There is some good news in all this from an export controls perspective. First, with recent changes as part of the US Export Control Reform efforts, information is not needed with respect to all company employees, or even all company employees (or subcontractors) with access to a particular part of your IT system where controlled technical information is stored. A new rule published September 8, 2016, confirms that the US State Department no longer views theoretical or potential access as an export or re-export in and of itself. Rather, an individual would need to actually access ITAR-controlled technical data for authorization to be required. (The US Commerce Department has always required actual access in order to find that an export, re-export or release had occurred.) If there is no release or re-export, no authorization is required. As a result, information about employee nationalities need only be obtained for those employees who may have actual access to controlled technology.
Second, unlike under the prior approach taken by the US State Department, it is not necessary to gather information about the country of birth for those employees who will need authorization to access controlled technical information. The recently revised rules focus solely on citizenship and permanent residency. But, if access to ITAR-controlled data is at issue, take careful note of the fact that the State Department takes into account ALL citizenships ever held by an individual—past and present—even if the individually has formally renounced a citizenship. So, if the country in which someone was born grants citizenship as a matter of law to anyone who is born in the country (as is the case in the United States), then a person’s country of birth can still be relevant.
Further, both the Departments of State and Commerce have taken some steps to make it easier to balance the labor and privacy law requirements with the need to gather information to ensure proper authorization for sharing controlled technical information with company employees who are from a country other than the country in which the company is located (or in the case of the ITAR, may be dual- or third-country nationals). Primarily, they have shifted their approaches to allow the non-US parties receiving controlled technical information to determine which of their employees require access to such information and to vet those individuals internally for compliance with the ITAR and EAR requirements. This differs from earlier years when information about individual employees’ nationalities would have to be shared in some form with the US party seeking to obtain authorization from the US government to send the technical information overseas.
Under the EAR, Commerce will issue technology licenses with license conditions that indicate any limits on re-exports of the technology to “permanent and regular employees” of the non-US company who are nationals of a country other than the one in which the company is located (i.e., a Dutch national working for a Belgian company). Information about individual employees’ nationality need not be provided to the US party that is applying for the license. The non-US company can take steps internally to ensure that the individuals who have access to the controlled technology fall within the permitted categories allowed under the license.
Alternatively, both Commerce and State allow non-US companies to vet their own employees (provided they meet the definition for Commerce of “permanent and regular employee” and for State of “bona fide regular employee”). If a person has a security clearance approved by the host nation government of the entity outside the United States, further information is not needed from the individual. If confirmation can be obtained that the individual employee is a national only of countries that are members of NATO or the EU, or of Australia, Japan, New Zealand or Switzerland, and the transfer is occurring within one of those countries, additional information is not needed from the individual. Special provisions can also be relied on particularly for nationals of the United Kingdom, Canada, Australia and the Netherlands in certain circumstances. For other employees, additional information would need to be obtained from the individuals about their “substantive contacts” to countries subject to a policy of denial or an arms embargo under US export controls. Although this does require collection of additional information, the specific responses are not required to be given to the US applicant; the information does need to be made available to the US government if specifically requested.
Individuals who are not regular employees under the Commerce or State definitions are not eligible to receive controlled technical information under the above provisions. In such cases, additional information would need to be obtained about the person individually and other provisions of the ITAR or EAR relied upon to seek specific authorization.
Needless to say, although the rules may be more accommodating to the labor and privacy law concerns, they continue to be complex and warrant great attention to the details to ensure compliance.
Authors of this post are :