International Trade Today is a Warren News publication.
Subscriber Login

BIS Issues 2nd Advisory Option that Cloud Computing Service Provider Is Not Subject to EAR

February 25, 2011 by Barbara Chaves|Exports, OFAC and DoD

In a January 2011 advisory opinion, the Bureau of Industry and Security again concluded, with respect to the specific circumstances described in the request for its opinion, that a cloud computing service provider was not subject to the Export Administration Regulations.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

Start My Free Preview

BIS came to the same but more expansive conclusion in a January 2009 advisory opinion.

(The provider that requested the opinion defined “cloud computing” as a model in which IT applications allow users to access applications from the Internet (“in the cloud”) without needing to maintain the infrastructure that supports them. The data, software applications, and computer processing are accessed from “clouds” of online resources (including servers) rather than downloaded and stored locally on hard drives or local servers. These “clouds” consist of many computers spread out in multiple locations and include data stored and shared by the users of the service for applications such as e-mail, calendar, messaging, and video, via data loaded onto web-based programs.)

Service Provider Does Not Monitor User Content or Provide EAR-Subject Software

The cloud computing service provider stated that it does not monitor or screen user-generated content stored and/or shared in the cloud except when required to do so by law (pursuant to a valid law enforcement request). The service provider also does not ship or transmit any commodity, software, or technology subject to the EAR to the user. However, it stated that certain data stored in the cloud could constitute “technology” under the EAR.

As Provider Does Not Transmit EAR Content to User, It Is Not Subject to EAR

BIS concludes that because the service provider is not shipping or transmitting to the user any commodity, software or technology subject to the EAR, the service of providing computational capacity through grid or cloud computing is not subject to the EAR.

Because the cloud computing service provider is not an “exporter,” it would not be making a “deemed export” if a foreign national network administrator monitored or screened user generated technology subject to EAR as described in the request.

Answer Could be Different if Service Provider Transmits EAR Content to Foreign Employees

BIS notes however, that the above analysis only applies to the facts as presented by the requestor. The analysis does not apply to a cloud computing service provider’s release of technology subject to the EAR to its foreign national employees under other sets of facts. Such a release may constitute a “deemed export” or “deemed reexport,” depending on the location and may be subject to licensing requirements.

2009 Grid & Cloud Computing Advisory Opinion Similar, But More Detailed

BIS notes that it came to a similar conclusion in its 2009 Advisory Opinion on the applicability of the EAR to grid and cloud computing services. Among other things, BIS concluded the following in that opinion:

  • The service of providing computational capacity would not be subject to the EAR as the service provider is not shipping or transmitting any commodity, software, or technology to the user.
  • If the service provider ships or transmits software to enable use of the grid or cloud computing and that software is publicly available under 15 CFR 734.3(b)(3), the software is not subject to the EAR. However, if the service provider ships or transmits software that is subject to the EAR, an "export" would occur.
  • Similarly, if the service provider ships or transmits technology in the form of technical data (i.e., manuals, instructions, plans, etc.) or technical assistance (i.e., instructions, consulting services, etc.) that is not publicly available in order to give the user knowledge on how to access and use the computational capacity provided by grid or cloud computing, then that technology would be subject to the EAR.
  • Since the service of providing computational capacity through grid or cloud computing is not subject to the EAR, the service provider is not required to inquire about the nationality of the customer.
  • However, in order to comply with the 15 CFR 744.6(a)(2)(i) restriction affecting countries listed in Country Group D:4 (Cuba, Iran, North Korea, etc), the service provider should take into account the location of the user if the service provider knows that the user will be involved in certain missile activities.

(See ITT’s Online Archives or 04/16/09 news, 09041625, for BP summary of BIS’ January 2009 advisory opinion.)