An advisory opinion recently issued by the U.S. Bureau of Industry and Security (BIS) reaffirms its prior position that purely cloud-based technology services are generally not subject to export regulations, but a number of common practices of cloud-based service providers may still unwittingly subject services to compliance requirements under U.S. export control laws.
The Exemption for Cloud Computing
In general, cloud-based services, specifically described as services “providing computational capacity through grid or cloud computing,” are not subject to export restrictions and licensing requirements because the service provider is not shipping or transmitting any commodity, software, or technology to the user. In the case of a cloud-based software offering, where a user sends data to the cloud service for processing and causes the processed data to return to the user, rather than download the software and process data locally, the cloud-based software is not exported and, accordingly, is not subject to export licensing requirements that might otherwise apply.
When Cloud Services Can Become Exports
The exemption from export regulations for any given cloud-based service depends on whether that service conforms to the purely cloud-based model described by BIS in its opinions: cloud-based services that are effectively a black box to their users by taking in user data as inputs and outputting processed data. If a service provider transfers any commodity, software, or technology, as opposed to hosting it solely as a cloud service, that provider becomes subject to export regulations.
Certain common features of cloud computing services will adulterate the black box computing model of the exemption and subject the service provider to regulation. Providing user manuals, technical information, instructions, and plans that are not publicly available may constitute an "export" of technology subject to export regulations. Providing technical assistance in the form of instructions or consulting services may also constitute an export of technology. "Technology" is broadly defined in the export regulations as information necessary for the development, production, or use of a product, so any proprietary materials transmitted or made available for download in connection with the service should be considered as subject to any applicable compliance requirements.
A service provider may also be subject to compliance requirements by providing or executing any proprietary software in connection with the cloud-based service that the user downloads or executes locally, including in the form of proprietary browser plug-ins or software routines uploaded and executed locally. In each case, these constitute software subject to export regulations. Any software installed or executed locally should therefore be evaluated for applicable compliance requirements.
Deemed Export of Cloud Services
When considering whether export regulations apply to a cloud-based service, it is important to note that limiting access to cloud services and related software and materials to users located in the United States may not be sufficient to escape the application of export regulations to those services. Under the regulations, an export of technology may also be deemed to have taken place when it is released to a foreign national within the United States. Any restrictions or license requirements that would apply to an export of the software or technology outside the United States can apply equally to a deemed export to a foreign national within the United States.