Revisions to Definitions in the Export Administration Regulations, 35586-35608 [2016-12734]

Agencies

• DEPARTMENT OF COMMERCE
• Bureau of Industry and Security

[Federal Register Volume 81, Number 107 (Friday, June 3, 2016)]
[Rules and Regulations]
[Pages 35586-35608]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-12734]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 734, 740, 750, and 772

[Docket No. 141016858-6004-02]
RIN 0694-AG32


Revisions to Definitions in the Export Administration Regulations

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule is part of the Administration's Export Control 
Reform (ECR) Initiative. The Initiative will enhance U.S. national and 
economic security, facilitate compliance with export controls, update 
the controls, and further the goal of reducing unnecessary regulatory 
burdens on U.S. exporters. As part of this effort, the Bureau of 
Industry and Security (BIS), in publishing this rule, makes revisions 
to the Export Administration Regulations (EAR) to include certain 
definitions to enhance clarity and consistency with terms also found in 
the International Traffic in Arms Regulations (ITAR), which is 
administered by the Department of State, Directorate of Defense Trade 
Controls (DDTC), or that DDTC expects to publish in proposed rules. 
This final rule also revises the Scope part of the EAR to update and 
clarify application of controls to electronically transmitted and 
stored technology and software, including by way of cloud computing. 
DDTC is concurrently publishing comparable amendments to certain ITAR 
definitions for the same reasons. Finally, this rule makes conforming 
changes to related provisions.

DATES: This rule is effective September 1, 2016.

ADDRESSES: Although there is no formal comment period, public comments 
on this final rule are welcome on a continuing basis. You may submit 
comments by either of the following methods:
     By email directly to publiccomments@bis.doc.gov. Include 
RIN 0694-AG32 in the subject line.
     By mail or delivery to Regulatory Policy Division, Bureau 
of Industry and Security, U.S. Department of Commerce, Room 2099B, 14th 
Street and Pennsylvania Avenue NW., Washington, DC 20230. Refer to RIN 
0694-AG32.
    Commerce's full plan for retrospective regulatory review can be 
accessed at: https://open.commerce.gov/news/2011/08/23/commerce-plan-retrospective-analysis-existing-rules.

[[Page 35587]]


FOR FURTHER INFORMATION CONTACT: For questions on application of 
controls to electronically transmitted and stored technology and 
software, contact Bob Rarog, Senior Advisor to the Assistant Secretary 
for Export Administration, Bureau of Industry and Security at (202) 
482-9089. For other questions, contact Hillary Hess, Director, 
Regulatory Policy Division, Office of Exporter Services, Bureau of 
Industry and Security at (202) 482-2440 or rpd2@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

    This final rule is part of the Administration's Export Control 
Reform (ECR) Initiative. The Initiative will enhance U.S. national and 
economic security, facilitate compliance with export controls, update 
the controls, and continue the process of reducing unnecessary 
regulatory burdens on U.S. exporters. As part of this effort, the 
Bureau of Industry and Security (BIS), in publishing this rule, makes 
revisions to the Export Administration Regulations (EAR) to include the 
definitions of ``access information,'' ``technology,'' ``required,'' 
``foreign person,'' ``proscribed person,'' ``published,'' results of 
``fundamental research,'' ``export,'' ``reexport,'' ``release,'' 
``transfer,'' and ``transfer (in-country)'' to enhance clarity and 
consistency with terms also found in the International Traffic in Arms 
Regulations (ITAR), which is administered by the Department of State, 
Directorate of Defense Trade Controls (DDTC). This final rule also 
revises the Scope part of the EAR to update and clarify application of 
controls to electronically transmitted and stored technology and 
software. DDTC is concurrently publishing comparable amendments to the 
ITAR's definitions of ``export,'' ``reexport,'' ``release,'' and 
``retransfer'' for the same reasons. Finally, this rule makes 
conforming changes to related provisions. DDTC anticipates publishing 
its comparable provisions pertaining to ``technical data,'' ``directly 
related,'' ``public domain,'' and the results of ``fundamental 
research'' in a separate proposed rule.
    One aspect of the ECR Initiative includes amending the export 
control regulations to facilitate enhanced compliance while reducing 
unnecessary regulatory burdens. For similar national security, foreign 
policy, including human rights, reasons, the EAR and the ITAR each 
control, inter alia, the export, reexport, and in-country transfer by 
U.S. and foreign persons of commodities, products or articles, 
technology, technical data, software, and services to various 
destinations, end users, and end uses. The two sets of regulations have 
been issued pursuant to different statutes, have been administered by 
different agencies with missions that are distinct from one another in 
certain respects, and have covered different items (or articles). For 
those reasons, and because each set of regulations has evolved 
separately over decades without much coordination between the two 
agencies regarding their structure and content, they often use 
different words, or the same words differently, to accomplish similar 
regulatory objectives.
    Many parties' export, reexport, and transfer transactions are 
regulated by both the Commerce Department's EAR and the State 
Department's ITAR, particularly now that regulatory jurisdiction over 
many types of military items has been transferred from the ITAR to the 
EAR. Using common terms and common definitions to regulate the same 
types of items or actions will facilitate enhanced compliance and 
reduce unnecessary regulatory burdens. Conversely, if different 
concerns between the two sets of export control regulations warrant 
different terms or different controls, the differences should be made 
clear for the same reason. Such clarity will benefit national security 
because it will be easier for exporters to comply with the regulations 
and for prosecutors to prosecute violations of the regulations. Such 
clarity will also enhance our economic security because it will reduce 
unnecessary regulatory burdens for exporters when attempting to 
determine the meaning of key words and phrases across similar sets of 
regulations. Finally, this rule and the rule DDTC is publishing 
concurrently address only a portion of the terms and phrases that 
warrant harmonization between the ITAR and the EAR. They are 
nonetheless a significant step toward accomplishing one of the ultimate 
objectives of the ECR initiative, which is the creation of a common 
export control list and common set of export control regulations.

Proposed Rule

    On June 3, 2015, BIS published a proposed rule entitled ``Revisions 
to Definitions in the Export Administration Regulations'' (80 FR 31505) 
(hereafter ``the June 3 proposed rule'' or ``the June 3 rule''). 
Simultaneously, the Department of State published a proposed rule 
entitled ``International Traffic in Arms: Revisions to Definitions of 
Defense Services, Technical Data, and Public Domain; Definition of 
Product of Fundamental Research; Electronic Transmission and Storage of 
Technical Data; and Related Definitions'' (80 FR 31525) (hereafter 
``the State June 3 rule'').
    BIS welcomed comments on all aspects of the June 3 rule. 
Additionally, in the preamble to the June 3 rule, BIS specifically 
solicited public comment with questions on eight issues. Two of those 
questions pertained to the definition of fundamental research; one 
pertained to whether the questions and answers in Supplement No. 1 to 
part 734 had criteria that should be retained in part 734; two 
pertained to encryption standards in the definition of ``Activities 
that are Not Exports, Reexports, or Transfers;'' and one pertained to 
the effectiveness of the proposed definition of ``peculiarly 
responsible.'' Public comments on these questions are addressed in 
their corresponding sections below.
    The two remaining questions were broadly applicable across the 
rule: Whether the proposed revisions created gaps, overlaps, or 
contradictions between the EAR and the ITAR or among various provisions 
within the EAR; and whether a 30-day delayed effective date was 
appropriate for the final rule.
    Eleven commenters cited the difference between the EAR and ITAR 
standards for prepublication review of research as a significant gap 
between the two bodies of regulations that would create compliance 
difficulties. These commenters recommended that both final rules adopt 
the EAR standard. Further discussion of this issue may be found in the 
section of the preamble describing fundamental research, below.
    Twenty-two commenters recommended a six-month delayed effective 
date from date of publication. Most of these commenters explicitly 
based the recommendation on the anticipated difficulty created by 
adoption of differing proposed EAR and ITAR standards for 
prepublication review of research. State is not publishing revisions to 
fundamental research at this time; therefore, the rationale for 
requesting a six-month delay is largely eliminated.
    One commenter recommended at least a three-month delayed effective 
date to enable non-U.S. companies to understand and prepare for 
compliance with the revisions. BIS accepts this recommendation, and 
this final rule will be effective 90 days from the date of publication.
    One commenter recommended issuing an interim final rule with a 
comment period of at least 60 days due

[[Page 35588]]

to the breadth of the proposed changes. BIS does not accept this 
recommendation, because this final rule has a 90-day delayed effective 
date, which is a longer delay than generally applies to an interim 
final rule. The State rule published concurrently with this final rule 
also has a 90-day delayed effective date. Moreover, the State 
Department plans to publish a second proposed rule seeking comment on 
most of the terms at issue.

Frequently Asked Questions

    Objectives of this final rule include streamlining, clarifying, and 
updating regulatory text. BIS has attempted to focus the regulatory 
text on control criteria, limiting notes and examples to those 
necessary to adequately convey the criteria. Many public comments 
raised questions about how criteria would be applied in particular 
situations or suggested illustrative revisions. BIS considers these 
comments helpful to compliance with the EAR and is publishing them 
along with responses on the BIS Web site as Frequently Asked Questions 
(FAQs).

Items Subject to the EAR

    The June 3 rule proposed re-titling the section ``Subject to the 
EAR'' (from ``Important EAR terms and principles''), retaining the 
definition and description of that term, and creating separate sections 
in part 734 to define ``export,'' ``reexport,'' ``release,'' and 
``transfer (in-country),'' rather than retaining them in that section. 
The June 3 rule also proposed removing Sec.  734.2(b)(7) regarding the 
listing of foreign territories and possessions in the Commerce Country 
Chart (Supplement No. 1 to part 738) because it duplicated existing 
Sec.  738.3(b).
    BIS received no comments on its proposed revisions to Sec.  734.2. 
These revisions are adopted in this final rule.

Items Not Subject to the EAR

    Section 734.3(a) describes items (i.e., commodities, software, and 
technology) subject to the EAR. Paragraph (b) describes items that are 
not subject to the EAR. The June 3 rule proposed minor revisions to 
paragraph (b)(3), which describes software and technology that are not 
subject to the EAR, to describe more fully educational and patent 
information that are not subject to the EAR, and to add a note to make 
explicit that information that is not ``technology'' as defined in the 
EAR is per se not subject to the EAR. One commenter specifically 
offered support for inclusion of the note, and no commenters objected 
to it; BIS has adopted it in this final rule.

Educational Information

    The June 3 rule proposed to move the statement in Sec.  734.9 that 
educational information released by instruction in a catalog course or 
associated teaching laboratory of an academic institution is not 
subject to the EAR to Sec.  734.3(b) and remove Sec.  734.9. The June 3 
rule also proposed to revise the description of such educational 
information as information and software that ``[c]oncern general 
scientific, mathematical, or engineering principles commonly taught in 
schools, and released by instruction in a catalog course or associated 
teaching laboratory of an academic institution'' to better match the 
existing ITAR description. The proposed revisions were not intended to 
change the scope of educational information that is not subject to the 
EAR.
    Twenty-seven commenters stated that, in spite of BIS's declared 
intent to leave the scope of this provision unchanged, the proposed 
revision in fact narrowed the scope of educational information that is 
not subject to the EAR. With the adoption of the terms in the 
comparable ITAR provision, such as ``general'' and ``commonly,'' 
commenters said that the revision could be read to make courses with 
advanced or novel content subject to the EAR and suggested either 
changing ``and released by instruction'' to ``or released by 
instruction'' or reverting to the existing wording. BIS agrees that the 
revision could be read to narrow the scope of the exclusion, and 
because this narrowing was not intended, reverts to the existing 
wording in this final rule.
    BIS received no comments on the placement of the educational 
information provision in the list of information that is per se not 
subject to the EAR rather than in a separate section. BIS adopts the 
proposed placement in this final rule.

Additional Exclusions

    This final rule adopts two additional revisions that were not in 
Sec.  734.3(b)(3) in the June 3 proposed rule. This final rule adds 
paragraphs (b)(3)(v) and (vi), two additional exclusions from the EAR: 
Items that are non-proprietary system descriptions or are telemetry 
data. These two exclusions appeared in the June 3 proposed rule as 
exclusions from the definition of technology. For discussion of public 
comments on these exclusions and BIS's response to those comments, see 
the section on ``Technology'' below.

Exports of Encryption Source Code Notes

    The June 3 rule proposed no changes to the notes to paragraphs 
(b)(2) and (b)(3) of Sec.  734.3 that a printed book or other printed 
material setting forth encryption source code is not itself subject to 
the EAR, but that encryption source code in electronic form or media 
remains subject to the EAR. It also proposed no changes to the note 
that publicly available encryption object code software classified 
under Export Control Classification Number (ECCN) 5D002 is not subject 
to the EAR when the corresponding source code meets the criteria 
specified in Sec.  740.13(e) of the EAR.
    BIS received no comments on these notes, and this final rule makes 
no changes to them.

Published Technology and Software

    Section 734.7 sets forth that technology and software is 
``published'' and thus not subject to the EAR when it becomes generally 
accessible to the interested public in any form, including through 
publication, availability at libraries, patents, distribution or 
presentation at open gatherings, and public dissemination (i.e., 
unlimited distribution) in any form (e.g., not necessarily in published 
form), including posting on the Internet on sites available to the 
public.
    The June 3 rule proposed a definition of ``published'' that 
retained the same scope, but with a simpler structure. The proposed 
Sec.  734.7(a) read: ``Except as set forth in paragraph (b), 
``technology'' or ``software'' is ``published'' and is thus not 
``technology'' or ``software'' subject to the EAR when it is not 
classified national security information and has been made available to 
the public without restrictions upon its further dissemination,'' 
followed by a list of examples of published information. The proposed 
definition was substantially the same as the wording of definitions 
adopted by the multilateral export control regimes of which the United 
States is a member: The Wassenaar Arrangement on Export Controls for 
Conventional Arms and Dual-Use Goods and Technologies (herein 
``Wassenaar Arrangement'' or ``Wassenaar''), the Nuclear Suppliers 
Group, the Missile Technology Control Regime, and the Australia Group. 
The phrase ``classified national security information'' refers to 
information that has been classified in accordance with Executive Order 
13526, 75 FR 707; 3 CFR 2010 Comp., p. 298. The relevant restrictions 
do not include copyright protections or generic property rights in the 
underlying physical medium.
    This final rule adopts the definition of ``published'' from the 
June 3 proposed rule, with the exception of adding certain information, 
intended to be

[[Page 35589]]

published, released to ``researchers conducting fundamental research'' 
(see discussion below of ``Fundamental Research''). BIS received a 
number of comments on the definition of ``published.'' Two commenters 
found helpful the addressing of Internet posting and the clarification 
that submission of manuscripts to journal editors constitutes 
``published.'' Commenters requested that BIS define ``unclassified'' 
and clarify whether university libraries are ``open to the public.'' 
``Unclassified information'' refers to information that has not been 
classified in accordance with Executive Order 13526, 75 FR 707; 3 CFR 
2010 Comp., p. 298. University libraries are open to the public. BIS 
does not implement these requests in this final rule because answering 
them does not require a change to the regulations. BIS is, however, 
addressing the questions in FAQs posted on BIS's Web site. One 
commenter stated that, as proposed, the definition of ``published'' 
``suggests that releasing (publishing) technology that is unclassified 
but subject to the EAR makes that technology no longer subject to the 
EAR.'' One commenter described allowing publication by Internet posting 
as a ``loophole'' because the site may be obscure and the duration of 
posting is not specified. Another commenter warned of ``the risk of 
intentional abuse.'' Nonetheless, BIS confirms that technology or 
software that is ``published'' as provided in Sec.  734.7 is not 
subject to the EAR.
    A commenter noted that the definition ``does not appear to address 
the case of information posted by someone other than the rightful 
owner.'' BIS agrees with this statement, but notes that such cases are 
addressed by other laws and regulations.
    BIS received thirty comments opposing a provision in the definition 
of ``public domain'' in the State June 3 rule to which there is no 
corresponding provision in the definition of ``published.'' BIS is 
making no changes to the EAR in response to these comments because they 
are outside the scope of this rule. They address concerns with the 
ITAR, not the EAR.
    As adopted in this final rule, section 734.7(b) keeps certain 
published encryption software subject to the EAR, a restriction that 
the June 3 rule proposed moving from Sec.  734.7(c) without revision.

Fundamental Research

    The June 3 rule proposed revising Sec.  734.8, which excludes most 
information resulting from fundamental research from the scope of the 
EAR, but it was not intended to change the scope of the current Sec.  
734.8.

Alternative Definitions

    In the June 3 proposed rule, BIS specifically solicited comments on 
whether the alternative definition of fundamental research suggested in 
the preamble should be adopted. BIS also specifically solicited 
comments on whether the alternative definition of applied research 
suggested in the preamble should be adopted, or whether basic and 
applied research definitions are needed given that they are subsumed by 
fundamental research.
    Issued in 1985, National Security Decision Directive (NSDD)-189 
established a definition of ``fundamental research'' that has been 
incorporated into numerous regulations, internal compliance regimes, 
and guidance documents. The June 3 proposed rule contained a definition 
of ``fundamental research'' that was identical to that in NSDD-189. 
However, in the preamble to that rule, BIS provided a simpler 
definition that was consistent with NSDD-189, but not identical. 
Specifically, the alternative definition read: `` `Fundamental 
research' means non-proprietary research in science and engineering, 
the results of which ordinarily are published and shared broadly within 
the scientific community.'' BIS believed that the scope of this wording 
was the same as that of the wording in NSDD-189 and sought comment on 
whether the final rule should adopt the simpler wording. Unlike the 
simpler alternative definition, the proposed definition of 
``fundamental research'' included references to ``basic'' and 
``applied'' research and proposed definitions of those terms, as well 
as a possible alternative definition of applied research.
    Comments on alternative definitions of fundamental research were 
mixed. Thirteen commenters generally favored a simpler definition, in 
some cases offering their own revised versions of the alternative from 
the preamble to the June 3 proposed rule. Seven commenters recommended 
retaining the NSDD-189 wording. Many commenters favored one definition 
but expressed willingness to accept another. Comments on alternative 
definitions of basic and applied research were similarly mixed, 
including instances of the same commenter offering support for more 
than one option. There was greater unanimity on the term ``non-
proprietary:'' twenty commenters objected to it, most finding it vague. 
Commenters suggested the variation, research ``for which the 
researchers have not accepted restrictions for proprietary or national 
security reasons.''
    BIS agrees with the majority of commenters that the shorter 
definition of fundamental research is clearer and covers the same 
scope. Given the wide spectrum of definitions and applications of basic 
and applied research in different bodies of regulations, BIS determined 
that the definition should address the core concept, i.e., that the 
research is to be published and shared broadly without restriction. 
Having sub-definitions of basic and applied research in the definition 
of fundamental research does not change this core concept and would, 
moreover, merely add more words and layers of interpretation that would 
not change the outcome of an analysis. Adopting the shorter definition 
drops references to basic and applied research. BIS accepted the 
comments regarding the term ``non-proprietary'' and adopted a clearer 
variation that has the same scope as that intended by the June 3 
proposed rule.
    In addition to research in science and engineering, BIS included 
the term ``mathematics'' to broaden the definition in response to a 
comment by a BIS technical advisory committee. In this final rule, BIS 
adopts the following definition of fundamental research: `` 
``Fundamental research'' means research in science, engineering, or 
mathematics, the results of which ordinarily are published and shared 
broadly within the research community, and for which the researchers 
have not accepted restrictions for proprietary or national security 
reasons.''

Software

    The June 3 proposed rule revised Sec.  734.8 to use the term 
``technology'' in place of the term ``information.'' Thirty-two 
commenters objected that ``technology'' was too limiting and 
recommended including either ``software'' or ``source code'' in 
addition to ``technology'' to describe information arising during or 
resulting from fundamental research. Many commenters pointed to the 
text of Sec.  734.3(b)(3) (not subject to the EAR), which referred to 
certain ``technology and software'' not subject to the EAR, proposed to 
be revised to ``information and software'' in the June 3 rule, as 
support for this recommendation. The commenters further argued that 
``findings resulting from fundamental research may be written in 
natural-language or computer language.'' BIS accepts these comments and 
has adopted ``technology'' and ``software'' throughout Sec.  734.8 in 
this final rule.

[[Page 35590]]

    Two commenters recommended that BIS make commodities that result 
from fundamental research not subject to the EAR. BIS does not accept 
this recommendation because the policy foundations for the exclusion 
from the EAR of fundamental research apply only to technology and 
software, not commodities.

Note on Inputs

    The June 3 proposed rule contained the following note: ``Note 1 to 
paragraph (a): The inputs used to conduct fundamental research, such as 
information, equipment, or software, are not `technology that arises 
during or results from fundamental research' except to the extent that 
such inputs are technology that arose during or resulted from earlier 
fundamental research.'' Six commenters stated that the proposed note 
arbitrarily narrows the conduct of fundamental research under NSDD-189. 
Two additional commenters seemed to find the text unclear regarding the 
nature of the inputs.
    The note regarding inputs was intended to distill varying 
provisions found in the EAR but proposed to be revised by the June 3 
rule that ultimately made the same point: Information that is not 
intended to be published is not fundamental research. For example, 
existing Sec.  734.8(b)(2) states, ``Prepublication review by a sponsor 
of university research solely to insure that the publication would not 
inadvertently divulge proprietary information that the sponsor has 
furnished to the researchers does not change the status of the research 
as fundamental research. However, release of information from a 
corporate sponsor to university researchers where the research results 
are subject to prepublication review, is subject to the EAR.'' Existing 
section 734.8(b)(4) states, ``The initial transfer of information from 
an industry sponsor to university researchers is subject to the EAR 
where the parties have agreed that the sponsor may withhold from 
publication some or all of the information so provided.''
    To clarify this distinction, BIS has adopted a simpler note in this 
final rule. Paragraph (a) establishes that the intention to publish is 
what makes research not subject to the EAR; the following Note 1 to 
paragraph (a) states: ``This paragraph does not apply to technology or 
software subject to the EAR that is released to conduct fundamental 
research.'' To support this concept, this final rule adds the following 
phrase to Sec.  734.7(a)(5) (emphasis added): ``Submission of a written 
composition, manuscript, presentation, computer-readable dataset, 
imagery, algorithm, formula, or some other representation of knowledge 
with the intention that such information will be made publicly 
available if accepted for publication or presentation: (i) To domestic 
or foreign co-authors, editors, or reviewers of journals, magazines, 
newspapers, or trade publications; (ii) To researchers conducting 
fundamental research, or (iii) To organizers of open conferences or 
other open gatherings.''

Prepublication Review

    The June 3 proposed rule listed three types of prepublication 
review in Sec.  734.8 that could be performed on the results of 
fundamental research. Three commenters supported the clear statement 
that certain prepublication review does not render research subject to 
the EAR. One commenter recommended removing the criterion that the 
research be published without delay, pointing out that ``[p]ublication 
can be (and very often is) delayed for any number of reasons having 
nothing to do with the content or sensitivity of research results'' and 
that this provision would have the unintended effect of limiting or 
even eliminating the researchers' ability to use the fundamental 
research provisions. BIS accepts this latter comment and does not adopt 
the phrase ``or delay.'' The key point is that the researcher is able 
to publish without restriction.
    One commenter suggested that Note 2 to paragraph (b) proposed in 
the June 3 rule be replaced with a similar note from the State June 3 
rule (Sec.  120.49(b) of the ITAR) regarding research voluntarily 
subjected to U.S. government review. BIS agrees with commenters that 
the ITAR text is clearer. So, this final rule adopts that ITAR text in 
Note 2 to paragraph (b). Seven commenters recommended that BIS also 
adopt the text of Note 3 from the State June 3 rule's text of Sec.  
120.49(b) of the ITAR regarding U.S. government-imposed access and 
dissemination controls. BIS agrees. With adoption of Note 3 to 
paragraph (b), paragraph (a) of Sec.  734.11, Specific National 
Security Controls, is no longer necessary. BIS includes the examples 
from paragraph (b) of Sec.  734.11, which commenters deemed helpful, in 
new Note 3 to paragraph (b) of Sec.  734.8 in this final rule. Thus, 
this rule removes Sec.  734.11 in its entirety.
    One commenter stated that the only permissible method of 
restricting government-funded research was to classify it. BIS does not 
accept this comment because it is incorrect. Indeed, BIS has the 
authority under the EAR to control unclassified technology that 
warrants control for national security, foreign policy, or other 
reasons. For example, government-funded research that does not meet the 
criteria of Sec.  734.8, such as prepublication review, remains subject 
to the EAR regardless of whether it is classified information.

Locus of Research

    The June 3 rule proposed streamlining the fundamental research 
provisions, in Sec.  734.8. Instead of organizing the provisions 
primarily by locus (specifically by the type of organization in which 
the research takes place: Universities; federal agencies or Federally 
Funded Research and Development Centers; or business entities), the 
June 3 rule proposed consolidating different provisions that involved 
the same criteria with respect to prepublication review and removing 
any reference to locus unless it made a difference to the 
jurisdictional status of the research.
    Five commenters expressed support for the applicability of the 
concept of fundamental research regardless of locus, and this final 
rule retains the consolidated structure originally proposed.
    Although not objecting to the consolidation, eleven commenters 
requested that BIS retain the Sec.  734.8(b) statement that there is a 
presumption that university-based research is fundamental research. 
Although this presumption continues to exist, BIS does not adopt the 
specific statement in this final rule. Such a presumption has no effect 
on the jurisdictional status of technology. If it meets the criteria 
for fundamental research, it is not subject to the EAR; if it does not 
meet the criteria, it is subject. However, BIS is noting in its FAQs on 
its Web site that, although university-based research is presumed to be 
fundamental research, as with all rebuttable presumptions, it is 
rebutted if the research is not within the scope of technology and 
software that arises during, or results from fundamental research as 
described in Sec.  734.8.
    Eleven commenters requested that BIS retain the Sec.  734.8(b)(2) 
through (6) criteria for universities. BIS is not doing so because 
these criteria have been incorporated into this final rule more 
concisely. To address the comment, BIS has revised its FAQs to describe 
how these criteria are within the scope of the revised definition.

Patents

    The June 3 rule proposed revising Sec.  734.10, ``Patent 
applications,'' only for clarity and did not change the scope of 
control. For the sake of structural consistency with the ITAR's 
treatment of information in patents, paragraph (a)

[[Page 35591]]

was added to state that a patent or an open (published) patent 
application available from or at any patent office is per se not 
subject to EAR. The former footnote to the Sec.  734.10 was removed 
because it would be redundant of the proposed text.
    BIS received one comment on the proposed revisions to Sec.  734.10. 
Introductory text to the section reads: `` ``Technology'' is not 
``subject to the EAR'' if it is contained in:''. The commenter 
suggested adding the phrase ``any of the following'' to this text. BIS 
agrees and is making the addition to this final rule.

Specific National Security Controls

    The June 3 rule proposed minor conforming edits to Sec.  734.11, 
describing specific national security controls. The proposed revisions 
were not intended to change the scope of the section. As discussed 
above with respect to fundamental research, BIS has adopted the 
substance of former Sec.  734.11, Specific National Security Controls, 
in new Note 3 to paragraph (b) of Sec.  734.8 in this final rule. This 
final rule removes and reserves Sec.  734.11.

Export

    The June 3 proposed rule included a new Sec.  734.13 to define 
``Export.'' Section 734.13(a) had six paragraphs, with paragraphs 
(a)(4) and (5) reserved, because the corresponding paragraphs in the 
ITAR contained provisions that were not relevant to the EAR. One 
commenter noted that paragraph (a) had a typo and should refer to Sec.  
734.18, not Sec.  734.17. BIS does not agree--the reference is to the 
subset of exports of encryption source code and object code software--
but does accept the recommendation to add a reference to Sec.  734.18 
(Activities that are not exports, reexports, or transfers) in this 
final rule.
    Proposed paragraph (a)(1) of the definition of ``export'' used the 
EAR terms ``actual shipment or transmission out of the United States,'' 
combined with the existing ITAR ``sending or taking an item outside the 
United States in any manner.''
    One commenter recommended that BIS add ``release'' after ``actual 
shipment.'' BIS does not adopt this recommendation, because release is 
a separate concept and thus a separately defined term. BIS makes no 
revisions to this paragraph (a)(1) in this final rule.
    Proposed paragraph (a)(2), specifying the concept of transfer or 
release of technology to a foreign national in the United States, or 
``deemed export,'' retains the treatment of software source code as 
technology for deemed export purposes from Sec.  734.2(b)(2)(ii). In 
this final rule, including in this paragraph (a)(2), BIS has 
substituted the term ``foreign person'' for ``foreign national.'' 
``Foreign person'' has the same scope as ``foreign national;'' it 
mirrors the ITAR term. One commenter found the term ``otherwise 
transferring'' confusing, but this final rule retains it to distinguish 
releases as a subset of transfers.
    Proposed paragraph (a)(3) included in the definition of ``export'' 
the transfer by a person in the United States of registration, control, 
or ownership (i) of a spacecraft subject to the EAR that is not 
eligible for export under License Exception STA (i.e., spacecraft that 
provide space-based logistics, assembly or servicing of any spacecraft) 
to a person in or a national of any other country, or (ii) of any other 
spacecraft subject to the EAR to a person in or a national of a Country 
Group D:5 country.
    One commenter requested BIS to confirm whether the definition would 
carve out from the definitions of ``export'' and ``reexport'' the mere 
transfer of ownership to an entity outside of a Country Group D:5 
country (e.g., as part of an on orbit transfer of ownership to an 
entity outside a D:5 country) of satellites subject to the EAR that are 
eligible for License Exception STA. BIS confirms this understanding of 
the definition and is adding an FAQ regarding the point to the BIS Web 
site.
    Proposed paragraph (a)(6) defined as an export the release or other 
transfer of the means of access to encrypted data. This paragraph was 
not adopted in this final rule (see the section discussing transfer of 
access information in Sec.  734.19 below). Without a paragraph (a)(6), 
reserved paragraphs (a)(4) and (a)(5) that appeared in the June 3 rule 
are unnecessary and, therefore, do not appear in this final rule.
    As adopted in this final rule, proposed paragraph (b) of Sec.  
734.13 is unchanged from the June 3 rule, except for the substitution 
of the term ``foreign person'' for ``foreign national.'' This paragraph 
retains BIS's deemed export rule as set forth in Sec.  734.2(b). It 
also codifies a long-standing BIS policy that when technology or source 
code is released to a foreign national, the export is ``deemed'' to 
occur to that person's most recent country of citizenship or permanent 
residency. See, e.g., 71 FR 30840 (May 31, 2006).
    Four commenters raised deemed export issues, particularly with 
respect to the difficulty of determining the ``permanent residency'' 
status of a person in a foreign country. Two of these commenters 
recommended changing ``permanent residency'' to ``legal residency'' or 
establishing criteria in the EAR. One of these commenters suggested 
making deemed exports a separate definition. BIS finds that these 
comments have merit; however, the issues they raise are too wide-
ranging and complex to be resolved in this final rule. Addressing these 
issues would constitute a novel proposal that is outside the scope of 
the proposed rule, requiring an opportunity for comment before BIS 
makes a decision as to whether to adopt it. Where practical, BIS will 
state existing policy in FAQs. For those issues not addressed by 
existing policy, BIS will develop proposed revisions and seek public 
comment.
    Proposed paragraph (c) stated that items that will transit through 
a country or countries or will be transshipped in a country or 
countries to a new country, or are intended for reexport to the new 
country are deemed to be destined to the new country. (Proposed 
paragraph (c) text was taken without change from Sec.  734.2(b)(6).)
    One commenter requested that BIS clarify ``new country.'' BIS 
accepts this comment, and adopts the term ``destination'' in this final 
rule. BIS also drops the term ``transshipped,'' because the intended 
meaning of this paragraph is captured by ``transit.'' One commenter 
recommended that BIS specify that paragraph (c) applies to items 
``subject to the EAR.'' BIS does not believe the phrase is necessary.
    Two commenters requested that BIS clarify the status of services 
under the EAR. Unlike the ITAR, the EAR do not control services as such 
except as described in Sec.  744.6(a)(2) (``Restrictions on certain 
activities of U.S. persons'') and Sec.  736.2(b)(10) (``General 
Prohibition 10''). Section 744.6(a)(2) imposes licensing requirements 
on the performance by U.S. persons of any contract, service, or 
employment regarding various activities pertaining to missiles, 
biological weapons, and chemical weapons in various countries. General 
Prohibition 10 prohibits, inter alia, servicing an item subject to the 
EAR if a violation has occurred, is about to occur, or is intended to 
occur in connection with the item. Except for these provisions, the EAR 
regulates the export, reexport, and transfer (in-country) of 
commodities, technology, and software, regardless of whether such 
activities are in connection with a service. This means that, except 
with respect to activities described in these two provisions, services 
do not need to be analyzed separately for purposes of determining 
requirements under the EAR. Moreover, the ITAR does not impose controls 
on services unless they are ``directly related'' to a ``defense

[[Page 35592]]

article,'' i.e., an article, software, or technical data described on 
the ITAR's U.S. Munitions List at 22 CFR 121.1. In response to the 
commenters, BIS has added this explanation to its FAQs. A core goal of 
the ECR initiative was to make the distinctions in the ITAR and the EAR 
regarding the scope of controls over services as such clear. Thus, 
after the publication of the FAQs, if commenters believe that 
provisions of the ITAR or the EAR, statements by government officials, 
or any other government actions contradict this point regarding the 
narrow scope of controls over services pertaining to items subject to 
the EAR, they are encouraged to contact BIS to begin the process of 
resolving the issue.

Reexport

    The June 3 rule proposed moving the definition of ``reexport'' to 
new Sec.  734.14. In general, the provisions of the proposed definition 
of ``reexport'' paralleled those of the proposed definition of export 
discussed above, except that reexports occur outside of the United 
States. Public comments on the definition of ``reexport'' and BIS 
responses also mirror those discussed above for ``export.''
    One commenter recommended that BIS specify ``subject to the EAR'' 
in paragraphs (a)(1), (a)(2), and (a)(4) of ``reexport.'' BIS accepts 
this recommendation, except for paragraph (a)(4). Paragraph (a)(4) in 
the June 3 rule proposed to define as a reexport the release or other 
transfer of the means of access to encrypted data outside of the United 
States to a foreign national. This paragraph was not adopted in this 
final rule (see the section discussing transfer of access information 
in Sec.  734.19 below).
    One commenter requested that BIS confirm that sending an item back 
to the United States is not a reexport. BIS confirms that sending items 
to the United States is not a ``reexport.'' Moreover, unlike the ITAR, 
the EAR have no provisions controlling or otherwise pertaining to the 
act of importing items into the United States. BIS will confirm these 
points in an FAQ.

Release

    The June 3 proposed rule included a definition of ``release'' in a 
new Sec.  734.15. The proposed text provided that inspection (including 
other types of inspection in addition to visual, such as aural or 
tactile) must actually reveal technology or source code subject to the 
EAR to constitute a ``release.'' Thus, for example, merely seeing an 
item briefly is not necessarily sufficient to constitute a release of 
the technology required, for example, to develop or produce it. A 
foreign person's having theoretical or potential access to technology 
or software is similarly not a ``release'' because such access, by 
definition, does not reveal technology or software. A release would 
occur when the technology or software is revealed to the foreign 
person. The June 3 rule also proposed adding ``written'' to ``oral 
exchanges'' in paragraph (a)(2) as a means of release. No commenters 
objected to the clarification, and it remains unchanged. This final 
rule adds ``source code'' as well as ``technology'' to paragraph (a)(2) 
for consistency with paragraph (a)(1) and the definitions of deemed 
export and reexport; its omission from the June 3 rule was inadvertent.
    The proposed text also clarified, in paragraph (a)(3), that the 
application of ``technology'' and ``software'' is a ``release'' in 
situations where U.S. persons abroad use personal knowledge or 
technical experience acquired in the United States in a manner that 
reveals technology or software to foreign nationals. As indicated by 
various BIS training materials and statements of BIS officials publicly 
and in response to specific questions, this clarification makes 
explicit a long-standing BIS interpretation of the EAR. The June 3 
rule's proposed definition did not use the existing phrase ``visual 
inspection by foreign nationals of U.S.-origin equipment and 
facilities'' because such inspections do not per se release 
``technology.'' For example, merely seeing equipment does not 
necessarily mean that the seer is able to glean any technology from it 
and, in any event, not all visible information pertaining to equipment 
is necessarily ``technology'' subject to the EAR.
    Four commenters stated that this redefinition of ``release'' was 
helpful.
    Three comments expressed concern that paragraph (a)(1) is not 
sufficiently explicit in clarifying that visual inspection must 
``actually'' or ``substantively'' reveal technology in order to be 
defined as a ``release,'' or that ``actual access'' rather than 
``theoretical access'' is caught. BIS believes that the intent is clear 
and that the text only would be complicated by additional 
modifications. One commenter requested that BIS simplify the provision 
in which application of personal knowledge constitutes a release. Upon 
further consideration, BIS determined that the control criteria in that 
provision are already covered by the provisions governing inspection 
and oral or written exchanges. Therefore, BIS does not adopt this 
paragraph (a)(3) in this final rule. BIS has, however, created FAQs 
that include the points and examples contained in the foregoing 
description of the changes to the definition of ``release.''
    One commenter recommended that paragraph (a)(6) in the June 3 
rule's proposed definition of ``export,'' which addressed transfer of 
decryption keys or other such information, be moved to the definition 
of ``release.'' Related to the revisions regarding transfer of access 
information, and consistent with this commenter's recommendation, this 
final rule adopts in Sec.  734.15(b) a provision stating that the act 
of causing the ``release'' of ``technology'' or ``software,'' through 
use of ``access information'' or otherwise, to onesself or another 
person requires an authorization to the same extent an authorization 
would be required to export or reexport such ``technology'' or 
``software'' to that person.
    The purpose of this provision is to make it clear that the person 
who uses, for example, a password to access a technology database, or 
who hacks into the database, to transfer technology to himself or 
someone else is the one who caused the release of technology rather 
than the person who first placed the technology in the database through 
a technology export or an act described in new Sec.  734.18(a)(5). This 
provision codifies that basic concept that the unwitting victim of, for 
example, a database hack is not the one responsible for the theft of 
technology--the hacker is the one responsible because it is that person 
who caused the release through the use of a password or other access 
information. This provision is merely an application with respect to 
intangibles of a concept that is basic to tangible items--the export of 
an item is not the cause of a third person's later reexport of the same 
item. Placing technology into a database is not the cause of a third 
person's later transfer of the technology through the use of access 
information. The third person's use of the access information is the 
cause of the release to himself or others.
    Although the person who originally placed the technology into the 
database did not cause its release to the third person who used access 
information to later cause the technology to be released, the person 
who originally placed the technology into the database nonetheless 
would have liability in connection with the third party technology 
exfiltration if, for example, it conspired with the exfiltrator (see 
Sec.  764.2(d)) or placed the technology into the database with 
``knowledge'' that the exfiltrator would later violate the EAR by 
causing its release without a required

[[Page 35593]]

license (see Sec.  764.2(e)). Similarly, liability would arise from a 
violation of new section 734.19, which, as discussed below, states that 
providing a password or other access information to someone with 
``knowledge'' that the provision would result in the release of 
technology or software to the third person is tantamount to releasing 
the technology or software itself to the third person. BIS has created 
FAQs describing all the points in the foregoing examples.
    Finally, and in contrast to section 734.19, new section 734.15(b) 
does not contain a ``knowledge'' element. Thus, a ``release'' of 
``technology'' or ``software'' occurs when access information is used 
to transfer the ``technology'' or ``software''--resulting in liability 
if the release was not undertaken pursuant to a required authorization 
and regardless of whether the one using the access information knew it 
would be transferring controlled ``technology'' or ``software'' when it 
did so.

Transfer (In-Country)

    The June 3 rule proposed removing the definition of ``transfer (in-
country)'' from Sec.  772.1 and adding the following revised definition 
to new Sec.  734.16: ``a transfer (in-country) is a change in end use 
or end user of an item within the same foreign country.'' This revision 
was intended to eliminate any potential ambiguity regarding whether a 
change in end use or end user within a foreign country is a ``transfer 
(in-country).'' ``Transfer (in-country)'' parallels the term 
``retransfer'' in the ITAR.
    Four commenters said that this revision expands controls, and that 
such changes were beyond exporters' knowledge or control. While BIS 
acknowledges that ``end use'' was not explicitly included in the former 
definition of ``transfer (in-country),'' a change in end use is 
nonetheless a material change. When BIS and the other agencies review 
an application's description of a proposed end use and approve the 
license based on that end use, BIS is approving the transaction for the 
end use described, not all other end uses in the same country. Other 
end uses may or may not be acceptable, but a change in end use from 
that which the U.S. Government reviewed would be material in that there 
is the possibility that another end use may not have been approved. BIS 
further notes that, depending on the facts of the transaction, the 
foreign party may be responsible for obtaining authorization for the 
subsequent disposition of the item subject to the EAR. If a violation 
occurs, BIS will assess responsibility based on whether the parties 
involved violated any of the provisions of section 764.2 
(``violations'').
    To assist the commenters and others who have questions about BIS's 
policy regarding when a license or other authorization is required for 
in-country transfers, BIS has made the following the standard first 
condition on its licenses: ``Items subject to the EAR and within the 
scope of this license may not be reexported or transferred (in-country) 
unless such reexport or in-country transfer is (i) authorized by this 
license, or another license or other approval issued by the U.S. 
Government; (ii) authorized by a license exception or other 
authorization under the Export Administration Regulations (EAR); or 
(iii) to a destination, end user, and end use that would be ``NLR'' (No 
License Required) under the EAR.''

Export of Encryption Source Code and Object Code Software

    The June 3 proposed rule included a new Sec.  734.17, export of 
encryption source code and object code software, that retained the text 
of Sec.  734.2(b)(9) with only minor conforming and clarifying edits. 
Its relocation to a new, separate section, following similar 
definitions improves its accessibility to exporters.
    BIS received no comments on its proposed minor revisions to Sec.  
734.2(b)(9) or its creation of Sec.  734.17. These revisions are 
adopted in this final rule.

Activities That Are Not Exports, Reexports, or Transfers

    The June 3 proposed rule solicited public comment on two questions 
regarding the proposed definition of ``Activities that are not exports, 
reexports, or transfers.'' First, with respect to end-to-end 
encryption, BIS asked whether the illustrative standard proposed in the 
EAR rulemaking also should be adopted in the ITAR rulemaking; whether 
the safe harbor standard proposed in the ITAR rulemaking also should be 
adopted in the EAR rulemaking; or whether the two bodies of regulations 
should have different standards. Second, BIS asked whether encryption 
standards adequately address data storage and transmission issues with 
respect to export controls.
    As proposed, Sec.  734.18 gathered existing EAR exclusions from 
exports, reexports, and transfers into one place, and included a new 
exemption for encrypted technical data and software. A number of 
changes and adjustments are made in this final rule to the proposed 
text in response to comments received from the public.
    Paragraph (a)(1) in the June 3 proposed rule stated that by 
statute, launching a spacecraft, launch vehicle, payload, or other item 
into space is not an export. See 51 U.S.C. 50919(f). BIS received no 
comments on this paragraph and adopts it in this final rule.
    Paragraph (a)(2) in the June 3 proposed rule was based on text in 
former Sec.  734.2(b)(2)(ii) of the EAR, and provided that release in 
the United States of technology or software to U.S. nationals, 
permanent residents, or protected individuals would not be an export. 
In this final rule, the term ``release'' has been replaced in Sec.  
734.18(a)(2) with ``transmitting or otherwise transferring,'' and the 
previous reference to U.S. persons, permanent residents, and protected 
individuals has been eliminated in favor of a reference to a person 
``who is not a foreign person'' for reasons of clarity and brevity. The 
EAR contain three definitions of ``U.S. person,'' only one of which is 
applicable to this section. Additionally, the ITAR use the term 
``foreign person,'' and a comment from a BIS technical advisory 
committee recommended adopting the term in the EAR. ``Foreign person'' 
accordingly is defined in a new entry in Sec.  772.1.
    The change creates a structure parallel to that which is being 
adopted in the State rule published concurrently with this final rule, 
and to make clear that transmission from one U.S. person in the United 
States to another, regardless of the means or route of the 
transmission, does not constitute an export. Along the same lines, 
paragraph (a)(3) is added to clarify that the transmission between or 
among U.S. persons within the same foreign country similarly does not 
constitute an export, reexport, or transfer. The State June 3 rule 
received comments recommending these revisions, and this final rule 
adopts them in the EAR to stay parallel with the ITAR text.
    Proposed paragraph (a)(3) in the June 3 rule contained text from 
Sec.  734.2(b)(8) stating that shipments between or among the states or 
possessions of the United States are not ``exports'' or ``reexports.'' 
The words ``moving'' and ``transferring'' were inserted next to 
``shipment'' in order to avoid suggesting that the only way movement 
between or among the states or possessions would not be a controlled 
event was if they were ``shipped.'' BIS received no comments on this 
paragraph and adopts it in this final rule, renumbered as paragraph 
(a)(4).
    Paragraph (a)(5)--numbered (a)(4) in the June 3 proposed rule--
provides that technology and software that is encrypted in accordance 
with certain

[[Page 35594]]

specified criteria are not exports, reexports, or transfers even when 
they leave one country for another. In the June 3 proposed rule, this 
paragraph specifically excluded from this carve-out technology and 
software stored in countries in Country Group D:5 and Russia, for 
foreign policy reasons. In response to comments pointing out that 
Internet traffic in transit across D:5 countries and Russia may be 
technically ``stored'' temporarily on servers located in these 
countries without the knowledge of the sender, BIS has added text in 
(a)(5) specifying that the carve-out continues to apply to technology 
not authorized under the EAR for storage in these countries or intended 
for storage in these countries. Encrypted data may not be stored in 
these countries unless an appropriate authorization is available or has 
been approved. BIS has also added a note clarifying that data in-
transit via the Internet is not deemed to be stored. For a more 
complete understanding of Sec.  734.18(a)(5), see the discussion above 
of Sec.  734.15(b).
    BIS received many comments on the proposed definition of ``end-to-
end encryption,'' the presence of which is a condition of the export 
control carve-out for technology and software. Commenters observed that 
encryption and decryption services may be provided within defined 
security boundaries by organizational rather than personal systems or 
servers. BIS agrees that in such cases, the security objectives of the 
``end-to-end'' requirement in terms of eliminating access by third 
parties can still be met by expanding the definition of ``end-to-end'' 
to include transmissions between security boundaries.
    This approach has the added advantages of providing more 
flexibility and allowing the execution of shared services, such as 
virus scanning, that can enhance security. However, BIS has also 
specified that the ``security boundary'' must be in-country--that is, 
such boundaries cannot be defined as including infrastructure resources 
encompassing multiple countries. A consequence of this requirement is 
that data eligible for the carve-out must by definition be encrypted 
before crossing any national boundary and must remain encrypted at all 
times while being transmitted from one security boundary to another. 
This principle applies to transmissions within a cloud service 
infrastructure, where a transmission from one node or cloud 
infrastructure element to another could qualify for the carve-out 
provided that it was appropriately encrypted before any data crossed a 
national border.
    The June 3 proposed rule's definition of end-to-end encryption 
included a clause that specified that data not be decrypted at any 
point between the initiation of the transmission by the originator and 
its receipt by the intended recipient. The purpose of this requirement 
was to prevent unauthorized access to data in clear text by parties 
other than the originator (or the originator's company or organization) 
and the recipient, such as external service providers.
    Commenters pointed out that in many circumstances, companies and 
organizations encrypt and decrypt multiple times in the course of 
transmission between originator and recipient for technical reasons 
(for example, to initially establish communications with a VPN server 
and subsequently to transmit among servers) without release to any 
third party. As a result, the point-to-point requirement in the 
original proposal would impose an unnecessary and potentially 
disruptive burden on many encryption applications, in which data in 
clear text are never actually shared.
    To address this problem and more precisely describe BIS's original 
intent with the provision, BIS eliminated the statement in the end-to-
end definition specifying that exempted data must be encrypted by the 
originating party without decryption except by the intended recipient. 
This final rule adopts instead a requirement that the means of 
decryption may not be provided to any third party, thus permitting 
decryption and re-encryption within the security boundary of either the 
originator or recipient, provided that no third party (i.e., a party 
outside the security boundary) has the ability to access the data in 
clear text, and that no decryption takes place outside of the security 
boundaries of the originator and the recipient.
    The June 3 proposed rule's paragraph (4)(iii), which this final 
rule adopts in paragraph (5)(iii), described encryption standards that 
would qualify for the exemption. In the BIS proposed rule, use of 
encryption modules certified under the Federal Information Processing 
Standards Publication 140-2 (FIPS 140-2), supplemented by appropriate 
software implementation, cryptographic key management and other 
procedures or controls that are in accordance with guidance provided in 
current U.S. National Institute for Standards and Technology 
publications, would qualify as sufficient security.
    A number of commenters questioned the designation of the FIPS 140-2 
as an example of effective cryptography and thus a qualification for 
the control carve-out, preferring instead no reference to a standard, 
or a reference to any ``commercially reasonable'' standard.
    BIS rejects these suggestions. FIPS 140-2 is a well-understood 
cryptographic standard used for Federal Government procurement in the 
United States and Canada, as well as for many other uses, both in the 
U.S. and abroad. Citation of this standard provides a useful reference 
point for what the U.S. Federal Government considers effective 
encryption.
    The text adopted in this final rule allows for use of ``equally or 
more effective cryptographic means,'' meaning that alternative 
approaches are allowable provided that they work as well as or better 
than FIPS 140-2. In such cases, the exporter is responsible for 
ensuring that the alternative approaches work as well as or better than 
FIPS 140-2, regardless of common commercial practices.
    In the June 3 proposed rule, paragraph (c) confirmed that the mere 
ability to access ``technology'' or ``software'' while it is encrypted 
in a manner that satisfies the requirements in the section does not 
constitute the ``release'' or export of such ``technology'' or 
``software.'' This responds to a common industry question on the issue. 
This final rule adopts the proposed text with only a minor revision to 
correct a cross-reference.

Transfer of Access Information

    New Sec.  734.18(a)(5)(iii) excludes transfers of information 
encrypted to a particular standard as not being exports, reexports, or 
transfers and, thus, not subject to the EAR. Logically, providing keys 
or other information that would allow access to encrypted data 
exported, reexported, or released under this provision should be 
subject to controls much as the export, reexport, or transfer of the 
data itself. In the June 3 proposed rule, this concept was specifically 
addressed in proposed Sec.  734.13(a)(6) as part of the definition of 
``export.'' The June 3 rule also proposed adding a new paragraph (l) to 
Sec.  764.2 ``Violations'' providing that the unauthorized release of 
decryption keys or other information that would allow access to 
particular controlled technology or software would constitute a 
violation to the same extent as a violation in connection with the 
export of the underlying controlled ``technology'' or ``software.''
    Although recognizing the need to control the decryption of 
controlled technical data otherwise exempted by the encryption carve-
out, commenters noted that this construction might lead to the 
conclusion that keys and other

[[Page 35595]]

data permitting access might be controlled as separate stand-alone 
items, distinct from the underlying data that they could potentially 
release. This would pose problems with key and identity management, 
where such data are stored and transmitted separately. Controlling 
access information as a distinct item was not the intent of the 
proposal. As also discussed below with respect to the definition of 
``technology,'' one commenter stated that decryption keys and other 
such information are not technology and recommended moving the proposed 
paragraph (a)(5) text to the definition of ``release'' and control 
``accessing'' them. To address the concerns of such commenters, this 
final rule creates a new positive authorization requirement in a new 
Sec.  734.19, stating that ``[t]o the extent an authorization would be 
required to transfer ``technology'' or ``software,'' a comparable 
authorization is required to transfer access information if with 
``knowledge'' that such transfer would result in the release of such 
``technology'' or ``software'' without a required authorization.'' Five 
commenters found use of the term ``cause or permit'' inconsistent with 
BIS's principle of an export's occurring only when actual export or 
transfer takes place. This final rule replaces the former reference to 
``cause or permit'' with ``result in.''
    One commenter requested ``the removal of Sec.  764.2(l) in its 
entirety as the current language of Sec.  764.2 is adequate.'' With 
creation of new Sec.  734.19, and in light of the availability of Sec.  
764.2 to punish any violation of Sec.  734.19, BIS accepts this comment 
and does not adopt the proposed Sec.  764.2(l) in this final rule.
    To simplify this section, proposed references to ``decryption keys, 
network access codes, passwords and other information,'' are replaced 
with a new Sec.  772.1 definition of ``access information,'' which uses 
these as examples only of information that allows access to encrypted 
technology or encrypted software in an unencrypted format. In response 
to a commenter's request for a definition of ``clear text,'' this final 
rule replaces references to ``clear text'' with ``in an unencrypted 
form,'' as part of the definition of ``access information.''
    References in the June 3 proposed rule to what is termed ``access 
information'' in this final rule (e.g., references to decryption keys) 
were eliminated in the Sec.  772.1 definition of ``technology,'' the 
Sec.  734.13 definition of export, and the Sec.  734.14 definition of 
reexport.

Activities That Are Not Deemed Reexports

    The June 3 proposed rule created a new Sec.  734.20, Activities 
that are not Deemed Reexports. This section codified BIS's interagency-
cleared Deemed Reexport Guidance previously posted on the BIS Web site 
and dated October 31, 2013. This guidance was created so that the 
provisions regarding possible deemed reexports contained in Sec. Sec.  
124.16 and 126.18 of the ITAR would be available for EAR technology and 
source code in addition to legacy BIS guidance on the topic.
    Under BIS's legacy guidance and new Sec.  734.20, release of 
technology or source code by an entity outside the United States to a 
foreign national of a country other than the foreign country where the 
release takes place does not constitute a deemed reexport of such 
technology or source code if the entity is authorized to receive the 
technology or source code at issue, whether by a license, license 
exception, or in situations where no license is required under the EAR 
for such technology or source code and the foreign national's most 
recent country of citizenship or permanent residency is that of a 
country to which export from the United States of the technology or 
source code at issue would be authorized by the EAR either under a 
license exception, or in situations where no license under the EAR 
would be required.
    Release of technology or source code by an entity outside the 
United States to a foreign national of a country other than the foreign 
country where the release takes place also does not constitute a deemed 
reexport if: (i) The entity is authorized to receive the technology or 
source code at issue, whether by a license, license exception, or 
through situations where no license is required under the EAR; (ii) the 
foreign national is a bona fide regular and permanent employee (who is 
not a proscribed person) of the entity; (iii) such employee is a 
national exclusively of a country in Country Group A:5; and (iv) the 
release of technology or source code takes place entirely within the 
physical territory of any such country, or within the United States.
    For nationals other than those of Country Group A:5 countries, 
which are close military allies of the United States, other criteria 
may apply. In particular, the section specifies the situations in which 
the releases would not constitute deemed exports in a manner consistent 
with Sec.  126.18 of the ITAR. For purposes of this section, 
``substantive contacts'' has the same meaning as it has in Sec.  126.18 
of the ITAR. The proposed phrase ``permanent and regular employee'' was 
a combination of BIS's definition of ``permanent employee,'' as set 
forth in a BIS advisory opinion issued on November 19, 2007 (available 
on the BIS Web site), and the ITAR's definition of ``regular employee'' 
in Sec.  120.39. The June 3 proposed rule added specific text excluding 
persons proscribed under U.S. law to make clear that Sec.  734.20 does 
not authorize release of technology to persons proscribed under U.S. 
law, and defined ``proscribed person'' in Sec.  772.1. (Note: The U.S.-
U.K. Exchange of Notes and U.S.-Canadian Exchange of Letters referred 
to in the existing online guidance can be found on the State 
Department's Web site. The URLs for the letters are not being published 
in the EAR because URL addresses periodically change. BIS will place 
the URL references in an ``FAQ'' section of its Web site.)
    One commenter stated that due to the number of conditions contained 
in these provisions, this section should be a license exception. BIS 
does not agree. Many if not most of the transactions to which these 
provisions apply are already covered by a license or a license 
exception; this section will generally allow affected entities to 
comply with the terms of those authorizations in a rational way that 
will meet U.S. control objectives while minimizing conflict with non-
U.S. entities' domestic requirements.
    Two commenters requested that BIS replace ``is certain'' of a 
foreign person's most recent country of citizenship or permanent 
residency with ``has knowledge,'' to address concerns about ability to 
comply with such a standard. BIS agrees with this comment and adopts 
``has 'knowledge''' in this final rule.
    One commenter requested that BIS add ``or within the physical 
territory of the United States'' to certain provisions to account for 
the possibility of releases in the United States, because often 
``release of U.S.-origin technology or software could be said to take 
place partially within the United States and partially within the 
country in which the foreign person employee is located;'' BIS accepts 
this request. Another commenter requested that for releases to A:5 
nationals, BIS ``also include countries where the entity conducts 
official business or operates, which is part of Sec.  734.20(c) Release 
to other than A:5 nationals.'' BIS did not adopt this request because 
it would expand the provision too broadly.
    Two commenters requested that BIS cross reference the ``deemed 
reexport'' definition in Sec.  734.14(b). BIS accepts this request. One 
commenter asked BIS

[[Page 35596]]

to clarify that this section addresses non-U.S. entities. BIS believes 
that this is clear from context and is thus not changing the rule in 
response to this comment. However, BIS is including a description of 
the purpose of this section in its FAQs.
    Two commenters objected to the requirement that employees must be 
engaged for a year to be eligible for these provisions and asked that 
it be removed. Additionally, two commenters objected to the associated 
screening and recordkeeping requirements and asked that they be 
reduced. BIS does not accept these comments. The year-long period and 
the screening and recordkeeping requirements reduce the risk of 
diversion associated with the technology release.

Questions and Answers--Technology and Software Subject to the EAR

    The June 3 proposed rule removed Supplement No. 1 to part 734, 
``Questions and Answers--Technology and Software Subject to the EAR'' 
on the basis that the questions and answers are illustrative rather 
than regulatory, and are therefore more appropriately posted as Web 
site guidance than included in the EAR. BIS specifically solicited 
comments on whether the questions and answers in existing Supplement 
No. 1 to part 734 proposed to be removed have criteria that should be 
retained in part 734.
    Thirty commenters stated that BIS should not remove the questions 
and answers from the EAR. Reasons cited for opposing removal of the 
supplement included that the questions and answers will not have the 
same weight on the BIS Web site as they do in the EAR; that they are 
legally binding in the EAR; that their removal will create uncertainty; 
that their presence in EAR lessens the likelihood that interpretations 
will change outside the rulemaking process and promotes consistency of 
interpretation; and that other supplements contain regulatory 
information. One of these comments went on to say, ``Accordingly, 
Supplement No. 1 must not be removed unless all its substantive 
provisions are adequately incorporated into Part 734 or elsewhere in 
the regulations'' (emphasis supplied). BIS believes that the adequate 
incorporation of substantive provisions is the key point behind the 
comments. This concern drove the specific solicitation in the June 3 
rule to identify criteria in the Supplement that should be retained in 
part 734. None of the thirty comments opposing removal of this 
Supplement from the EAR identified any substantive provisions that were 
not adequately incorporated into part 734 or elsewhere in the EAR. BIS 
is publishing on its Web site FAQs that will cover the same guidance 
that was found in Supplement No. 1, in addition to answers to other 
questions generated by the public comments to the proposed rule. 
Questions regarding how regulations apply to specific fact patterns are 
better set out in FAQs. In sum, although Supplement No. 1 will no 
longer be in the EAR, all its content will be placed into FAQs on BIS's 
Web site in addition to the other FAQs referred to in this preamble.

Technology

    In the June 3 proposed rule, paragraph (a)(1) of the definition of 
technology reads as follows: ``Information necessary for the 
``development,'' ``production,'' ``use,'' operation, installation, 
maintenance, repair, overhaul, or refurbishing (or other terms 
specified in ECCNs on the CCL that control ``technology'') of an item. 
``Technology'' may be in any tangible or intangible form, such as 
written or oral communications, blueprints, drawings, photographs, 
plans, diagrams, models, formulae, tables, engineering designs and 
specifications, computer-aided design files, manuals or documentation, 
electronic media or information gleaned through visual inspection.''
    A note addressed modification of items. Proposed paragraphs (a)(2) 
through (a)(4) of the definition were held in reserve to allow for the 
eventual mirroring of the corresponding ITAR paragraph structure while 
not including provisions that were not relevant to the EAR. Proposed 
paragraph (a)(5) described access information. Proposed paragraph (b) 
described exclusions from the definition of technology.

Required vs. Necessary

    For the definition of ``technology,'' four commenters recommended 
that ``necessary'' be revised to read ``required'' to match the 
proposed ITAR definition. BIS does not adopt these recommendations. 
``Required'' is a defined term that describes certain technology on the 
Commerce Control List, and not all technology that is subject to the 
EAR is controlled on the Commerce Control List. One commenter 
recommended restoring a note from the definition that existed in the 
EAR prior to publication of this rule, to the effect that technology 
not elsewhere specified on the Commerce Control List is designated as 
EAR99 unless it is not subject to the EAR. BIS does not accept this 
recommendation in this final rule because a regulatory change is not 
required to make the same point. BIS will, however, add an FAQ stating 
that ``technology'' subject to the EAR and that is not described on the 
CCL is designated EAR99. One commenter recommended including a note 
that refers to the General Technology Note. BIS accepts this comment 
and includes the reference in this final rule.

``Use'' Elements

    As explained in the preamble to the June 3 rule, the proposed 
definition of ``technology'' was based on the Wassenaar Arrangement 
definition of technology, including the Wassenaar-defined sub-
definitions of ``development,'' ``production,'' and ``use,'' which are 
currently defined in Sec.  772.1. (No changes were proposed to the 
definitions of ``development,'' ``production,'' and ``use'' in the June 
3 rule, and none are made in this final rule.) The June 3 rule proposed 
no change to BIS's long-standing policy that all six activities in the 
definition of ``use'' (operation, installation (including on-site 
installation), maintenance (checking), repair, overhaul and 
refurbishing) must be present for an item to be classified under an 
ECCN paragraph that uses ``use'' to describe the ``technology'' 
controlled. (See 71 FR 30842, May 31, 2006.) Drawing from this existing 
framework, the proposed definition of ``technology'' included the terms 
``operation, installation, maintenance, repair, overhaul, or 
refurbishing (or other terms specified in ECCNs on the CCL that control 
`technology') of an item'' because such words are used to describe 
technology controlled in multiple ECCNs, often with ``or'' rather than 
the ``and'' found in ``use.''
    One commenter recommended inserting a Note in the definition of 
technology that states the BIS policy that all six elements are 
necessary for ``use'' technology. BIS does not adopt this 
recommendation in this final rule because the definition of ``use'' 
links the six elements with the conjunctive ``and'' rather than the 
disjunctive ``or.'' BIS nonetheless makes this point in an FAQ 
pertaining to the word ``use'' in the definition of ``technology.'' One 
commenter recommended removing the term ``installation'' from the 
definition based on its use in the context of the definition of defense 
services. BIS does not accept this comment. Many entries on the 
Commerce Control List explicitly control installation technology, and 
it is also an element of ``use'' technology. Three commenters 
recommended that BIS remove the separate listing of the six ``use'' 
elements or limit them to control of 600 series items. BIS does not 
accept these recommendations. The six elements may be listed separately 
in

[[Page 35597]]

entries on the Commerce Control List and are not limited to 600 series 
entries.

Information Gleaned Through Visual Inspection

    One commenter suggested dropping ``or information gleaned through 
visual inspection'' because it was a form or method of transfer, not 
what constitutes technology. BIS adopts the recommendation in this 
comment in part. ``Information gleaned through visual inspection'' is 
an example of a form of technology, with visual inspection as the 
method of transfer. The list to which this example belongs, however, 
illustrates rather than defines ``technology;'' therefore, BIS adopts 
the text as Note 1 to the definition of ``technology'' in this final 
rule, limiting the definition to what constitutes technology and 
illustrating the forms in a note.
    Another commenter suggested using ``revealed'' instead of 
``gleaned,'' first to align with ``release,'' and second, because ``use 
of the term `glean' implies the value of the information is based on 
the capability of the viewer, which is unknowable and unquantifiable. 
The use of the term `reveal' is a more objective measure of what is 
provided by the visual inspection.'' BIS agrees and has adopted the 
term ``revealed'' in this final rule.

Modification Note

    The June 3 rule proposed adding a note to address a common industry 
question about modification. The note read as follows: ``The 
modification of an existing item creates a new item and technology for 
the modification is technical data for the development of the new 
item.''
    Three commenters suggested revisions to this note. Two commenters 
described the note as overbroad or confusing. One commenter recommended 
adding ``production'' as well as ``development.'' In this final rule, 
BIS has adopted a revision that clarifies and narrows the description 
of the technology for modification, and includes ``production'' 
technology. The revised note reads as follows: ``The modification of 
the design of an existing item creates a new item and technology for 
the modified design is technology for the development or production of 
the new item.'' BIS created this note to address the fact that multiple 
variations of a product are usually created by one or more companies, 
and companies often struggle with how to classify the technology that 
is and is not common to the variations. Consider, for example, a 
company that makes a 9A991.d civil aircraft switch. It later modifies 
the switch so that it would work in a military aircraft. The modified 
switch--the ``dash one'' model--is, in this example, specially designed 
for a military aircraft and thus controlled under ECCN 9A610.x. The 
technology that is common to both switches is 9E991, but the additional 
or different technology to make the 9A610.x switch is controlled under 
9E610. That is, the technology additional or different that is required 
to make the 9A991.d commercial aircraft switch into a 9A610.x switch is 
the technology for the new, modified item. This example is contained in 
an FAQ posted on the BIS Web site.

Decryption Keys

    One commenter stated that decryption keys and other such 
information are not technology and recommended moving the proposed 
paragraph (a)(5) text to the definition of ``release'' and control 
``accessing'' them. Another commenter pointed out that keys may also be 
hardware or software. BIS agrees with these comments; therefore, BIS 
does not adopt proposed paragraph (a)(5) in this final rule and adds 
text to the definition of ``release'' regarding transfer of ``access 
information'' (see also discussion above).

Exclusions

    The June 3 rule proposed adding three exclusions to clarify the 
limits of the scope of the definition of ``technology:'' non-
proprietary general system descriptions; information on basic function 
or purpose of an item; and telemetry data as defined in note 2 to 
Category 9, Product Group E (see Supplement No. 1 to Part 774 of the 
EAR).
    The first two exclusions paralleled exclusions in the ITAR and the 
third, the exclusion of telemetry data, mirrored specific exclusions 
added to both the ITAR and the EAR as part of recent changes regarding 
the scope of U.S. export controls pertaining to satellites and related 
items. See 79 FR 27417 (May 13, 2014).
    One commenter recommended excluding Build/Design-to-Specifications 
from the definition of technology and adding sub-definitions of 
different forms of technology. BIS does not accept this recommendation 
in this final rule because such specifications are not always outside 
the scope of the EAR's definition of ``development'' or ``production'' 
technology. However, BIS will incorporate information on this topic 
into its FAQs. Five commenters objected to use of the term ``non-
proprietary,'' arguing that certain proprietary system descriptions 
should not be subject to the EAR. One commenter thought that the term 
``systems'' was too narrow. BIS did not adopt these recommendations. 
Whether a particular technology is one that the possessor would readily 
share with competitors provides a fairly reliable test of whether that 
technology is subject to the EAR. With respect to the breadth of the 
term ``system,'' BIS notes that this exclusion is not the only 
provision in the EAR under which technology may be determined to be not 
subject. BIS did remove the modifier ``general,'' because of its 
potential to be ambiguous and subjective. BIS also did not adopt in 
this final rule the exclusion for ``information on basic function or 
purpose of an item,'' because the phrase was too vague and 
substantively already addressed by other provisions.
    One commenter questioned the scope of these exclusions from the 
definition of technology and another questioned how the exclusions from 
the definition should be read in conjunction with the provisions in the 
Scope part that make items not subject to the EAR. Based on these 
comments, and as noted earlier in the preamble to this final rule, the 
exclusion of ``information on basic function or purpose of an item'' is 
not adopted and the remaining two exclusions are moved from the 
definition of technology to Sec.  734.3(b)(3).

Required

    The June 3 proposed rule retained the existing EAR definition of 
``required'' in Sec.  772.1, but added notes clarifying the application 
of the term. It removed parenthetical references in the existing 
definition to CCL Categories 4, 5, 6, and 9 to avoid the suggestion 
that BIS applies the definition of ``required'' only to the uses of the 
term in these categories. BIS has never had a separate definition of 
``required'' used elsewhere in the EAR, and this removal merely 
eliminated a potential ambiguity and reflects long-standing BIS policy 
that ``required'' applies generally to ``technology'' entries on the 
CCL. (See, e.g., the Advisory Opinion dated December 27, 2010 on the 
BIS Web site.) BIS received one comment praising the removal of the 
references and none objecting to it; the revision is adopted in this 
final rule. The definition of ``required'' contained an illustrative 
example. BIS did not propose any revisions to this example in the June 
3 rule. In this final rule, however, BIS revises the example to make 
clear that technology that is peculiarly responsible for the 
characteristics of the item that make it controlled is thus 
``required'' technology. This subtle change thus responds to the 
question of which

[[Page 35598]]

technology is ``peculiarly responsible'' but without changing the well-
established definition of ``required'' that is central to the scope of 
the technology and software controls in the EAR. This revision also 
addresses issues raised by commenters, discussed more fully below, with 
respect to the proposed definition of ``peculiarly responsible.''
    To address common questions BIS has received regarding the meaning 
of the word ``required,'' the June 3 rule proposed adding two notes. 
The first stated that the references to ``characteristics'' and 
``functions'' are not limited to entries on the CCL that use specific 
technical parameters to describe the scope of what is controlled. The 
``characteristics'' and ``functions'' of an item listed are, absent a 
specific regulatory definition, a standard dictionary's definition of 
the item. The first note also included examples of this point. The 
second note referred to the fact that the ITAR and the EAR often divide 
within each set of regulations or between each set of regulations (a) 
controls on parts, components, accessories, attachments, and software 
and (b) controls on the end items, systems, equipment, or other 
articles into which those parts, components, accessories, attachments, 
and software are to be installed or incorporated. The note also 
referred to jurisdiction over technology. The public comments on these 
parts of the notes were favorable and the first note is included in 
this final rule without modification, except that it is now designated 
as Note 2 to the definition of ``required.'' The second note is split 
into Notes 1 and 3 to the definition of ``required,'' and the text is 
modified from the June 3 proposal as discussed below.
    A core tenet of ECR is that the jurisdictional status of the 
technical data/technology for an article that moves from the USML to 
the EAR follows the article. BIS and DDTC recognize the need to clarify 
the jurisdictional line for such technical data/technology. To help 
those making jurisdictional self-determinations for technical data/
technology pertaining to articles affected by the reform effort, BIS 
and DDTC had proposed in their respective June 3 rules common 
definitions of ``required'' and ``peculiarly responsible'' so that the 
regulatory line between technical data subject to the ITAR and 
technology subject to the EAR would be bright. Based on a review of the 
comments, BIS and DDTC have, however, decided not to publish their 
proposed common definitions of ``required'' and ``peculiarly 
responsible.'' (See discussion of the public comments on ``peculiarly 
responsible'' below.) Rather, DDTC and BIS have determined that a 
better way for the ITAR to address this bright-line objective is for 
DDTC to publish, and get public comments on, a proposed definition of 
``directly related'' that will eventually lead to a final ITAR 
definition acceptable to both DDTC and BIS. The reason for this 
approach is that, with the exception of technical data specifically 
enumerated on the USML, technical data is subject to the ITAR only if 
it is ``directly related'' to a defense article. This means, by 
definition, that technology that is indirectly related to, or only 
``related to,'' a defense article, such as by merely being capable for 
use with, used in connection with, or somehow having something 
generally to do with the eventual functioning of a defense article, is 
not subject to the ITAR and is, thus, subject to the EAR. For example, 
technology required for the production of a 9A610.x aircraft 
component--which, by definition, means that that it is specially 
designed for a USML VIII(a) aircraft--does not become subject to the 
ITAR merely because it generally relates to a defense article by virtue 
of being a component that will be or is integrated into and necessary 
for the functioning of the aircraft subject to the ITAR. It is 
technology required for the aircraft component subject to the EAR, not 
the whole of the USML aircraft or another defense article, and thus 
subject to the EAR. On the other hand, technical data that is directly 
related to the production of a component subject to the ITAR does not 
become subject to the EAR merely because, for example, it is developed 
or manufactured with equipment subject to the EAR.
    Wanting to nonetheless respond to the comments seeking guidance 
regarding the jurisdictional status of technology pertaining to items 
that have moved to the CCL from the USML and to further advance the 
effort of creating a truly bright line jurisdictional rule, BIS is 
publishing with this rule as a third note to ``required'' its guidance 
on the topic because the meaning of ``required'' is central to such 
determinations. Specifically, unclassified technology not specifically 
enumerated on the USML is ``subject to the EAR'' if it is ``required'' 
for the ``development,'' ``production,'' ``use,'' operation, 
installation, maintenance, repair, overhaul, or refurbishing (or other 
terms specified in ECCNs on the CCL that control ``technology'') of a 
commodity or software that is ``subject to the EAR.'' If such 
information is technical data that is not ``required'' for an item 
subject to the EAR and directly related to a defense article, then it 
is subject to the ITAR. If the application of industry-standard or 
dictionary definitions of ``directly related'' does not resolve doubts 
about whether any unit of technical data is, as a matter of law, 
``directly related'' (as opposed to indirectly related) to a defense 
article, one should contact DDTC for resolution of the doubt through 
established procedures in the ITAR's Part 120.

Peculiarly Responsible

    In the June 3 rule, BIS proposed a definition of the term 
``peculiarly responsible'' that was modeled on the catch-and-release 
structure BIS adopted for the definition of ``specially designed.'' 
Thus, under the proposed definition, an item was ``peculiarly 
responsible'' for achieving or exceeding any referenced controlled 
performance levels, characteristics, or functions if it was used in 
``development,'' ``production,'' ``use,'' operation, installation, 
maintenance, repair, overhaul, or refurbishing of an item subject to 
the EAR unless (a) the Department of Commerce had determined otherwise 
in a commodity classification determination, (b) the item was identical 
to information used in or with a commodity or software that was or had 
been in production and was EAR99 or described in an ECCN controlled 
only for Anti-Terrorism (AT) reasons, (c) the item had been or was 
being developed for use in or with general purpose commodities or 
software, or (d) the item had been or was being developed with 
``knowledge'' that it would be for use in or with commodities or 
software described (i) in an ECCN controlled for AT-only reasons and 
also EAR99 commodities or software or (ii) exclusively for use in or 
with EAR99 commodities or software.
    BIS specifically solicited comments on whether the proposed 
definition of ``peculiarly responsible'' effectively explained how 
items may be ``required'' or ``specially designed'' for particular 
functions. Two commenters offered support for the definition but still 
suggested revisions. Twelve additional commenters objected to the 
definition, describing it as confusing and stating that it dramatically 
expanded the scope of control beyond the existing ``required'' 
technology definition. BIS agrees with these comments and does not 
adopt the proposed definition of ``peculiarly responsible'' in this 
final rule. As described above, in this final rule, peculiarly 
responsible is defined within the scope of the already existing 
definition of required, thus providing a definition while guaranteeing 
no expansion of scope.

[[Page 35599]]

Temporary Export of Technology

    The June 3 proposed rule included amended text in the temporary 
export of technology provisions of License Exception TMP by revising 
Sec.  740.9(a)(3) to clarify that the ``U.S. employer'' and ``U.S. 
persons or their employees'' using this license exception are not 
foreign subsidiaries. The proposed paragraph streamlined current text 
without changing the scope. In this final rule, BIS substitutes 
``foreign person'' for ``foreign national'' in this section for reasons 
discussed elsewhere in this preamble, except where ``natural person'' 
was meant and BIS substituted ``individual'' for clarity (and in so 
doing responded to a comment on including foreign nationals in 
paragraph (a)(3)(iii)). BIS also added authority to reexport or 
transfer (in-country) to the authority to export; the absence of these 
terms from the June 3 proposed rule was an oversight.
    One commenter stated that BIS should provide for use of this 
license exception by non-U.S. persons. Another commenter recommended 
that BIS expand the scope of the license exception to include foreign 
subsidiaries and affiliates. BIS does not adopt these recommendations. 
Because of the risks associated with securing temporary exports of 
technology, BIS is not broadening the provisions for foreign persons 
beyond those employed by U.S. companies or to allow use by foreign 
companies.
    BIS received two comments on the recordkeeping provision in 
paragraph (a)(3)(v), with one requesting that it be clarified and one 
requesting that it be removed in view of the existing broad 
recordkeeping requirements in the EAR. BIS agrees with these comments 
and does not adopt the recordkeeping provision in this final rule.
    One commenter asked BIS to clarify if TMP is available for remote 
access to U.S. servers. Another commenter asked BIS to clarify if 
taking an encrypted device is an export. BIS is not including these 
changes in regulatory text, because these are applications of the rule 
that are more appropriate to FAQs. However, BIS is confirming in its 
FAQs that TMP is available for remote access if its provisions are met. 
BIS is also confirming in its FAQs that taking an encrypted device is 
an export and referring to a different paragraph of Sec.  740.9 for 
authorizing export of devices. Devices are commodities and therefore 
not eligible for paragraph (a)(3), which authorizes only technology.
    One commenter recommended that BIS remove a requirement to encrypt 
the technology, saying that the list of techniques for securing the 
data required all to be used. BIS accepts this comment, and this final 
rule adds ``may'' before ``include'' to make clear that the list is 
illustrative. One commenter recommended allowing obfuscation/
tokenization to protect data. BIS agrees that done properly, this is an 
effective security measure, and will add an FAQ on the topic to its Web 
site.

Scope of a License

    The June 3 rule proposed implementing in the EAR the interagency-
agreed boilerplate notification for all licenses that was posted on the 
BIS Web site and began appearing on licenses December 8, 2014. It was a 
slight revision to the former Sec.  750.7(a), which stated that 
licenses authorize only the transaction(s) described in the license 
application and the license application support documents. The proposed 
revision also codified the existing interpretation that a license 
authorizing the release of technology to an entity also authorizes the 
release of the same technology to the entity's foreign nationals who 
are permanent and regular employees of the entity's facility or 
facilities authorized on the license, except to the extent a license 
condition limits or prohibits the release of the technology to 
nationals of specific countries or country groups.
    Two commenters requested that BIS drop the modifier ``permanent 
and'' from ``regular employees.'' BIS does not adopt this request due 
to risk of diversion associated with non-permanent and non-regular 
employees. See further discussion of this issue above with respect to 
activities that are not deemed reexports. The phrase ``under U.S. law'' 
that modified ``proscribed persons'' in the June 3 rule is not adopted 
in this final rule for reasons discussed in connection with the 
definition of ``proscribed persons'' below. Except for that change, 
this final rule adopts the text proposed in the June 3 rule.

Removals From and Additions to EAR's List of Definitions in Sec.  772.1

    This final rule creates stand-alone sections in the EAR to address 
the scope and meaning of ``publicly available information,'' ``publicly 
available technology and software,'' and ``technical data.'' To avoid 
redundancy, this rule removes those definitions from Sec.  772.1. In 
light of the changes described above, the definitions of ``export,'' 
``reexport,'' ``required,'' ``technology,'' and ``transfer'' are 
revised accordingly. A clarifying note is added at the bottom of the 
definition explaining that the use of ``transfer'' does not apply to 
the unrelated ``transfers of licenses'' provision in Sec.  750.10 or 
the antiboycott provisions in Supplement No. 8 to part 760 of the EAR. 
It also states that the term ``transfer'' may be included on licenses 
issued by BIS. In that regard, the changes that can be made to a BIS 
license are the non-material changes described in Sec.  750.7(c). Any 
other change to a BIS license without authorization is a violation of 
the EAR. See Sec. Sec.  750.7(c) and 764.2(e). Finally, consistent with 
the explanations above, definitions for the terms ``access 
information,'' ``foreign person,'' ``fundamental research,'' 
``proscribed person,'' ``publicly available encryption software,'' 
``published,'' and ``release'' are added to Sec.  772.1.
    One commenter stated that the definition of proscribed persons was 
overbroad, catching those individuals sanctioned under U.S. law without 
an export control nexus and recommended deleting ``under US law.'' BIS 
agrees with this comment. One commenter recommended striking 
``scientific'' from the definition of ``basic scientific research'' in 
part 772 and adding definitions of applied and fundamental research to 
part 772. BIS does not accept this recommendation. The definition of 
``basic scientific research'' reflects a Wassenaar Arrangement 
definition; it is retained in this final rule. A definition for applied 
research is not adopted because it is not necessary as a result of the 
adoption of a simplified definition of fundamental research, and as 
fundamental research is defined in Sec.  734.8, use of a cross 
reference in part 772 is appropriate.

Issues Raised by Public Comments That Are Outside the Scope of This 
Rule

    One commenter requested that BIS clarify treatment of U.S.-origin 
chemical materials that are substantially transformed and exempt Japan 
and other like-minded countries from reexport controls. One commenter 
requested that BIS expand controls on missile production and drop Fiji 
from Country Group D:5. One commenter appended comments on a separate 
BIS proposed rule for which the comment period was already closed. One 
commenter stated that items classified under Export Control 
Classification Number 0A998 will no longer be subject to the EAR under 
the new note to Sec.  734.3(b)(3). One commenter requested that BIS 
drop the term ``serial'' from the definition of ``production,'' which 
was not revised by this rule. Although these comments are outside the 
scope of this rule and thus not addressed in this notice, BIS 
nonetheless encourages the

[[Page 35600]]

public to submit thoughts, suggestions, and comments to BIS about the 
EAR and the export control system. BIS cannot commit to addressing them 
in every case, but nonetheless encourages as much industry 
participation as possible in the development and drafting of the 
regulations.

Export Administration Act

    Since August 21, 2001, the Export Administration Act of 1979, as 
amended, has been in lapse. However, the President, through Executive 
Order 13222 of August 17, 2001, 3 CFR, 2001 Comp., p. 783 (2002), as 
amended by Executive Order 13637 of March 8, 2013, 78 FR 16129 (March 
13, 2013), and as extended by the Notice of August 7, 2015 (80 FR 48233 
(Aug. 11, 2015) has continued the EAR in effect under the International 
Emergency Economic Powers Act (50 U.S.C. 1701 et seq.). BIS continues 
to carry out the provisions of the Export Administration Act, as 
appropriate and to the extent permitted by law, pursuant to Executive 
Order 13222 as amended by Executive Order 13637.

Regulatory Requirements

    1. Executive Orders 13563 and 12866 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distribute impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This final rule has been designated a ``significant 
regulatory action,'' although not economically significant, under 
section 3(f) of Executive Order 12866. Accordingly, this final rule has 
been reviewed by the Office of Management and Budget (OMB).
    2. This final rule does not contain information collections subject 
to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501 et seq.) (PRA). Notwithstanding any other provision of law, no 
person is required to respond to, nor is subject to a penalty for 
failure to comply with, a collection of information, subject to the 
requirements of the PRA, unless that collection of information displays 
a currently valid OMB control number.
    3. This final rule does not contain policies with Federalism 
implications as that term is defined under E.O. 13132.
    4. Pursuant to the Regulatory Flexibility Act, as amended by the 
Small Business Regulatory Enforcement Fairness Act of 1996, 5 U.S.C. 
601 et seq., BIS has prepared the following final Regulatory 
Flexibility Act analysis of the impact that this final rule will have 
on small entities.

Statement of the Objectives of, and Legal Basis for, the Final Rule; 
Identification of All Relevant Federal Rules Which May Duplicate, 
Overlap, or Conflict With the Final Rule

    The objective of this final rule (and a final rule being published 
simultaneously by the Department of State) is to provide greater 
clarity and precision in the EAR and the ITAR by providing, where 
warranted and possible, common definitions and common terms to regulate 
the same types of actions and issues. This final rule also seeks to 
express some concepts more clearly.
    The final rule alters definitions in the EAR. It also updates and 
clarifies application of controls to electronically transmitted 
technology and software.
    The legal basis for this proposed rule is 50 U.S.C. 4601 et seq.; 
50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 
950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 
FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 
2001 Comp., p. 783; E.O. 13637, 78 FR 16129, 3 CFR, 2014 Comp., p. 223; 
Notice of August 7, 2015, 80 FR 48233 (August 11, 2015); Notice of 
November 12, 2015, 80 FR 70667 (November 13, 2015).
    No other Federal rules duplicate, overlap, or conflict with this 
final rule.

Comments in Response to the Initial Regulatory Flexibility Analysis

    BIS received one comment from the public in response to the Initial 
Regulatory Flexibility Analysis (IRFA). The comment stated that while 
the proposed regulatory text indicated that the extent to which release 
of access information could be a violation of the EAR was limited by 
whether the party acted with knowledge, text in the IRFA regarding the 
impact of this provision created tension by stating that other 
provisions in the EAR could be used to bring charges for that same type 
of misconduct. The comment requested that BIS provide clarification in 
the final rule. BIS addressed this comment by not adopting Sec.  
764.2(l), the provision that would have established the violation at 
issue in the final rule. The Chief Counsel for Advocacy of the Small 
Business Administration filed no comments in response to the proposed 
rule.

Number and Description of Small Entities to Which This Rule Will Apply

    This final rule will apply to all persons engaged in the export, 
reexport, or transfer of commodities, technology, or software subject 
to the EAR. BIS does not maintain data from which it can determine how 
many of those persons are small entities as identified in the Small 
Business Administration size standards. Nevertheless, BIS recognizes 
that some of those persons are likely to be small entities.

Description of the Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Final Rule

    This final rule is unlikely to increase the number of transactions 
that must be reported to BIS because EAR reporting requirements apply 
only in five specific situations, none of which will change as a result 
of this final rule. Those situations are: Exports of items on the 
Wassenaar Arrangement Sensitive List that do not require a license; 
Exports of High Performance Computers; Exports of certain thermal 
imaging cameras that do not require a license; Certain exports of 
Conventional Arms; and 600 series major defense equipment. Because 
recordkeeping requirements already apply to all transactions that are 
subject to the EAR, BIS expects that this final rule will not expand 
recordkeeping requirements.
    It is possible that some of these changes will increase the number 
of licenses that some small entities will have to seek from BIS, 
although BIS is not aware of any specific instance in which additional 
licenses will be required.
    The following discussion describes the changes made by this final 
rule. It is divided into two sections: Changes that BIS believes will 
not impose any new regulatory obligations; and Changes that are not 
intended to imposed any new regulatory obligation, but that BIS cannot 
state with certainty will not do so.

Changes That BIS Believes Will Not Impose Any New Regulatory Burden

    This final rule makes certain changes to clarify and streamline the 
definitions of comparable terms, phrases, and concepts between the EAR 
and the ITAR. Many of these changes are technical in nature and attempt 
to consolidate and re-phrase the definitions to enhance readability and 
to parallel the structure of the ITAR's definition of the same term. 
There are a small number of new provisions, but these changes do not 
impose any new regulatory burdens. Specifically, this final rule makes 
the following changes:

[[Page 35601]]

    Removes Sec.  734.2(b) which formerly defined export, reexport, 
release, transfer (in country) and export of encryption source code or 
object code software, because those terms are defined in separate 
sections. Section 734.2(b) also stated the policy of applying license 
requirements that apply to a country to its dependencies and 
possessions; this policy is currently stated elsewhere in the EAR.
    Creates new separate sections defining export, reexport, release 
and export of encryption source code or object code software. Those 
terms are clarified and presented in a more organized manner, but 
substantively unchanged from the former regulatory text.
    Creates a new section identifying activities that are not exports, 
reexports, or transfers. This section restates the transactions that 
are excluded from the definition of export in former regulatory text 
and adds two additional activities that are expressly declared not to 
be exports, reexports or transfers: Space launches; and sending, taking 
or storing certain technology or software abroad using specified 
cryptographic techniques. The former, although it was not included in 
past regulatory text, states an exclusion already set forth in a 
statute (see 51 U.S.C. 50919(f)) and is consistent with past BIS 
practice of not treating a space launch as an export, reexport or 
transfer. The latter is, in fact, new. However, by removing the 
transactions it describes from the definitions of exports, reexports, 
or transfers, it removes existing license requirements from those 
transactions.
    Clarifies without substantively changing the provisions related to 
patent applications and adds specific text stating that technology 
contained in a patent available from or at any patent office is not 
subject to the EAR. The addition reflects BIS's long-standing 
interpretation. To the extent that it could be characterized as new, 
its only effect would be to appear to release from the EAR technology 
that some readers of the EAR might have (erroneously) concluded was 
subject to the EAR.
    Adds text to License Exception TMP to emphasize that foreign 
subsidiaries of U.S. companies are neither U.S. employers nor ``U.S. 
persons or their employees'' as those terms are used in the license 
exception. This additional text adds no restriction that is not already 
imposed by the definition of ``U.S. persons'' that currently appears in 
the text of License Exception TMP.
    Adds text codifying in the EAR limits on transactions authorized by 
a license that currently are imposed by conditions on the license 
itself.
    Adds text specifying that to the extent an authorization would be 
required to transfer technology or software, a comparable authorization 
is required to transfer access information (e.g., decryption keys, 
network access codes, and passwords) with ``knowledge'' that such 
transfer would result in the unauthorized release of such technology or 
software.

Changes That Are Not Intended To Impose Any Regulatory Obligation, But 
That BIS Cannot State With Certainty Would Not Do So

    This final rule revises the definitions of the two existing terms 
``required'' and ``transfer (in-country).'' It also adopts BIS's 
interpretative guidance regarding deemed reexports as regulatory text. 
These changes are not intended to impose any regulatory obligations on 
regulated entities, but BIS cannot state with certainty that there will 
be no impact. This final rule makes the following changes:
    Adds to the EAR a definition of ``proscribed person.'' This 
definition does not create any new regulated class. It simply provides 
a clear, shorthand reference to a person who is already prohibited from 
receiving items or participating in a transaction that is subject to 
the EAR without authorization, such as persons on the Entity List.
    Removes from the definition of the term ``required'' references to 
CCL Categories 4, 5, 6 and 9 to accurately reflect BIS's long-standing 
interpretation that its definition applies wherever the EAR imposes a 
license requirement for technology ``required'' for a particular 
process or activity.
    In the definition of ``transfer (in-country),'' replaces the phrase 
``shipment, transmission, or release of items subject to the EAR from 
one person to another person that occurs outside the United States 
within a single foreign country'' with ``a change in end use or end 
user of an item within the same foreign country.'' This new text will 
parallel the term ``retransfer'' in the ITAR and will eliminate any 
potential ambiguity that a change in end use or end user within a 
foreign country is or is not a ``transfer (in-country).''
    Each of the foregoing changes serves the overall policy goals of 
reducing uncertainty and harmonizing, to the extent warranted and 
possible, the requirements of the ITAR and the EAR. In most instances, 
reduced uncertainty will be beneficial to persons who have to comply 
with the regulations, particularly persons who engage in transactions 
subject to both sets of regulations. They will be able to make 
decisions more quickly and have less need to contact BIS for advice. 
Additionally, by making these terms more explicit, the possibility of 
their being interpreted contrary to BIS's intent is reduced. Such 
contrary interpretations would have three undesirable effects. First, 
they would undermine the national security and foreign policy 
objectives that the EAR are intended to implement. Second, persons who 
are interpreting the regulations in a less restrictive manner than BIS 
intends may seek fewer licenses from BIS than their competitors who are 
interpreting the regulations consistent with BIS's intent or who are 
obtaining advice from BIS, thereby gaining a commercial advantage to 
the detriment of the relevant national security or foreign policy 
interests. Third, unnecessary regulatory complexity and unnecessary 
differences between the terminology of the ITAR and that of the EAR 
could discourage small entities from even attempting to export. The 
beneficial effects of making these terms more explicit justify the 
economic impact that might be incurred by small entities that will have 
to change their conduct because their contrary interpretations can no 
longer be relied on given the clearer and more explicit terms in the 
regulations.
    This final rule also adds to the EAR a description of activities 
that are not deemed reexports. This description formerly appeared as 
interpretative guidance on BIS's Web site and closely tracks the 
regulatory text of the ITAR. Deemed reexports are releases of 
technology or software source code within a single foreign country by a 
party located outside the United States to a national of a country 
other than the country in which the releasing party is located. The new 
section describes three situations in which that party may release the 
technology or source code without obtaining a license from BIS.
    By adopting this guidance as regulatory text that closely tracks 
the text governing the same activities in the ITAR, BIS reduces both 
complexity and unnecessary differences between the two sets of 
regulations with the salutary effects of faster decision making, 
reduced need to contact BIS for advice, and reduced possibility that 
small entities would be discouraged from exporting as noted above.

[[Page 35602]]

Description of Any Significant Alternatives to the Final Rule That 
Accomplish the Stated Objectives of Applicable Statutes and That 
Minimize Any Significant Economic Impact of the Final Rule on Small 
Entities

    As required by 5 U.S.C. 603(c), BIS's analysis considered 
significant alternatives. Those alternatives are: (1) The preferred 
alternative of altering definitions and updating and clarifying 
application of controls to electronically transmitted technology and 
software; (2) Maintaining the status quo and not revising the 
definitions or updating and clarifying application of controls to 
electronically transmitted technology and software; and (3) 
Establishing a size threshold below which entities would not be subject 
to the changes proposed by this rulemaking.
    By altering definitions and updating and clarifying application of 
controls to electronically transmitted technology and software as this 
final rule does, BIS reduces uncertainty for all parties engaged in 
transactions that are subject to the EAR. Potential ambiguities are 
reduced; decisions can be made more quickly; the need to contact BIS 
for advice is reduced; and the possibility of inconsistent 
interpretations providing one party commercial advantages over others 
is reduced. Persons (including small entities) engaged in transactions 
that are subject to the ITAR and transactions that are subject to the 
EAR face fewer actual or apparent inconsistencies that must be 
addressed in their regulatory compliance programs. Although small 
entities, along with all other parties, will need to become familiar 
with the revised terminology, in the long run, compliance costs are 
likely to be reduced when compared to the present situation where the 
ITAR and the EAR use different terminology to regulate the same types 
of activity in the same manner. Therefore, BIS adopted this 
alternative.
    If BIS had chosen to maintain the status quo, small entities and 
other parties would not have to incur the cost and effort of becoming 
familiar with the revised regulations, and any party who was 
interpreting the regulations in a way that would clearly be precluded 
by the more explicit interpretations would not incur the cost of 
complying with the regulations consistent with their underlying intent 
and in the way that BIS believes most regulated parties do. However, 
the benefits of these proposed changes would be lost. Those benefits, 
greater clarity, consistency between the ITAR and the EAR, and reduced 
possibility of inconsistent application of the regulations by similarly 
situated regulated parties, would be foregone. Therefore, BIS has not 
adopted this alternative.
    If BIS had chosen to create a size threshold exempting small 
entities as currently defined by the SBA size standards from the 
changes imposed by this final rule, those entities would face a more 
complicated regulatory environment than larger entities. The small 
entities would continue to be subject to the EAR as a whole but without 
the benefit of the clarifications introduced by this final rule. The 
only way to make a size threshold beneficial to entities falling below 
the threshold would be to exempt them from all or at least many of the 
requirements of the EAR. However, doing so would create a major 
loophole allowing commodities, software, and technology that are 
controlled for export for national security or foreign policy reasons 
to go, without restriction, to any party abroad, undermining the 
interests that the regulations are intended to protect. Therefore, BIS 
has not adopted this alternative.

List of Subjects

15 CFR Parts 734 and 772

    Exports.

15 CFR Parts 740 and 750

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

    For the reasons stated in the preamble, parts 734, 740, 750, and 
772 of the Export Administration Regulations (15 CFR subchapter C) are 
amended as follows:

PART 734--SCOPE OF THE EXPORT ADMINISTRATION REGULATIONS

0
1. The authority citation for part 734 continues to read as follows:

    Authority:  50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; E.O. 
12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 
54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 
783; E.O. 13637, 78 FR 16129, 3 CFR, 2014 Comp., p. 223; Notice of 
August 7, 2015, 80 FR 48233 (August 11, 2015); Notice of November 
12, 2015, 80 FR 70667 (November 13, 2015).

0
2. Section 734.2 is amended by revising the heading to read as follows 
and by removing and reserving paragraph (b).


Sec.  734.2  Subject to the EAR.

* * * * *

0
3. Section 734.3 is amended by revising paragraph (b) introductory 
text, paragraph (b)(3), the Note to paragraphs (b)(2) and (b)(3), and 
adding a Note to paragraph (b)(3) to read as follows.


Sec.  734.3  Items subject to the EAR.

* * * * *
    (b) The following are not subject to the EAR:
* * * * *
    (3) Information and ``software'' that:
    (i) Are published, as described in Sec.  734.7;
    (ii) Arise during, or result from, fundamental research, as 
described in Sec.  734.8;
    (iii) Are released by instruction in a catalog course or associated 
teaching laboratory of an academic institution;
    (iv) Appear in patents or open (published) patent applications 
available from or at any patent office, unless covered by an invention 
secrecy order, or are otherwise patent information as described in 
Sec.  734.10;
    (v) Are non-proprietary system descriptions; or
    (vi) Are telemetry data as defined in Note 2 to Category 9, Product 
Group E (see Supplement No. 1 to part 774 of the EAR).

    Note to paragraphs (b)(2) and (b)(3): A printed book or other 
printed material setting forth encryption source code is not itself 
subject to the EAR (see Sec.  734.3(b)(2)). However, notwithstanding 
Sec.  734.3(b)(2), encryption source code in electronic form or 
media (e.g., computer diskette or CD ROM) remains subject to the EAR 
(see Sec.  734.17)). Publicly available encryption object code 
``software'' classified under ECCN 5D002 is not subject to the EAR 
when the corresponding source code meets the criteria specified in 
Sec.  740.13(e) of the EAR.


    Note to paragraph (b)(3): Except as set forth in part 760 of 
this title, information that is not within the scope of the 
definition of ``technology'' (see Sec.  772.1 of the EAR) is not 
subject to the EAR.

* * * * *

0
4. Section 734.7 is revised to read as follows:


Sec.  734.7  Published.

    (a) Except as set forth in paragraph (b) of this section, 
unclassified ``technology'' or ``software'' is ``published,'' and is 
thus not ``technology'' or ``software'' subject to the EAR, when it has 
been made available to the public without restrictions upon its further 
dissemination such as through any of the following:
    (1) Subscriptions available without restriction to any individual 
who desires to obtain or purchase the published information;
    (2) Libraries or other public collections that are open and 
available

[[Page 35603]]

to the public, and from which the public can obtain tangible or 
intangible documents;
    (3) Unlimited distribution at a conference, meeting, seminar, trade 
show, or exhibition, generally accessible to the interested public;
    (4) Public dissemination (i.e., unlimited distribution) in any form 
(e.g., not necessarily in published form), including posting on the 
Internet on sites available to the public; or
    (5) Submission of a written composition, manuscript, presentation, 
computer-readable dataset, formula, imagery, algorithms, or some other 
representation of knowledge with the intention that such information 
will be made publicly available if accepted for publication or 
presentation:
    (i) To domestic or foreign co-authors, editors, or reviewers of 
journals, magazines, newspapers or trade publications;
    (ii) To researchers conducting fundamental research; or
    (iii) To organizers of open conferences or other open gatherings.
    (b) Published encryption software classified under ECCN 5D002 
remains subject to the EAR unless it is publicly available encryption 
object code software classified under ECCN 5D002 and the corresponding 
source code meets the criteria specified in Sec.  740.13(e) of the EAR.

0
5. Section 734.8 is revised to read as follows:


Sec.  734.8  ``Technology'' or ``software'' that arises during, or 
results from, fundamental research.

    (a) Fundamental research. ``Technology'' or ``software'' that 
arises during, or results from, fundamental research and is intended to 
be published is not subject to the EAR.

    Note 1 to paragraph (a): This paragraph does not apply to 
``technology'' or ``software'' subject to the EAR that is released 
to conduct fundamental research. (See Sec.  734.7(a)(5)(ii) for 
information released to researchers that is ``published.'')


    Note 2 to paragraph (a): There are instances in the conduct of 
research where a researcher, institution or company may decide to 
restrict or protect the release or publication of ``technology'' or 
``software'' contained in research results. Once a decision is made 
to maintain such ``technology'' or ``software'' as restricted or 
proprietary, the ``technology'' or ``software,'' if within the scope 
of Sec.  734.3(a), becomes subject to the EAR.

    (b) Prepublication review. ``Technology'' or ``software'' that 
arises during, or results, from fundamental research is intended to be 
published to the extent that the researchers are free to publish the 
``technology'' or ``software'' contained in the research without 
restriction. ``Technology'' or ``software'' that arises during or 
results from fundamental research subject to prepublication review is 
still intended to be published when:
    (1) Prepublication review is conducted solely to ensure that 
publication would not compromise patent rights, so long as the review 
causes no more than a temporary delay in publication of the research 
results;
    (2) Prepublication review is conducted by a sponsor of research 
solely to insure that the publication would not inadvertently divulge 
proprietary information that the sponsor has furnished to the 
researchers; or
    (3) With respect to research conducted by scientists or engineers 
working for a Federal agency or a Federally Funded Research and 
Development Center (FFRDC), the review is conducted within any 
appropriate system devised by the agency or the FFRDC to control the 
release of information by such scientists and engineers.

    Note 1 to paragraph (b): Although ``technology'' or ``software'' 
arising during or resulting from fundamental research is not 
considered intended to be published if researchers accept 
restrictions on its publication, such ``technology'' or ``software'' 
will nonetheless qualify as ``technology'' or ``software'' arising 
during or resulting from fundamental research once all such 
restrictions have expired or have been removed.


    Note 2 to paragraph (b):  Research that is voluntarily subjected 
to U.S. government prepublication review is considered ``intended to 
be published'' when the research is released consistent with the 
prepublication review and any resulting controls.


    Note 3 to paragraph (b): ``Technology'' or ``software'' 
resulting from U.S. government funded research that is subject to 
government-imposed access and dissemination or other specific 
national security controls qualifies as ``technology'' or 
``software'' resulting from fundamental research, provided that all 
government-imposed national security controls have been satisfied 
and the researchers are free to publish the ``technology'' or 
``software'' contained in the research without restriction. Examples 
of specific national security controls include requirements for 
prepublication review by the Government, with right to withhold 
permission for publication; restrictions on prepublication 
dissemination of information to non-U.S. citizens or other 
categories of persons; or restrictions on participation of non-U.S. 
citizens or other categories of persons in the research. A general 
reference to one or more export control laws or regulations or a 
general reminder that the Government retains the right to classify 
is not a specific national security control.

    (c) Fundamental research definition. Fundamental research means 
research in science, engineering, or mathematics, the results of which 
ordinarily are published and shared broadly within the research 
community, and for which the researchers have not accepted restrictions 
for proprietary or national security reasons.


Sec.  734.9--[Removed  and Reserved]

0
6. Section 734.9 is removed and reserved.

0
7. Section 734.10 is revised to read as follows:


Sec.  734.10  Patents.

    ``Technology'' is not subject to the EAR if it is contained in any 
of the following:
    (a) A patent or an open (published) patent application available 
from or at any patent office;
    (b) A published patent or patent application prepared wholly from 
foreign-origin ``technology'' where the application is being sent to 
the foreign inventor to be executed and returned to the United States 
for subsequent filing in the U.S. Patent and Trademark Office;
    (c) A patent application, or an amendment, modification, supplement 
or division of an application, and authorized for filing in a foreign 
country in accordance with the regulations of the Patent and Trademark 
Office, 37 CFR part 5; or
    (d) A patent application when sent to a foreign country before or 
within six months after the filing of a United States patent 
application for the purpose of obtaining the signature of an inventor 
who was in the United States when the invention was made or who is a 
co-inventor with a person residing in the United States.


Sec.  734.11--[Removed  and Reserved]

0
8. Section 734.11 is removed and reserved.

0
9. Section 734.13 is added to read as follows:


Sec.  734.13  Export.

    (a) Except as set forth in Sec. Sec.  734.17 or 734.18, Export 
means:
    (1) An actual shipment or transmission out of the United States, 
including the sending or taking of an item out of the United States, in 
any manner;
    (2) Releasing or otherwise transferring ``technology'' or source 
code (but not object code) to a foreign person in the United States (a 
``deemed export'');

[[Page 35604]]

    (3) Transferring by a person in the United States of registration, 
control, or ownership of:
    (i) A spacecraft subject to the EAR that is not eligible for export 
under License Exception STA (i.e., spacecraft that provide space-based 
logistics, assembly or servicing of any spacecraft) to a person in or a 
national of any other country; or
    (ii) Any other spacecraft subject to the EAR to a person in or a 
national of a Country Group D:5 country.
    (b) Any release in the United States of ``technology'' or source 
code to a foreign person is a deemed export to the foreign person's 
most recent country of citizenship or permanent residency.
    (c) The export of an item that will transit through a country or 
countries to a destination identified in the EAR is deemed to be an 
export to that destination.

0
10. Section 734.14 is added to read as follows:


Sec.  734.14  Reexport.

    (a) Except as set forth in Sec. Sec.  734.18 and 734.20, Reexport 
means:
    (1) An actual shipment or transmission of an item subject to the 
EAR from one foreign country to another foreign country, including the 
sending or taking of an item to or from such countries in any manner;
    (2) Releasing or otherwise transferring ``technology'' or source 
code subject to the EAR to a foreign person of a country other than the 
foreign country where the release or transfer takes place (a deemed 
reexport);
    (3) Transferring by a person outside the United States of 
registration, control, or ownership of:
    (i) A spacecraft subject to the EAR that is not eligible for 
reexport under License Exception STA (i.e., spacecraft that provide 
space-based logistics, assembly or servicing of any spacecraft) to a 
person in or a national of any other country; or
    (ii) Any other spacecraft subject to the EAR to a person in or a 
national of a Country Group D:5 country.
    (b) Any release outside of the United States of ``technology'' or 
source code subject to the EAR to a foreign person of another country 
is a deemed reexport to the foreign person's most recent country of 
citizenship or permanent residency, except as described in Sec.  
734.20.
    (c) The reexport of an item subject to the EAR that will transit 
through a country or countries to a destination identified in the EAR 
is deemed to be a reexport to that destination.

0
11. Section 734.15 is added to read as follows:


Sec.  734.15  Release.

    (a) Except as set forth in Sec.  734.18, ``technology'' and 
``software'' are ``released'' through:
    (1) Visual or other inspection by a foreign person of items that 
reveals ``technology'' or source code subject to the EAR to a foreign 
person; or
    (2) Oral or written exchanges with a foreign person of 
``technology'' or source code in the United States or abroad.
    (b) Any act causing the ``release'' of ``technology'' or 
``software,'' through use of ``access information'' or otherwise, to 
yourself or another person requires an authorization to the same extent 
an authorization would be required to export or reexport such 
``technology'' or ``software'' to that person.

0
12. Section 734.16 is added to read as follows:


Sec.  734.16  Transfer (in-country).

    Except as set forth in Sec.  734.18(a)(3), a Transfer (in-country) 
is a change in end use or end user of an item within the same foreign 
country. Transfer (in-country) is synonymous with In-country transfer.

0
13. Section 734.17 is added to read as follows:


Sec.  734.17  Export of encryption source code and object code 
software.

    (a) For purposes of the EAR, the Export of encryption source code 
and object code ``software'' means:
    (1) An actual shipment, transfer, or transmission out of the United 
States (see also paragraph (b) of this section); or
    (2) A transfer of such ``software'' in the United States to an 
embassy or affiliate of a foreign country.
    (b) The export of encryption source code and object code 
``software'' controlled for ``EI'' reasons under ECCN 5D002 on the 
Commerce Control List (see Supplement No. 1 to part 774 of the EAR) 
includes:
    (1) Downloading, or causing the downloading of, such ``software'' 
to locations (including electronic bulletin boards, Internet file 
transfer protocol, and World Wide Web sites) outside the U.S., or
    (2) Making such ``software'' available for transfer outside the 
United States, over wire, cable, radio, electromagnetic, photo optical, 
photoelectric or other comparable communications facilities accessible 
to persons outside the United States, including transfers from 
electronic bulletin boards, Internet file transfer protocol and World 
Wide Web sites, unless the person making the ``software'' available 
takes precautions adequate to prevent unauthorized transfer of such 
code. See Sec.  740.13(e) of the EAR for notification requirements for 
exports or reexports of encryption source code ``software'' considered 
to be publicly available or published consistent with the provisions of 
Sec.  734.3(b)(3). Publicly available encryption ``software'' in object 
code that corresponds to encryption source code made eligible for 
License Exception TSU under Sec.  740.13(e) of the EAR is not subject 
to the EAR.
    (c) Subject to the General Prohibitions described in part 736 of 
the EAR, such precautions for Internet transfers of products eligible 
for export under Sec.  740.17(b)(2) of the EAR (encryption ``software'' 
products, certain encryption source code and general purpose encryption 
toolkits) shall include such measures as:
    (1) The access control system, either through automated means or 
human intervention, checks the address of every system outside of the 
U.S. or Canada requesting or receiving a transfer and verifies such 
systems do not have a domain name or Internet address of a foreign 
government end-user (e.g., ``.gov,'' ``.gouv,'' ``.mil'' or similar 
addresses);
    (2) The access control system provides every requesting or 
receiving party with notice that the transfer includes or would include 
cryptographic ``software'' subject to export controls under the Export 
Administration Regulations, and anyone receiving such a transfer cannot 
export the ``software'' without a license or other authorization; and
    (3) Every party requesting or receiving a transfer of such 
``software'' must acknowledge affirmatively that the ``software'' is 
not intended for use by a government end user, as defined in part 772 
of the EAR, and he or she understands the cryptographic ``software'' is 
subject to export controls under the Export Administration Regulations 
and anyone receiving the transfer cannot export the ``software'' 
without a license or other authorization. BIS will consider 
acknowledgments in electronic form provided they are adequate to assure 
legal undertakings similar to written acknowledgments.

0
14. Section 734.18 is added to read as follows:


Sec.  734.18  Activities that are not exports, reexports, or transfers.

    (a) Activities that are not exports, reexports, or transfers. The 
following activities are not exports, reexports, or transfers:
    (1) Launching a spacecraft, launch vehicle, payload, or other item 
into space.

[[Page 35605]]

    (2) Transmitting or otherwise transferring ``technology'' or 
``software'' to a person in the United States who is not a foreign 
person from another person in the United States.
    (3) Transmitting or otherwise making a transfer (in-country) within 
the same foreign country of ``technology'' or ``software'' between or 
among only persons who are not ``foreign persons,'' so long as the 
transmission or transfer does not result in a release to a foreign 
person or to a person prohibited from receiving the ``technology'' or 
``software.''
    (4) Shipping, moving, or transferring items between or among the 
United States, the District of Columbia, the Commonwealth of Puerto 
Rico, or the Commonwealth of the Northern Mariana Islands or any 
territory, dependency, or possession of the United States as listed in 
Schedule C, Classification Codes and Descriptions for U.S. Export 
Statistics, issued by the Bureau of the Census.
    (5) Sending, taking, or storing ``technology'' or ``software'' that 
is:
    (i) Unclassified;
    (ii) Secured using `end-to-end encryption;'
    (iii) Secured using cryptographic modules (hardware or 
``software'') compliant with Federal Information Processing Standards 
Publication 140-2 (FIPS 140-2) or its successors, supplemented by 
``software'' implementation, cryptographic key management and other 
procedures and controls that are in accordance with guidance provided 
in current U.S. National Institute for Standards and Technology 
publications, or other equally or more effective cryptographic means; 
and
    (iv) Not intentionally stored in a country listed in Country Group 
D:5 (see Supplement No. 1 to part 740 of the EAR) or in the Russian 
Federation.

    Note to paragraph (a)(4)(iv): Data in-transit via the Internet 
is not deemed to be stored.

    (b) Definitions. For purposes of this section, End-to-end 
encryption means (i) the provision of cryptographic protection of data 
such that the data is not in unencrypted form between an originator (or 
the originator's in-country security boundary) and an intended 
recipient (or the recipient's in-country security boundary), and (ii) 
the means of decryption are not provided to any third party. The 
originator and the recipient may be the same person.
    (c) Ability to access ``technology'' or ``software'' in encrypted 
form. The ability to access ``technology'' or ``software'' in encrypted 
form that satisfies the criteria set forth in paragraph (a)(5) of this 
section does not constitute the release or export of such 
``technology'' or ``software.''

0
15. Section 734.19 is added to read as follows:


Sec.  734.19  Transfer of access information.

    To the extent an authorization would be required to transfer 
``technology'' or ``software,'' a comparable authorization is required 
to transfer access information if done with ``knowledge'' that such 
transfer would result in the release of such ``technology'' or 
``software'' without a required authorization.

0
16. Section 734.20 is added to read as follows:


Sec.  734.20  Activities that are not deemed reexports.

    The following activities are not deemed reexports (see ``deemed 
reexport'' definition in Sec.  734.14(b)):
    (a) Authorized Release of ``technology'' or source code. Release of 
``technology'' or source code by an entity outside the United States to 
a foreign person of a country other than the foreign country where the 
release takes place if:
    (1) The entity is authorized to receive the ``technology'' or 
source code at issue, whether by a license, license exception, or 
situation where no license is required under the EAR for such 
``technology'' or source code; and
    (2) The entity has ``knowledge'' that the foreign national's most 
recent country of citizenship or permanent residency is that of a 
country to which export from the United States of the ``technology'' or 
source code at issue would be authorized by the EAR either under a 
license exception or in situations where no license under the EAR would 
be required.
    (b) Release to Country Group A:5 nationals. Without limiting the 
scope of paragraph (a), release of ``technology'' or source code by an 
entity outside the United States to a foreign person of a country other 
than the foreign country where the release takes place if:
    (1) The entity is authorized to receive the ``technology'' or 
source code at issue, whether by a license, license exception, or 
through situations where no license is required under the EAR;
    (2) The foreign person is a bona fide `permanent and regular 
employee' of the entity and is not a proscribed person (see Sec.  772.1 
for definition of proscribed person);
    (3) Such employee is a national exclusively of a country in Country 
Group A:5; and
    (4) The release of ``technology'' or source code takes place 
entirely within the physical territory of any such country, or within 
the United States.
    (c) Release to other than Country Group A:5 nationals. Without 
limiting the scope of paragraph (a), release of ``technology'' or 
source code by an entity outside the United States to a foreign person 
of a country other than the foreign country where the release takes 
place if:
    (1) The entity is authorized to receive the ``technology'' or 
source code at issue, whether by a license, license exception, or 
situations where no license is required under the EAR;
    (2) The foreign person is a bona fide `permanent and regular 
employee' of the entity and is not a proscribed person (see Sec.  772.1 
for definition of proscribed person);
    (3) The release takes place entirely within the physical territory 
of the country where the entity is located, conducts official business, 
or operates, or within the United States;
    (4) The entity has effective procedures to prevent diversion to 
destinations, entities, end users, and end uses contrary to the EAR; 
and
    (5) Any one of the following six (i.e., paragraphs (c)(5)(i), (ii), 
(iii), (iv), (v), or (vi) of this section) situations is applicable:
    (i) The foreign person has a security clearance approved by the 
host nation government of the entity outside the United States;
    (ii) The entity outside the United States:
    (A) Has in place a process to screen the foreign person employee 
and to have the employee execute a non-disclosure agreement that 
provides assurances that the employee will not disclose, transfer, or 
reexport controlled ``technology'' contrary to the EAR;
    (B) Screens the employee for substantive contacts with countries 
listed in Country Group D:5 (see Supplement No. 1 to part 740 of the 
EAR). Although nationality does not, in and of itself, prohibit access 
to ``technology'' or source code subject to the EAR, an employee who 
has substantive contacts with foreign persons from countries listed in 
Country Group D:5 shall be presumed to raise a risk of diversion, 
unless BIS determines otherwise;
    (C) Maintains a technology security or clearance plan that includes 
procedures for screening employees for such substantive contacts;
    (D) Maintains records of such screenings for the longer of five 
years or the duration of the individual's employment with the entity; 
and
    (E) Will make such plans and records available to BIS or its agents 
for civil

[[Page 35606]]

and criminal law enforcement purposes upon request;
    (iii) The entity is a U.K. entity implementing Sec.  126.18 of the 
ITAR (22 CFR 126.18) pursuant to the U.S.-U.K. Exchange of Notes 
regarding Sec.  126.18 of the ITAR for which the U.K. has provided 
appropriate implementation guidance;
    (iv) The entity is a Canadian entity implementing Sec.  126.18 of 
the ITAR pursuant to the U.S.-Canadian Exchange of Letters regarding 
Sec.  126.18 of the ITAR for which Canada has provided appropriate 
implementation guidance;
    (v) The entity is an Australian entity implementing the exemption 
at paragraph 3.7b of the ITAR Agreements Guidelines; or
    (vi) The entity is a Dutch entity implementing the exemption at 
paragraph 3.7c of the ITAR Agreements Guidelines.
    (d) Definitions--(1) Substantive contacts include regular travel to 
countries in Country Group D:5; recent or continuing contact with 
agents, brokers, and nationals of such countries; continued 
demonstrated allegiance to such countries; maintenance of business 
relationships with persons from such countries; maintenance of a 
residence in such countries; receiving salary or other continuing 
monetary compensation from such countries; or acts otherwise indicating 
a risk of diversion.
    (2) Permanent and regular employee is an individual who:
    (i) Is permanently (i.e., for not less than a year) employed by an 
entity, or
    (ii) Is a contract employee who:
    (A) Is in a long-term contractual relationship with the company 
where the individual works at the entity's facilities or at locations 
assigned by the entity (such as a remote site or on travel);
    (B) Works under the entity's direction and control such that the 
company must determine the individual's work schedule and duties;
    (C) Works full time and exclusively for the entity; and
    (D) Executes a nondisclosure certification for the company that he 
or she will not disclose confidential information received as part of 
his or her work for the entity.

    Note to paragraph (d)(2): If the contract employee has been 
seconded to the entity by a staffing agency, then the staffing 
agency must not have any role in the work the individual performs 
other than to provide the individual for that work. The staffing 
agency also must not have access to any controlled ``technology'' or 
source code other than that authorized by the applicable regulations 
or a license.

Supplement No. 1 to Part 734 [Removed and Reserved]

0
17. Supplement No. 1 to part 734 is removed and reserved.

PART 740-- LICENSE EXCEPTIONS

0
18. The authority citation for part 740 continues to read as follows:

    Authority: 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; 22 
U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 
228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of 
August 7, 2015, 80 FR 48233 (August 11, 2015).

0
19. In Sec.  740.9, paragraph (a)(3) is revised to read as follows:


Sec.  740.9  Temporary imports, exports, reexports, and transfers (in-
country) (TMP).

* * * * *
    (a) * * *
    (3) ``Technology,'' regardless of media or format, may be exported, 
reexported, or transferred (in-country) by or to a U.S. person, or a 
foreign person employee of a U.S. person traveling or on temporary 
assignment abroad, subject to the following restrictions:
    (i) Foreign persons may only export, reexport, transfer (in 
country) or receive such ``technology'' as they are authorized to 
receive through a license, license exception other than TMP or because 
no license is required.
    (ii) ``Technology'' exported, reexported, or transferred under this 
authorization may only be possessed or used by a U.S. person or 
authorized foreign person. Sufficient security precautions must be 
taken to prevent the unauthorized release of the ``technology.'' Such 
security precautions may include encryption of the ``technology,'' the 
use of secure network connections, such as Virtual Private Networks, 
the use of passwords or other access restrictions on the electronic 
device or media on which the ``technology'' is stored, and the use of 
firewalls and other network security measures to prevent unauthorized 
access.
    (iii) The individual is an employee of the U.S. Government or is 
directly employed by a U.S. person and not, e.g., by a foreign 
subsidiary.
    (iv) ``Technology'' authorized under this exception may not be used 
for foreign production purposes or for technical assistance unless 
authorized through a license or license exception other than TMP.
* * * * *

PART 750--APPLICATION PROCESSING, ISSUANCE, AND DENIAL

0
20. The authority citation for 15 CFR part 750 continues to read as 
follows:

    Authority: 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; Sec 
1503, Pub. L. 108-11, 117 Stat. 559; E.O. 13026, 61 FR 58767, 3 CFR, 
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 
783; E.O. 13637, 78 FR 16129, 3 CFR, 2013 Comp., p. 223; 
Presidential Determination 2003-23, 68 FR 26459, 3 CFR, 2004 Comp., 
p. 320; Notice of August 7, 2015, 80 FR 48233 (August 11, 2015).

0
21. Section 750.7 is amended by revising paragraph (a) to read as 
follows:


Sec.  750.7  Issuance of licenses.

    (a) Scope. Unless limited by a condition set out in a license, the 
export, reexport, or transfer (in-country) authorized by a license is 
for the item(s), end-use(s), and parties described in the license 
application and any letters of explanation. The applicant must inform 
the other parties identified on the license, such as the ultimate 
consignees and end users, of the license's scope and of the specific 
conditions applicable to them. BIS grants licenses in reliance on 
representations the applicant made in or submitted in connection with 
the license application, letters of explanation, and other documents 
submitted. A BIS license authorizing the release of ``technology'' to 
an entity also authorizes the release of the same ``technology'' to the 
entity's foreign persons who are permanent and regular employees (and 
who are not proscribed persons) of the entity's facility or facilities 
authorized on the license, except to the extent a license condition 
limits or prohibits the release of the ``technology'' to foreign 
persons of specific countries or country groups.
* * * * *

PART 772--DEFINITIONS OF TERMS

0
22. The authority citation for part 772 continues to read as follows:

    Authority: 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; E.O. 
13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 
2015, 80 FR 48233 (August 11, 2015).

0
23. Section 772.1 is amended by:
0
a. Adding in alphabetical order a definition for ``Access 
information'';
0
b. Revising the definition of ``Export'';
0
c. Adding in alphabetical order definitions for ``Foreign person,'' 
``Fundamental research,'' ``Proscribed person,'' and ``Publicly 
available encryption software'';
0
d. Removing the definitions of ``Publicly available information'' and

[[Page 35607]]

``Publicly available technology and software'';
0
e. Adding in alphabetical order a definition for ``Published'';
0
f. Revising the definition of ``Reexport'';
0
g. Adding in alphabetical order a definition for ``Release'';
0
h. Revising the definition of ``Required'';
0
i. Removing the definition of ``Technical data''; and
0
j. Revising the definitions of ``Technology,'' and ``Transfer.''
    The revisions and additions read as follows:


Sec.  772.1  Definitions of terms as used in the Export Administration 
Regulations (EAR).

* * * * *
    Access information. Information that allows access to encrypted 
technology or encrypted software in an unencrypted form. Examples 
include decryption keys, network access codes, and passwords.
* * * * *
    Export. See Sec.  734.13 of the EAR.
* * * * *
    Foreign person. Any natural person who is not a lawful permanent 
resident of the United States, citizen of the United States, or any 
other protected individual as defined by 8 U.S.C. 1324b(a)(3). It also 
means any corporation, business association, partnership, trust, 
society or any other entity or group that is not incorporated in the 
United States or organized to do business in the United States, as well 
as international organizations, foreign governments and any agency or 
subdivision of a foreign government (e.g., diplomatic mission). 
``Foreign person'' is synonymous with ``foreign national,'' as used in 
the EAR, and ``foreign person'' as used in the International Traffic in 
Arms Regulations (22 CFR 120.16). This definition does not apply to 
part 760 of the EAR (Restrictive Trade Practices or Boycotts).
* * * * *
    Fundamental research. See Sec.  734.8 of the EAR.
* * * * *
    Proscribed person. A person who is prohibited from receiving the 
items at issue or participating in a transaction that is subject to the 
EAR without authorization under the EAR, such as persons on the Entity 
List or denied persons.
    Publicly available encryption software. See Sec.  740.13(e) of the 
EAR.
    Published. See Sec.  734.7 of the EAR.
* * * * *
    Reexport. See Sec.  734.14 of the EAR.
    Release. See Sec.  734.15 of the EAR.
* * * * *
    Required. (General Technology Note) --As applied to ``technology'' 
or ``software,'' refers to only that portion of ``technology'' or 
``software'' which is peculiarly responsible for achieving or exceeding 
the controlled performance levels, characteristics or functions. Such 
``required'' ``technology'' or ``software'' may be shared by different 
products. For example, assume product ``X'' is controlled on the CCL if 
it operates at or above 400 MHz and is not controlled if it operates 
below 400 MHz. If production technologies ``A,'' ``B,'' and ``C'' allow 
production at no more than 399 MHz, then technologies ``A,'' ``B,'' and 
``C'' are not ``required'' to produce the controlled product ``X''. If 
technologies ``A,'' ``B,'' ``C,'' ``D,'' and ``E'' are used together, a 
manufacturer can produce product ``X'' that operates at or above 400 
MHz. In this example, technologies ``D'' and ``E'' are peculiarly 
responsible for making the controlled product and are thus ``required'' 
technology under the General Technology Note. (See the General 
Technology Note.)

    Note 1 to the definition of Required:  The ITAR and the EAR 
often divide within each set of regulations or between each set of 
regulations:
    (a) Controls on parts, components, accessories, attachments, and 
software; and
    (b) Controls on the end items, systems, equipment, or other 
items into which those parts, components, accessories, attachments, 
and software are to be installed or incorporated.


    Note 2 to the definition of Required:  The references to 
``characteristics'' and ``functions'' are not limited to entries on 
the CCL that use specific technical parameters to describe the scope 
of what is controlled. The ``characteristics'' and ``functions'' of 
an item listed are, absent a specific regulatory definition, a 
standard dictionary's definition of the item. For example, ECCN 
9A610.a controls military aircraft specially designed for a military 
use that are not enumerated in USML paragraph VIII(a). No 
performance level is identified in the entry, but the control 
characteristic of the aircraft is that it is specially designed 
``for military use.'' Thus, any technology, regardless of 
significance, peculiar to making an aircraft ``for military use'' as 
opposed to, for example, an aircraft controlled under ECCN 9A991.a, 
would be technical data ``required'' for an aircraft specially 
designed for military use thus controlled under ECCN 9E610.


    Note 3 to the definition of Required:  Unclassified technology 
not specifically enumerated on the USML is ``subject to the EAR'' if 
it is ``required'' for the ``development,'' ``production,'' ``use,'' 
operation, installation, maintenance, repair, overhaul, or 
refurbishing (or other terms specified in ECCNs on the CCL that 
control ``technology'') of a commodity or software that is subject 
to the EAR. Thus, for example, if unclassified technology not 
specifically enumerated on the USML is ``required'' for the 
development or production of a 9A610.x aircraft component that is to 
be integrated or installed in a USML VIII(a) aircraft, then the 
``technology'' is controlled under ECCN 9E610, not USML VIII(i). 
Conversely, technical data directly related to, for example, the 
development or production of a component subject to the ITAR does 
not become subject to the EAR merely because it is developed or 
produced with equipment subject to the EAR.

* * * * *
    Technology. Technology means:
    Information necessary for the ``development,'' ``production,'' 
``use,'' operation, installation, maintenance, repair, overhaul, or 
refurbishing (or other terms specified in ECCNs on the CCL that control 
``technology'') of an item.
    N.B.: Controlled ``technology'' is defined in the General 
Technology Note and in the Commerce Control List (Supplement No. 1 to 
part 774 of the EAR).

    Note 1 to definition of Technology:  ``Technology'' may be in 
any tangible or intangible form, such as written or oral 
communications, blueprints, drawings, photographs, plans, diagrams, 
models, formulae, tables, engineering designs and specifications, 
computer-aided design files, manuals or documentation, electronic 
media or information revealed through visual inspection;


    Note 2 to definition of Technology:  The modification of the 
design of an existing item creates a new item and technology for the 
modified design is technology for the development or production of 
the new item.

* * * * *
    Transfer. A shipment, transmission, or release of items subject to 
the EAR either within the United States or outside the United States. 
For In-country transfer/Transfer (in-country), see Sec.  734.16 of the 
EAR.

    Note to definition of Transfer:  This definition of ``transfer'' 
does not apply to Sec.  750.10 of the EAR or Supplement No. 8 to 
part 760 of the EAR. The term ``transfer'' may also be included on 
licenses issued by BIS. In that regard, the changes that can be made 
to a BIS license are the non-material changes described in Sec.  
750.7(c) of the EAR. Any other change to a BIS license without 
authorization is a violation of the EAR. See Sec. Sec.  750.7(c) and 
764.2(e) of the EAR.

* * * * *


[[Page 35608]]


    Dated: May 23, 2016.
Kevin J. Wolf,
Assistant Secretary for Export Administration.
[FR Doc. 2016-12734 Filed 6-2-16; 8:45 am]
 BILLING CODE 3510-33-P