New Developments

advertisement
New Developments in Canadian Export Controls on Ancillary Encryption
Canadian controls over the export or transfer of goods, software and technology containing or
designed to work with encryption continue to present challenges for Canadian companies. Export
permits must be applied for and obtained in order to export information security items or transfer
any related technology from Canada to destinations other than the United States. Canada’s
Export Control List identifies the goods and technology covered by these requirements and
imposes a very low threshold of control – encryption with key lengths in excess of 64 bits (in the
case of symmetric algorithms). Further, the available exemptions for mass market items and
technology and software in the public domain may only be relied upon in very limited
circumstances.
As noted in our last update, Canadian Government Launches Consultations on Encryption
Controls, Canadian authorities have been consulting with the business community on how the
mass market exemption for encryption items is interpreted and administered in jurisdictions
outside Canada. This appears to be part of an effort to address concerns that, because of the
burdens imposed by the permit regime, Canadian companies are not on a level playing field with
their competitors in the United States and other countries when it comes to the sale of their
products and technology in international markets.
Ancillary Encryption
Recently, another encryption control issue has arisen, this time regarding the liberalization of
international controls over “ancillary encryption” items. These are items that contain or are
designed to work with encryption, but encryption is not their primary function. These goods,
software and related technology still require permits in order to be exported or transferred from
Canada.
In December of 2009, the Wassenaar Arrangement Participating States, including Canada,
agreed to exempt from export control items incorporating information security cryptography that
is ancillary to and not the primary function of those items. The exemption has been implemented
in the form of a Note to the Wassenaar Arrangement Category 5 – Part 2 (“Information
Security”) as follows:
Note 4:
Category 5–Part 2 does not apply to items incorporating or using "cryptography" and meeting all
of the following:
a.
The primary function or set of functions is not any of the following:
1. "information security";
2. a computer, including operating systems, parts and components therefore;
3. sending, receiving or storing information (except in support of entertainment, mass
commercial broadcasts, digital rights management or medical records management); or
4. networking (includes operation, administration, management and provisioning).
b.
The cryptographic functionality is limited to supporting their primary function or set of
functions.
McCarthy Tétrault LLP DOCS #1417863 v. 3
-2c.
When necessary, details of the items are accessible and will be provided, upon request, to the
appropriate authority in the exporter’s country in order to ascertain compliance with
conditions described in paragraphs a. and b. above.
Provided these conditions are met, exporters of these items should no longer be required to
undertake the process of applying for and obtaining an export permit prior to supplying their
customers outside of Canada. However, the Canadian government does not anticipate
incorporating these provisions into law until the end of 2010 or early 2011.
Broadbase Permit Pending Implementation
In an attempt to address concerns that Canadian companies will be put at a competitive
disadvantage by this implementation delay, the Export Controls Division of Foreign Affairs and
International Trade Canada has developed a new broadbase permit that may be applied for, and
that, under certain conditions, will permit these shipments or transfers to proceed. Once the
broadbase permit has been negotiated and obtained, the exporter is free to ship or transfer such
items without any reporting requirements, although recordkeeping requirements still apply.
A procedure has been established to allow ancillary cryptography exporters to apply for these
permits under certain terms and conditions, including the following:
(i)
The exporter provides full technical specifications with sufficient detail to disclose the
true nature of the goods, their country of manufacture, their intended application, and the
justification for qualifying for the ancillary exemption.
(ii)
The permit will not authorize exports to any end-user directly or indirectly involved in
research, development or production of chemical, biological and nuclear weapons, or any
missile program; or to any country on Canada’s Area Control List (currently Burma and
Belarus, and soon North Korea will be added) or any other country subject to existing
Canadian economic sanctions.
(iii)
The exporter must maintain all records necessary to determine compliance with Canadian
legal requirements for a period of six years after the date of export from Canada.
Until the Wassenaar Arrangement exemption for ancillary encryption is fully implemented into
Canadian law, exporters will have to apply for and obtain an individual broadbase permit before
exporting these items or transferring related technology. After implementation of this new
exemption, exporters will be able to self-classify exports and transfers without having to notify
the Export Controls Division.
Continuing Challenge of Canadian Encryption Controls
Many Canadian companies continue to struggle with the burden imposed by Canada’s broad
system of encryption controls.
Vendors are often surprised to learn that the export or transfer of their encryption goods and
technology requires a permit before shipment to their foreign customers. Often, they first
McCarthy Tétrault LLP DOCS #1417863 v. 3
-3discover this when the Canada Border Services Agency detains these goods just prior to export.
Others fail to realize that transfers of related technology that do not involve physical shipments
also require a permit – these technology transfers can occur as a result of communications by fax
or e-mail, during teleconferences or training sessions, or by remote server download or upload.
Because failure to obtain a permit prior to exporting or transferring controlled goods or
technology can attract heavy penalties — and, often more significantly, can lead to long delays
in order fulfillment and lost business — it is important that any organization dealing in
encryption or items designed to work with encryption carefully address these issues to minimize
risk exposure and administrative burden.
McCarthy Tétrault’s International Trade and Investment Law Group has significant expertise in
encryption controls, and regularly assists clients in developing solutions to compliance and
enforcement issues in this area. We are available to advise on these or any other export control,
economic sanctions or trade matters.
McCarthy Tétrault LLP DOCS #1417863 v. 3
Download