The Bureau of Industry and Security (BIS) has amended the definition of the term “release” in the Export Administration Regulations (EAR) so that it does not not apply to the provision of access information that would unlock “object code” software, causing the provision of access information to trigger licensing requirements in a wider range of situations. (With respect to software, the EAR’s definition of “version” continues to be limited to “source code.”)
- BIS has stated that this means that the transfer of “access information” (e.g., a key) that would provide access to “object code” or “source code” requires a license to the same extent as would exporting the object code or the source code itself.
- The change means, for example, that the provision of keys, passwords or other access information to allow a foreign person to access object code software that he or she has lawfully received before a An export license being required would require a license if the EAR was later amended, and a license would be required to export to the foreign person the same software that he already owned.
- Companies that provide keys to unlock object code software (and not just the source code) will therefore need to ensure that their practices comply with the rule. That is, if a license were required to export “object code” software, then providing a key to access the same object code on a server in the United States or a third country would also require a license.
The “final rule; technical correction” notice issued by the Bureau of Industry and Security (BIS) of the Ministry of Commerce is short and can be read at: 2023-20128.pdf (govinfo.gov).
The context of the Notice is that, with respect to software, the AER’s definitions of deemed exports (§ 734.13(a)(2)) and deemed re-exports (§ 734.14(a)(2)) are limited in scope to “source code” subject to the EAR and do not apply to the provision of object code software. So, for example, the “release” of controlled object code to a foreign person cannot be considered a deemed export or re-export, but the “release” of controlled source code to a foreign person could be. These rules have not changed.
The EAR defines the term “release” in section 734.15. With respect to software, the definition also excludes references to “object code” and is limited in scope to (i) visual or other inspection by a foreign person that reveals “source code”; or (ii) oral or written exchanges with a foreign person of “source code” (in the United States or abroad). Until the issuance of the BIS Notice, the only section of the EAR where this definition did not apply was the section 734.18, which is a list of activities that are not exports, re-exports or transfers. The BIS notice adds a section 734.19 EIR provisions where the definition of “release” in section 734.15 does not apply.
The rule also adds a note to the otherwise unchanged section 734.19, which states that “to the extent that authorization would be required to transfer ‘technology’ or ‘software,’ comparable authorization is required to transfer access information if doing so is done with ‘knowing’ that such transfer would result in the disclosure of this “technology”. ” or “software” without the required authorization.” The note states that “For purposes of this section, a version of ‘software’ includes source code and object code.
This means that with respect to deemed exports and re-exports of software, the EAR’s definition of “version” is limited to “source code.” With respect to the EAR’s application of the word “release” (but without quotation marks) to provide keys or other access information to unlock or access software, the word applies to both “object code” and “source code”. In other words, the EAR now has two definitions of “distribution”, one in section 734.15 (limited to “source code” but not applicable in the context of sharing “access information”) and one in the note to section 734.19 (applicable to both “object code” and “source code”, if in the context of sharing access information).
BIS has not changed the EAR’s generic definition of transfer (without quotation marks and as used in section 734.19) in section 772.1, which “means a shipment, transmission, or release of items subject to the EAR either within the United States or outside the United States. » (This is different from the EAR section 734.16 definition of “transfer (in country)”, which is a “change in end use or end user of an item within the same foreign country.” “)
So, for example, if a company in Russia or on the Entity List legally received an uncontrolled object code subject to the EAR prior to the imposition of sanctions or registration, the BIS notice clearly states that a Export license would be required to send a key. , password or other access information to unlock object code software that the company already owned if exporting the same software to the same person for the same end use would now require, following a change of rule, a license. Another example of a potentially affected event would be the provision of a key allowing access – even without downloading – to an updated version of controlled software that did not fall within the scope of application. a previously issued license to export the previous version of the software.
Finally, companies that provide keys, passwords, or other access information to unlock object code software so that customers can use the software remotely on servers in the United States or third countries should review the notice and its implications to ensure compliance with the EAR.