.
Eric McClafferty, Esq. offers private practice counseling on export compliance and other international trade issues for individual fluid handling equipment companies. Mr. McClafferty is counsel to the Hydraulic Institute and Valve Manufacturers Association joint International Trade Task Force. He can be reached at 202 342-8841 or firstname.lastname@example.org.