The UK government has recently issued updated guidance on these rules, which are cast very widely and apply equally to electronic as well as physical transfers. Organisations that may be affected need to have effective measures in place to ensure that no such transfers take place without a licence.
In fact, while there are helpful clarifications on electronic transfers and the use of cloud services, most of the guidance is not new. This reflects the fact that the underlying UK law has not changed except that, post-Brexit, export controls now apply to dual use transfers between Great Britain (GB) and the EU. The EU is in the process of adopting a recast of its Dual Use Regulation (428/2009), including changes that will affect transfers of technology. This is expected to be in force across the EU and Northern Ireland after the summer. But the UK is under no obligation to apply any of the changes in GB and has so far given no indication of its intentions.
Who is affected?
The controls apply to any person in the UK transferring technology to any person outside the UK (but no licence is required for transfers of most dual use technology from Northern Ireland to the EU).
What is controlled technology?
This remains defined as specific information that is necessary for the development, production or use of controlled goods or software; this is further defined (except for nuclear technology) as only the specific technology which is ‘required’ for achieving the controlled performance characteristics. This can take any form including, for example, blueprints, plans, diagrams, models, formulae, tables, source code, engineering designs and specifications, manuals and instructions.
Controls also apply to any technology if its end-use is related to:
- unauthorised military exports or military use in a country subject to an arms embargo; or
- a programme for weapons of mass destruction; such controls also apply to transfers within the UK, transfers by a UK person located outside the UK, and technical assistance.
What are transfers?
Transfers can be made in tangible/non-electronic form such as documents, portable memory drives, laptops, phones and tablets sent or taken overseas, or in intangible/electronic form, for example:
- Phone calls, video conferencing: a licence is required when the relevant part of a document is either read out or is described in such a way as to achieve substantially the same result as if it had been read out. A licence is also required where presentations – live and recorded - display controlled technology and are viewed by an individual or a group overseas;
- Email: emails containing controlled technology require an export licence based on the location of the intended recipient overseas. Companies using automatic forwarding to addresses overseas or diversion for malware checking need to have mechanisms to prevent inadvertent transfers;
- Transfers within companies: companies that share IT systems must obtain an export licence to transfer controlled technology to their overseas offices or subsidiaries. If an employee accesses controlled technology while overseas, even if they have no intention of passing it on to another person, a licence is required.
Remote access and use of cloud services
The updated guidance confirms that uploading controlled technology to cloud-based storage is not licensable, irrespective of where it is stored or routed, provided that access is restricted to only persons located in the UK. Examples of suitable safeguards include “industry standard methods of end-to-end encryption and identity and access management”. This is still far less detailed than the equivalent requirements in, for example, US regulations, and places responsibility on the UK person concerned to judge which measures amount to “suitable safeguards”. But, provided that such measures are in place, an export licence is only required for transfer to the country where the intended recipient is located.
A licence or licences must be obtained before controlled technology is made accessible to an individual or a group overseas, covering each country where the intended recipients are located.
If a third-party cloud service supplier manages controlled technology, the owner of the technology has exclusive responsibility for compliance with export controls, not the service provider. The contract should define the export control accountabilities of all parties; in particular, if the owner delegates to the service provider the power to grant access to controlled technology to a person located overseas, the owner still has responsibility for how this is exercised. If staff of the service provider located overseas will intentionally have access to controlled technology (for example for maintenance or penetration testing), an export licence will be required to the country(ies) where the access will occur. No export licence is required if the service provider’s personnel outside the UK will not have access to controlled technology.
The guidance on exceptions has not changed and remains essentially as follows.
Technology in the public domain
Export controls do not apply if the technology is freely available, with no restriction on its dissemination other than copyright. This includes if it has to be paid for (e.g. in a book, a subscription journal) provided that it is accessible to anyone. It is not in the public domain if:
- access is restricted to certain persons;
- it is subject to the Official Secrets Act, or government security classifications;
- if it has been placed in the public domain in contravention of a statutory prohibition;
- it is intended to publish a paper containing controlled technology but it has not yet been published. Any collaboration or sharing of controlled technology overseas, such as through a peer review before publication would require a licence. (The act of publication is not controlled unless it is otherwise restricted e.g. by contract or it contains classified information).
Basic scientific research
This is defined as “experimental or theoretical work undertaken principally to acquire knowledge of the fundamental principles or phenomena or observable facts and not primarily directed towards a specific practical aim or objective”. For example, research conducted for a Research Council for the purposes of understanding fundamental phenomena. By contrast, research conducted for a commercial sponsor for a practical purpose is not basic research. This exception does not apply if the technology is for WMD end-use.
Technology required for installation, operation, maintenance or repair, or patent applications
A licence is not required for the transfer of technology that is the minimum required for:
- patent applications (except nuclear technology);
- installation, operation, maintenance or repair of goods that are not controlled or whose export has been previously authorised to the same destination and end-use.
Some Open General Export Licences (OGELs) specifically cover transfers of technology, notably those for military goods and for dual-use items. If no suitable OGEL is available, exporters must apply for either a standard individual export licence (SIEL) or an open individual export licence (OIEL). Licensees must comply with the terms and conditions in each type of licence. Holders of open licences or a SIEL for technology transfer are audited by the Export Control Joint Unit’s Compliance Team.
Sign up to our email digest