Life after Safe Harbour: Avoiding Uncle Sam's data rules gotchas
Do business, not time, across the Pond
Back in the day I used to work for a multi-national company with a big presence in the US. I learned a lot there, from the usefulness of a BA silver card to how to run the tendering process for a big global WAN.
I also learned what a big deal our US cousins make of their data export regulations.
This doesn't mean, of course, that other countries don't care as much about their data export controls – quite the contrary, in fact, which is why there was such a reaction when the EU Court of Justice rained on the picnic of the Safe Harbor agreement in 2015.
When you look at the scope of coverage, though, you see that the American data protection guys yelled “Supersize me!” when they asked for a helping of data export regulation.
Safe Harbour was a scope minnow
The Safe Harbor scheme targeted the movement of individuals' personal data, or personally identifiable information (PII), between the EU and the US. Important, yes, but not exactly a vast scope. US export controls go more than a little further, though, with ten categories of technology whose export is restricted. Although export controls apply primarily to exporting physical items, they also apply to data about those items. After all, exporting the design of something can be as harmful as exporting the finished product.
Some of the categories more than likely don't apply to the average company throwing data around the globe; not many of us deal with data relating to Category 0, for example (that's “Nuclear Materials Facilities & Equipment”, just in case your uncle in California wants to ask your opinion on the design for his new reactor). This said, though, it's pretty easy to find yourself working within some of the categories without really thinking about it: not least Category 4 (“Computers”), Category 5 Part 1 (“Telecommunications”) or my favourite: Category 5 Part 2 (“Information Security”).
The export of security-related technology has been a bone of contention for years, of course. Anyone who's older than about 40 will remember the days when it was illegal to export DES encryption outside the US – despite it being incredibly easy to do so since it was available widely once the Internet started to become commonplace – and when RSA encryption had the US version and the “export” version, the latter being much less robust thanks to a reduced key length.
In the case of these two examples the rules were relaxed due in part to public demand but primarily because public availability of the technology grew such that enforcement became an unfeasibly large problem. That hasn't stopped them attaching restrictions to newer technologies and concepts, though.
Indirect as well as direct
The desire not to permit the export of encryption technology is understandable: the country rightly wants to protect itself, and data encryption is key to that. They have, however, clearly sat down and thought about not just the export of directly relevant technology (i.e. software that can decrypt data) but also the indirect technologies that could be used against them by an outsider.
For example, Category 4 has rules around super-powerful computers and high-speed connectivity, so you'll see phrases such as:
“Digital computers” having an “Adjusted Peak Performance” (“APP”) exceeding 8.0 weighted TeraFLOPS
… and equipment providing:
...external interconnections which allow communications at unidirectonal [sic] data rates exceeding 2.0 Gbyte/s per link
That last one's interesting, isn't it? 2.0Gbyte/sec was screamingly fast and hard to afford when the rules were defined, but these days it's not actually that fast – a bonded pair of 10Gbit/sec WAN links will bust that limit, and though you'd never have considered such speeds ten years ago, they're increasingly feasible now.
It's not quite as bad as it sounds
If you take the time to read the docs (check out the BIS advice here as a good starting point), you'll see that the export regulations aren't just a blanket “thou shalt not export data concerning these topics”.
Each document is a complex selection of definitions, conditions and exceptions and so a type of data might be freely exportable in one circumstance, exportable only under licence in another, and non-exportable in a third – the latter tends, unsurprisingly, to involve particular destination countries.
What's important, though, is that you take the time to understand your situation – the last thing you need is inadvertently to fall the wrong side of the line.
My favourite example of US export control in my previous life was when a British colleague rocked up to the company data centre in the US mid-west to discover that our cabinets had stickers on the doors stating that only US citizens were permitted access. And it was all about “implied exports”.
Let's assume for a moment that your server in America holds some data items that aren't permitted to be exported to, say, China. You'd be sensible to avoid putting it on a USB stick and boarding a flight to Beijing, and likewise you'd probably decide not to email it to firstname.lastname@example.org or to drop it on your company's Shanghai FTP server.
Entertainingly, though, if one of your Chinese colleagues were to rock up – perfectly legally, assuming they had the right visa – to your server room in New York state and open the restricted file: you've just exported that data, without it ever leaving your server and hence without it ever leaving the shores of the US. How? Because it's been seen by a citizen of a country to which the export wouldn't be permitted, it's classed as having been implicitly exported.
That's why, in the mid-west example I mentioned, we paid a premium to the hosting provider in return for a guarantee that only suitable individuals would carry out maintenance, tape swaps and the like on our kit.
All of the above sounds a bit draconian in places, and you're right if you're thinking it's complex. There are, however, three simple steps you can take to avoid falling foul of the rules:
- Know that the rules exist, which you now do, having read this feature. As with any law, ignorance is no defence – but you now have the concept on your radar and can do something about it.
- Read up on the subject and check out some of the documentation the US government has published: it'll help you get a good grounding in the underlying fundamentals, and it'll confirm what I've said regarding it being complex, which will lead you on to the last step.
- Engage expert assistance. Legal advice isn't cheap, but unless your business is large and/or unusual the chances are that a relatively small, inexpensive engagement will give you a model to work with.
And as for that BA card: holders also get priority boarding on American Airlines, which is a Godsend in the scrum that is the average internal flight departure gate in the US. ®