On July 29, the US government proposed big changes to rules about supporting or exporting to foreign military, intelligence, and security entities.
The US Department of Commerce’s Bureau of Industry and Security (BIS) is seeking to expand the types of activities that US persons have to get a license for, as well as beef up restrictions on exports, reexports, and transfers of items subject to US export controls that everyone needs to get a license for.
There are two proposed rules: one updating the rules for military end users (MEUs) and introducing new controls pertaining to military-support end users (MSEU), “military-production activities,” and certain intelligence end-users (MEU Plus Proposed Rule); and a second one for facial recognition technology and introducing controls for ‘foreign-security end users’ (Crime Control Proposed Rule). DDTC published a proposed and long-awaited definition of defense services on the same date, which will be the subject of another alert.
Comments on BIS’s proposed rules are due 60 days after its publication in the Federal Register, making the deadline September 27. Knowing whether to comment or what the rules mean will be tricky, as BIS didn’t make it easy to figure out the scope of the new end-user/use controls and US person activity restrictions.
Overview: What Do the New Rules Propose to Do?
The MEU Plus Proposed Rule and the Crime Control Proposed Rule are long and complex and figuring out all the changes will take a while. We believe these are the big ticket items:
- MEUs: updated definition, expanded export controls that include all items subject to the EAR, not just those in Supplement 2 to Part 744 of the Export Administration Regulations (EAR). MEUs include Entity List entities with Footnotes 3 (preexisting) and 5 (new).
- Four new types of proscribed end uses/users:
- MSEUs: new license requirements and US person restrictions. Includes Entity List entities with Footnote 6.
- Military Production Activities: new US person restrictions.
- Intelligence End Users: new license requirements and US person restrictions. Includes Entity List entities with Footnote 7.
- Foreign Security End Users (FSEUs): new license requirements and US person restrictions. Includes Entity List entities with Footnote 8.
- US persons now need a license to “support” the above end users (although the prohibited end users are limited to footnoted entities on the Entity List for MSEUs and FSEUs), a major expansion of US person controls.
- New proposed export controls on facial recognition technologies.
We have boiled down these new rules into a chart — see below — where you can (hopefully) see at a glance which controls may affect you and your company. We say “you and your company” because, yes, many of you reading this may be US persons (individuals). As a reminder, the term “US person” includes:
- Any individual who is a citizen of the United States, a permanent resident alien of the United States, or a protected individual as defined by 8 U.S.C. 1324b(a)(3);
- Any juridical person organized under the laws of the United States or any jurisdiction within the United States, including foreign branches; and
- Any person in the United States.
Proposed Facial Recognition Controls
Let’s get the easy part done first. The Crime Control Proposed Rule proposes new Crime Control (CC) Column 1 controls on facial recognition systems (in ECCN 3A981) and facial recognition software (in ECCN 3D980). CC Column 1 is a strict control meaning that if BIS sticks to its guns, facial recognition exports will require a license to most countries.[1] The proposed control would exempt facial recognition solely for person or object detection or for individual authentication to facilitate individual access to personal devices or facilities, following well-worn exceptions in the fingerprint matching control areas. As explained in BIS’s preamble to the Crime Control Proposed Rule, the agency intends to control “facial recognition systems specially designed for surveillance and crowd scanning.” There are certain to be difficult classification issues. For example, what about systems in airports that scan your face to display your flight and gate number, but the images are stored in a database accessible by the police? Those systems are facilitating passengers’ access to their gates and flights, to be sure, but to do so they may also aid surveillance for security reasons. Controlled or exempt?
Footnote Frenzy: Charting the Proposed End-User/US Person Activity Controls
BIS starts out with a laudable objective of unpacking the military end use and military end-user definitions into bite-size chunks that we can understand. Currently, an MEU can be a company producing military items, a government body doing the same, an intelligence agency, or the national police. What BIS proposes to do is separate these end-users and activities into different definitions and under EAR Part 744, so that they are, perhaps, more understandable, taken one at a time. So far, we’re on board.
However, taken together, the proposed rules are complex and mind-boggling. While the Bible was satisfied with the Four Horsemen of the Apocalypse, BIS’s latest action has us trying to come to grips with five types of proscribed end uses/users: MEUs, MSEUs, military production activities, intelligence end-users, and FSEUs. The definitions of the restricted activities and end-users are broad, and the geographic scope varies across different parts of the new rules. Some of the end users will be easily identifiable by a footnote on the Entity List (see our discussion of Footnote Frenzy below), but some parts of the new rules will require exporters and US persons to determine for themselves when and to whom the controls apply. We can see industry already tearing their hair out about the added due diligence headache.
Apparently recognizing that some of the new proposed definitions are shockingly broad – for example, an FSEU as proposed would include “analytic and data centers (e.g., genomic data centers) [and] forensic laboratories” – BIS has come up with four more Entity List footnotes to narrow the definitions (but again, only in some cases). We should have known, after BIS started assigning footnotes to Entity List entities in 2020, that we had not seen the end of this pernicious trend. Besides currently existing footnotes 1 (Huawei entities), 3 (Russia military end users), and 4 (other companies like Huawei), BIS proposes to introduce a new MEU footnote 5, a new MSEU footnote 6, a new Intelligence End User footnote 7, and a new FSEU Footnote 8. Dr. Seuss wisely stopped at Thing One and Thing Two.
Overlay onto this the fact that, under the proposed regulation, a US person would need a license to “support” nearly all of these end-users as well as military production activities, and you have one hot mess. Support is broadly defined to mean:
- Shipping or transmitting from one foreign country to another foreign country any item not subject to the EAR you know will be used in or by any of the restricted end uses or end users, including the sending or taking of such item to or from foreign countries in any manner.
- Transferring (in-country) any item not subject to the EAR you know will be used in or by any of the restricted end uses or end users.
- Facilitating such shipment, transmission, or transfer (in-country).
- Performing any contract, service, or employment you know may assist or benefit any of the restricted end uses or end users, including, but not limited to: ordering, buying, removing, concealing, storing, using, selling, loaning, disposing, servicing, financing, transporting, freight forwarding, or conducting negotiations to facilitate such activities.
Given this whopping definition of pretty much anything a US person can do, there are some welcome exclusions:
- Activities related to “published” items described Section 734.3(b) of the EAR.
- Activities related to items on the US Munitions List and US Munitions Import List to the extent they are subject to International Traffic in Arms Regulations (ITAR) control.
- Activities related to administrative services which includes our personal favorite – “activities by an attorney that are limited to the provision of legal advice”.
- For the new US person controls only (not MEUs and the other preexisting controls) commercial activities related to the movement of goods by common carrier.
- A whole bunch of US government exclusions.
The chart below attempts to fit all the definitions, controls, geography and yes, footnotes onto a single page:
What Should the Industry Do If the New Rule Goes Into Effect?
- Monitor US person activities.
- Monitor where items subject to the EAR are being exported to.
- If your transaction involves US persons or items subject to the EAR, conduct due diligence similar to what is appropriate for managing the risks of transacting with sanctioned parties, MEUs, companies on the Entity List, etc.
- Update end-use certificates and statements to reflect the above updated controls.
- Provide updated trainings and update policies and procedures to reflect these new controls.
[1] Countries that would not require a license are: Albania, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, India, Ireland, Italy, Japan, South Korea, Latvia, Liechtenstein, Lithuania, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, and the United Kingdom.
[View source.]