Export Controls and Cloud Computing
At issue are U.S. export control laws which regulate the transmission of data as well as the shipment of hardware.
Like hardware, the transmission of technical data could be subject to the jurisdiction of U.S. International Traffic in Arms Regulations (ITAR) or U.S. Export Administration Regulations (EAR). If it is, and depending on the data and country of destination, an export license may be required.
When data is uploaded to the cloud, it can find its way to different servers that are located in different countries. Uploading data to a server outside the U.S. is considered an export and could require a license, depending on the location of the server and on whether the data comes under the jurisdiction of one of the relevant U.S. laws. This presents compliance challenges because the transmitter or the user doesn’t necessarily know where the server is located.
The location of users accessing cloud information also has an impact on these considerations. Data uploaded to a cloud cluster in the U.S. is not an export, but if the data is then accessed by a user in China, an export has just occurred and an export control license may be required.
The nationality of the cloud administrators is also a consideration under ITAR. In that case, the ability of foreign nationals, wherever they are located, to access data constitutes an export.
Bureau of Industry and Security opinions make it pretty clear that the onus of obtaining an export license is on the data owner and not the cloud services provider.
Experts say that companies can avoid these tangles by using the cloud only for nontechnical information that is not subject to export controls or for “low-level” technology. In the latter case, companies must ensure against exports to a handful of prohibited countries. Companies can also contract with their cloud service providers to limit the locations of servers and the nationalities of administrators.