07/06/15

Trade controls on cryptography products: how shall we deal with the Mass Market Exemption?

The EU Dual-Use Regulation (EC) No 428/2009 ("Dual Use Regulation") sets out the framework of EU dual-use controls and the list of controlled goods. If an item is listed, a license will, in principle, be needed to export it outside the EU. Controls do not apply to shipments between EU Member States (with limited exceptions for certain highly sensitive items), but the supplier is obliged to include a reference on the commercial documentation (i.e. an invoice) indicating that it concerns a dual-use item.

A particular group of products that falls within the scope of the Dual Use Regulation are cryptography items (Category 5, Part 2 of Annex I) such as, for example, routers. EU dual-use export controls apply to these encryption products, but include an exemption for exports of "mass market" items under the Cryptography Note included in the Dual-Use Regulation (note 3 of Category 5, Part 2).

Under the Cryptography Note, the export controls set out in 5A002 and 5D002 of the EU control list do not apply to exports of goods or software that meet all of the following:
a) Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

  1. Over-the-counter transactions;
  2. Mail order transactions;
  3. Electronic transactions; or
  4. Telephone call transactions;

b) The cryptographic function cannot easily be changed by the user;
c) Designed for installation by the user without further substantial support by the supplier; and
d) When necessary, details of the goods are accessible and will be provided, upon request, to the competent authorities of the Member State in which the exporter is established, in order to ascertain compliance with the conditions described in paragraphs a. to c. above.

Unfortunately, there is only limited guidance available with respect to the interpretation of this mass market exemption. An additional complication is that each EU Member State has its own national regulator (or, in the case of Belgium, even three regional regulators), which is responsible for overseeing licensing and enforcement in that jurisdiction. Needless to say, this can result in differences in interpretation between the Member States. In practice, this obliges exporters to check the exact interpretation of a particular exemption in the EU Member State where they operate.

Another layer of complexity can be found in the fact that export control authorities outside the EU sometimes have broader exemptions, which can lead to situations where foreign companies that operate in the EU wrongly assume that because an export license for a particular item is not required in their home jurisdiction, an EU license is not required either. That could, for example, be the case for products that come under the ECCN-code 5A992 or EAR99 classification in the US (e.g. waived from a license requirement because the item is considered "mass market"), but for which no equivalent classification exists in the EU. This can, in practice, easily lead to compliance gaps within a company's trade control compliance programme. It is, therefore, strongly recommended to check whether a decontrolled item in the US (or any other non-EU jurisdiction) will be similarly treated in the EU, and vice versa.

Lastly, it is important to note that US export control law, contrary to EU legislation, also applies to re-exports of US-origin goods from the EU, and that US economic sanctions and trade embargoes can also apply to conduct in the EU (particularly where US companies and individuals are involved).

What can this mean for business?
Companies that export goods from the EU should ensure that their export compliance procedures are updated to take account of EU export controls and any other controls that can impact their trade (for example US controls). Furthermore, each EU Member State has its own regulator(s), and the interpretation of the EU Dual Use Regulation and the practical procedures can thus differ slightly. For cryptographic products especially, one should always carefully review whether their export requires a license or not.
