Exporting Encryption

October 27, 2010

On 14 October 2010, the UK Export Control Organisation (‘ECO’) granted a new Open General Export Licence (‘the OGEL’) to allow for the license-free export of certain cryptographic hardware, software, and technology to a wide range of countries. The new OGEL implements, in part, certain changes made to the Wassenaar Arrangement’s control list of dual-use goods in early December 2009.    

The new OGEL allows the export, without a licence, of cryptographic hardware, software, or technology where the following criteria are met:

(a) The primary function or set of functions of the cryptographic item is not any of the following:

1. ‘Information security;’

2. A computer, including operating systems, parts, and components therefor;

3. Sending, receiving, or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management, or medical records management); or

4. Networking (includes operation, administration, management, and provisioning);      and

(b) The cryptographic functionality is limited to supporting an item’s primary function or set of functions.

Exports of such items will be permitted from the UK, or any other Member State by any person established in the UK, to any destination except Iran and North Korea.

This new UK OGEL follows the approach seen earlier this year in the United States, when the US Commerce Department’s Bureau of Industry and Security (‘BIS’) revised its encryption rules, found in the Export Administration Regulations, to implement the Wassanaar Arrangement’s approach. The new OGEL represents a significant easing of UK export controls for the encryption items that fall within its scope. To the extent the US regulations can serve as a guide as to how such products may be treated, the preamble to the US rule implementing this decontrol provides the following examples of products that qualify: Piracy and theft prevention for software or music; games and gaming; household utilities and appliances; printing, reproduction, imaging and video recording or playback (not videoconferencing); business process modelling and automation (e.g., supply chain management, inventory, scheduling, and delivery); industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, and facilities systems such as fire alarm and HVAC); automotive, aviation, and other transportation systems; LCD TV, Blu-ray/DVD, video on demand (VoD), cinema, digital video recorders (DVRs)/personal video recorders (PVRs); on-line media guides, commercial content integrity and protection, HDMI and other component interfaces; medical/clinical—including diagnostic applications, patient scheduling, and medical data records confidentiality; academic instruction and testing/on-line training—tools and software; applied geosciences—mining drilling, atmospheric sampling/weather monitoring, mapping/surveying, dams/hydrology; scientific visualization/simulation/co-simulation (excluding such tools for computing, networking, or cryptanalysis); data synthesis tools for social, economic, and political sciences (e.g., economic, population, global climate change, public opinion polling, forecasting, and modelling); software and hardware design IP protection; and computer aided design (CAD) software and other drafting tools.

In contrast to the US regulations, the UK does not have a broad license exception for commercial encryption items, so these items previously would have required a specific license for export to most destinations. 

Continuing Requirement of Registration and Record-Keeping 

Companies that may be interested in using the Cryptography OGEL should note that exporters are required to register with ECO within 30 days of the first use of the OGEL. The notification must be made using the Export Control Organisation’s electronic licensing system, SPIRE, at www.spire.bis.gov.uk. Notably, registering for OGELs typically triggers occasional audits by ECO’s compliance unit, so companies interested in utilizing the new OGEL should ensure that they have adequate export controls compliance procedures in place. The OGEL also imposes certain record-keeping requirements which companies should bear in mind.

Finally, we note that the new OGEL will likely serve as a temporary instrument. The European Union is expected to amend the EU Dual Use Regulation—which is the primary instrument imposing encryption-related export controls on the UK and other EU Member States—to incorporate the recent Wassenaar changes. Once the Dual Use Regulation is amended, the UK Cryptography OGEL may carry less importance. However, the scope and timing of the potential amendments to the Dual Use Regulation are not yet known, so UK companies with immediate cryptography export needs in the area may find it useful to take advantage of the UK OGEL at least in the short term. 

David Lorello is a partner in the London office of Steptoe & Johnson, Julia Court Ryan is of counsel in the Washington office of that firm and Sheena Sheikh is an associate in its London office.