New milestone for the Medical Device Addendum.
Do you know your ITAR as good as you should?
In an increasingly complex world, where companies and countries are cooperating to secure, develop and protect their defence capabilities.
Export and import regulation is no longer something one shall address or handle as a reporting element. It is rather one intricate and pivotal aspect, which will validate your business transaction and ensure that you will be the selected partner and not be fined, disbarred from future business or go to jail.
When dealing with the US you need to know your ITAR.
ITAR (International Traffic in Arms Regulations) and the EAR (Export Administration Regulations) are export control regulations run by different departments of the US Government. Both of them are designed to help ensure that defense-related technology does not get into the wrong hands.
Here in Nevada in the US at the Basic ITAR course, CPO Vidar Olsen and CEO Didrik Bech are enjoying meeting our partners in the industry and getting the latest update on ITAR regulations.
During day one we started with addressed aspects as what agency has jurisdiction, what is an item, how is it controlled, what must be registered, what data can be transmitted and how can it be transmitted?
Then the question is, what is a defence article or service?
First of all, you must analyze if your product is on the U.S. Munition list (USML) or ITAR § 121.1 If you find your product here, then most likely you are subject to ITAR
Remember that the US has a “catch and release” strategy, which means they first want to secure that as much as possible is subject to regulation (catch) and then you can arbitrate, if you are actually subject or not (release)
What is a Commercial Item
Many will argue (release) that your article is a Commercial Item and on the Commercial Control List (CCL) also called the EAR 600 list. Items on the CCL are dual-use commodities, software, and technology, which are subject to the export licensing authority of the Bureau of Industry and Security. If you are on this list, then you can disregard the export and import regulations set by ITAR. However, this specifically means that you have done Zero changes to the product in order to sell it to a defense company and ultimately USDOD. Remember you must be able to prove this before any data is shared or else you will be considered in breach of ITAR if DDTC disagrees with your analysis and subject to fines, disbarment, and jail.
Are any alterations done? Be aware
If your item falls under U.S. Department of Commerce jurisdiction and is not listed on the CCL, it is designated as EAR99. EAR99 items generally consist of low-technology consumer goods and do not require a license in most situations. However, if your proposed export of an EAR99 item is to an embargoed country, to an end-user of concern, or in support of a prohibited end-use, you may be required to obtain a license.
The next thing you need to analyze is ITAR § 120.41, is my product Specifically Designed for Defense?
The question you need to ask yourself, have I done any changes to my product in order to sell it to a defense company?
If you have made and form, fit, function, performance alteration as a software modification, altered the color or added any kind of extra feature which will enhance its usefulness or effectiveness, then you are subject to ITAR. Historical documentation is key if you are going to use this argument.
We did the analysis for our product, Printed Circuit boards (PCB) and the result was as follows.
Our product is on the §ITAR 121.1 USML list Category XI – Military Electronics point 12.
- (2) Printed Circuit Boards (PCBs) and populated circuit card assemblies for which the layout is specially designed for defense articles in this subchapter;
- 120.41 Specially designed for the catch is 120.41 (a)(2) Is a “part”, “component”, “accessory” or “software” or “attachment” for use in or with a commodity or defense article enumerated or otherwise described on the USML
The Printed Circuit is unique and only to use for the product is has been developed for. If it is developed in the US for defence then it is subject to ITAR. This knowledge combined with experience with DFARS (Defence Federal Acquisitions Reglement Supplement) means that we are subject to DFARS when e.g developed outside the US and the product is also transformed to an ITAR product once it enters the US
We are looking forward to tomorrow, then we will address subjects as Technical Data under ITAR, Deemed Export, Release vs Access to Technical Data, Dual Nationals and Violations of ITAR.
The” teacher” quickly challenged the class by asking everybody to consider “What routines do you have in place and how are you marking your Technical data controlled under ITAR?. Thereafter emphasizing that “If you do not mark your data properly and ensure that this marking and information flows down your entire supply chain, then you will be liable”. First, you must determine if the Technical data is subject to ITAR § 120.10 or in the public domain (ITAR § 120.11). You should ask the following questions
- Is it “Technical data”?
- Is there and Export?
- Is the information in the Public Domain?
- Is it Basic information, Engineering or Mathematical Principles?
- Is it Basic Marketing Information?
- Is there and Applicable Exemption?
Is the data (blueprints, drawings, photographs, plans, instructions, documentation) required for design, development, production, manufacturing, assembly, operation, repair, testing, or modification of defense articles. If the response to any of these questions is yes, then you have identified your Technical data. When considering if it is Basic Marketing information, which you are allowed to share, then you can just ask yourself. Does the marketing information explain what it does or how it operates? What it does is ok, but sharing how it does it, is controlled Technical Data.
What is the export? Sharing of data through email, verbal exchange, visual inspection, and social media to a foreign person is deemed as export of technical data. However, theoretical or potential access to this technical data is not a release. This is an important distinction as it places the burden of proof on the entity, which might claim that it is a release of technical data. However, remember that even though the information is on the open internet, it might still be a release violation as you do not know if the original data was released properly.
A release to a foreign person in the US is deemed to be an export to all countries in which the foreign person with dual citizenship has held or holds citizenship or holds permanent residency. However, if this person becomes a US citizen, then it is not deemed as export, but remember that you still need to do a security clearance of the person.
Violations of AECA and ITAR and penalties are controlled under AECA 22 U.S.C § 2778(c)-(d). The criminal violation is up to §1 000 000 USD per violation or imprisonment of no more than 20 years or both. Civil fines are up to 1 134 602 USD per violation, adjusted each year. The administration penalties in ITAR § 127.6-8 is debarment, seizure, external audits, and criminal penalties and let’s not forget about the lawyer and internal cost, which can be even higher. Hence make sure you know what you are doing and who you are doing it with.
Tomorrow I will dive further into subjects from the “Advanced ITAR Workshop class” and examine aspects as “specifically designed”, ITAR Compliance programs and case studies in further detail.
After some intensive days with basic ITAR, the course continued with an “Advanced ITAR Workshop”, analyzing the latest updates from Directorate of Defence Trade Controls (DDTC). The focus this day was on practical exercises and understanding best practices.
There are new USML clarifications to consider as “specially designed for a military end user”. A “military end user” means (specially designed is merely “achieving or exceeding the controlled performance”)
- the national armed services; army, navy, marines, air force and coast guard
- national guard and national police
- government intelligence or reconnaissance organizations or
- any person or entity who supports military end users
This is another example of “catch and release” by the US, so it is vital to clarify and understand exactly who one is supplying to, as there are no excuses for possible misconceptions. One can also state that it was developed for both military and non-military end users, however, do make sure that your documents can verify and prove this statement. Remember that most Commodity Jurisdiction (CJ) are in relation to “specifically designed” for and most of these cases are post export enumerated on the USML
There has been a harmonization and clarification of ITAR/EAR Tech Data Definitions or Technical Data in ITAR § 121.10, which is that information required for a defense article:
- Development: including design, modifications & integration design
- Production: including manufacture, assembly, & integration design
- Operation, Installation, Maintenance, Repair, Overhaul or Refurbishment
- Forms: blueprints, drawings, photos, plans, instructions or documentation
A consequence of this clarification for Printed Circuit, is that if you are a foreign (non-US) defence company or deliver a product determined as a defence article according to USML, then the Printed Circuit will be subject to ITAR regulation if you decide to produce in the US. The article will become an ITAR article as production is considered as an export of Technical expertise in relation to manufacturing and defence and USML. It is consequently important to consider this aspect when deciding your partners and compliance regulations and program for your article. If it is deemed as an ITAR article, you will have to report and get approval for all re-export/sales from DDTC before they occur.
When dealing with ITAR regulations it is important to consider partnering up with companies in countries according to ITAR § 120.31, “NATO” and TAR § 120.32, “Major non-Nato ally”. However, this is no instant approval of any supplier, you still need to ensure aspects as people vetting,cybersecurityy, dual nationals, compliance programs etc.
One must also consider ITAR § 120.37 “Foreign ownership and foreign control” as this states that foreign control is presumed to exist where foreign person’s owns 25 % or more and do not forget about ITAR § 120.4 “Affiliate” definition, as this can easily group people in a way that one is over the 25% threshold. Finally, do not forget about ITAR or DFARS prohibited sources. The recent news coverage of the F-35 case and the English manufacturer Exception PCB, which was bought by a Chinese company, was discussed in relation to these regulations. It will be interesting to see how DDTC address this matter F-35 – Exception PCB
As the week came to an end we found our self with approximately 2000 pages of material, regulations and cases, which we had read, discussed or debated. We summarized the class in one sentence “hard, interesting and glad we came”, now the journey is at its end and we shall start the long trip back to Norway. I wish all those who have read this blog and hopefully learned a thing or two, a great summer vacation with relaxation, great food, quantity family time and some great laughs :)