QuickCounsel
EU Export Regulations for Dual Purpose Goods
By John Menton, Arthur Cox, Ireland
Maury Shenk and David Lorello, Steptoe & Johnson, London
Joseph A. Vicario, Senior Counsel, Texas Instruments
Overview
What Constitutes an "Export" From the EU?
Licensing Regime in the EU – Some Highlights
Potential Pitfalls – Case Study
Voluntary Disclosure
Conclusion
Additional Resources
Overview
The European Union, like most countries/jurisdictions, has a variety of regulations governing the export of certain products and technologies. Broadly speaking these regulations control:
• Exports of dual-use goods (i.e. goods with both a military and civilian use);
• Exports of military goods; and
• Exports to countries that are subject to a UN/EU trade embargo.
This brief article focuses on dual-use controls.
EU dual-use export controls apply to the export of goods from the EU by subsidiaries of United States corporations. Without an understanding of EU export controls, a U.S. corporation risks inadvertent violations, even if it is otherwise in compliance with U.S. laws. Problems can occur in unlikely circumstances. In particular, there can be a difference in approach between the practical implementation of the U.S. and EU dual-use on the same products. A sample case study is set out below that highlights a key difference between EU and U.S. export controls as they apply to the export of certain encryption products that are controlled by the EU dual-use controls.
The EU-wide Dual-Use Regulation sets out the framework of EU dual-use controls and the list of controlled goods, but practical implementation of the controls is dealt with on a country-by-country basis. Each EU country (known as a “member state”) has a national regulator responsible for overseeing licensing and enforcement for dual-use exports from that jurisdiction. Export licenses are required in many situations where dual-use goods are exported from a member state of the EU to locations outside the EU. Criminal and civil penalties can apply in respect of violations of EU dual-use controls.
It is important to note that U.S. export control law also applies to many re-exports of U.S.-origin goods from the EU, and that U.S. economic sanctions and trade embargoes can also apply to conduct in the EU (particularly where U.S. companies and individuals are involved). These controls under U.S. law are not the focus of this article, but U.S. companies must of course consider them alongside EU controls.
Back to top
What constitutes an "export" from the EU?
EU dual-use controls apply to any transfer of a dual-use item from the EU to a destination outside the EU. Controls do not apply to shipments between EU member states (with limited exceptions for certain highly sensitive items – e.g. some explosives, sonar equipment, and “cryptanalytic” items used for breaking encryption). The method of transport outside of the EU does not matter in determining whether an “export” has taken place. For example, physical shipment, regular mail, delivery by hand, downloading software from an Internet site, and transmission of software or technology via e-mail can all constitute an export from the EU. Likewise, controls generally apply regardless of the purpose for export – temporary exports (i.e. of items that will return to the EU), gifts, contributions to research projects, shipments to a subsidiary outside the EU --all of these can constitute an export which may be subject to EU export controls. However, unlike under U.S. law, there is no general “deemed export” rule prohibiting transfer of technology within the EU to nationals of non-EU countries.
Back to top
Licensing regime in the EU – some highlights
CGEA
The Community General Export Authorization is an export authorization for dual-use goods that is included in the Dual-Use Regulation, and covers most exports to Australia, Canada, Japan, New Zealand, Norway, Switzerland and the U.S.In order to use the CGEA, an exporter usually must register with the national export regulator. In Ireland, for example, an exporter, once registered with the regulator, simply notifies the regulator in writing of his/her name and the address where the export records may be inspected and the notification must be made before, or within thirty days of, the first such export. Additional conditions for use of the CGEA are specified within the authorisation itself. Companies should check local member state requirements for the CGEA.
Mass Market/Retail Exemption
EU dual-use export controls apply to encryption products, but include an exemption for exports of “mass market” items under the Cryptography Note included in the Dual-Use Regulation. Under the Cryptography Note the export controls set out in 5A002 and 5D002 of the EU control list do not apply to exports of goods or software that meet all of the following:
a.) Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1.Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b.) The cryptographic functionality cannot easily be changed by the user;
c.) Designed for installation by the user without further substantial support by the supplier; and
d.) When necessary, details of the goods are accessible and will be provided, upon request, to the competent authorities of the Member State in which the exporter is established in order to ascertain compliance with conditions described in paragraphs a. to c. above.
Licensing
For exports of dual-use items that are not within the CGEA, the Cryptography Note or another exception from controls, an appropriate export licence from the relevant EU regulator is generally required (any may not be available if an embargo applies). There are three types of licences:
• “General licences” are published by a national regulator, cover all exports of a particular description, and generally only require registration with the regulator. For example, the UK has issued a general license for certain exports of encryption software and technology to affiliates and business collaborators.
• “Open” or “global licences” can cover multiple countries (minus embargoed countries or countries which the local regulator deems inappropriate to participate in a “global licence”) and a large group of recipients. Global licences require an application to the relevant regulator. There are differences of approach among EU regulators on the granting of global licences and the extent to which certain countries are excluded from such licenses.
• “Individual licences” covered specified exports to specified recipients, often in a single country, and like general licences require an application.
Back to top
Potential Pitfalls – case study
In general, U.S. companies should expect that goods subject to U.S.dual-use export controls will be subject to similar EU dual-use controls when exported from the EU. But there are important exceptions. For example, EU exports of non-mass market encryption products (i.e. those not meeting the requirements of the Cryptography Note) having a USECCN of 5A002 and 5D002 generally require an export licence (unless the CGEA or a general licence applies). A common pitfall that we have encountered, particularly since the liberalisation of U.S. encryption controls in 2010, is that such products can often be exported from the U.S. under License Exception ENC of the U.S. Export Administration Regulations, with limited filing requirements. However, there is no comparable broad exception applicable under EU law, so that significant EU licensing requirements can sometimes apply to such encryption products that have largely been freed from U.S. controls. In many cases this has proven to be been a hidden "trap" for companies that have (wrongly) assumed that the fact that a U.S. export licence is not required for a particular category of export from the U.S.means that an EU export licence is not required either.
Back to top
Voluntary Disclosure
U.S. companies that discover violations of EU export controls frequently have questions about voluntary disclosure procedures like those under the US Export Administration Regulations. In fact, EU member states generally do not have explicit voluntary disclosure procedures, although some countries, such as the UK, do have judicial policies to mitigate penalties for companies that cooperate with investigations, including by a voluntary disclosure. Accordingly, when facing a compliance situation, it is advisable for the affected company to seek advice in the relevant EU member state on whether and how to approach national authorities.
Back to top
Conclusion
U.S. companies that export goods from the EU should ensure that their export compliance procedures, policies, training, software and personnel are updated to take account of both U.S. and EU export controls. EU dual-use export rules are implemented on a country-by-country basis, and the practical procedures can differ slightly between the various regulators in the EU. In particular, U.S.-origin non-mass market 5A002 and 5D002 encryption products should be reviewed carefully in the EU context to determine if an EU-based subsidiary may require an export license in the EU.
Back to top
Additional Resources
ACC Resources
Web Resources
Back to top
Published on August 24, 2011
