Canadian exporters of encryption-related items have been facing significant challenges with transfers of these items from Canada and have been expressing concerns regarding the impact of these controls on their competitive position in the international marketplace.

In response, ECD has been considering means of facilitating the permit process while still complying with Canada’s international commitments in this area. These consultations are further described in our earlier legal alerts: Canadian Government Launches Consultations on Encryption Controls andCanadian Government Undertaking Industry Consultations on Cryptography Export Permit Process. Late last year, ECD clarified and announced certain changes to its policy regarding the issuance of permits for cryptographic goods, software and technology. Further information on these guidelines can be found in our alert, Canada Issues New Guidance on Encryption Controls.

Key Conditions for EU+5 Permit

The new “EU+5″ permit appears to be designed to offer some flexibility in the terms and conditions applicable to transfers to the identified countries. The key points are:

1. it applies to hardware, software, source and object code, and technology that incorporate cryptography controlled in Category 5, Part 2 of Group 1 of the Export Control List, excluding items in 1-5.A.2.a.2 (designed or modified to perform cryptanalytic functions), 1-5.A.2.a.4 (specially designed or modified to reduce the compromising emanations of information-bearing signals), and 1-5.A.2.a.9 (designed or modified to use quantum cryptography);
2. it authorizes exports to final consignees in Australia, Austria, Belgium, Bulgaria, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom;
3. it excludes any exports or transfers involving countries on Canada’s Area Control List or subject to Canadian economic sanctions; at the present time these are Afghanistan, Belarus, Burma (Myanmar), Congo, Côte d’Ivoire, Cuba, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, North Korea, Pakistan, Rwanda, Sierra Leone, Somalia, Sudan, Syria, and Zimbabwe;
4. it excludes exports for end-use that is directly or indirectly related to research, development or production of chemical, biological or nuclear weapons, or any missile programmes for such weapons;
5. it has a validity period of five years and requests to extend the validity of export permits may be made up to three weeks before the expiry date;
6. there are no reporting requirements, however, exporters using this permit must retain documentation which demonstrates that the exporter has undertaken due diligence to verify that the transaction complies with the permit terms and conditions; this documentation includes contracts, invoices, requests for products, statements of work, specific correspondence, (if applicable) vendor/reseller/distributor agreements, and bills of lading.

More information on the EU+5 permit can be found on ECD’s website.

Canadian Encryption Controls

Canada continues to apply broad export and technology transfer controls to information security items. Subject to certain exceptions, all hardware, software and related technology designed or modified to use, work with or perform cryptographic functions (employing a key length in excess of 56 bits) is controlled for export or transfer to any non-US destination.

Failure to comply with these controls can have significant financial and reputational consequences. In many cases when product is detained or seized by the Canada Border Services Agency just prior to export because of compliance uncertainties, the ensuing delays can strain customer relations and result in lost business. Any businesses that use or transfer encryption should be carefully following developments in this area, not just to ensure that they are in full compliance with the requirements but also that they are using all available mechanisms to maintain or enhance their competitive position internationally.

In response to significant concerns expressed in the Canadian business community regarding the impact of these controls on their competitive position in the international marketplace, ECD has been considering means of facilitating the permit process while still complying with Canada’s international commitments in this area. These consultations are further described in our earlier legal alerts: Canadian Government Launches Consultations on Encryption Controls and Canadian Government Undertaking Industry Consultations on Cryptography Export Permit Process.

This week, ECD clarified and announced changes to its policy regarding the issuance of permits for cryptographic goods, software and technology. These new guidelines can be found at Export Permits for Cryptographic Items. Among other things, they specify that exporters must now have a comprehensive compliance plan in place regarding the export and transfer of controlled goods and technology.

Below is a summary of the key points in ECD’s new guidelines.

1.  Multi-destination Permits Available to Exporters

ECD has identified a number of multi-destination permits that are now available to exporters of cryptographic items. These enable exporters to ship or transfer items to consignees in multiple countries and may offer some flexibility in certain circumstances. They include the following:

• Broadbased permit: for exports of hardware, executable software, and associated information and enhancements to a wide range of countries; requires reporting every six months; applicants to whom export permits have not previously been issued or who have a history of non-compliance will be subject to a shorter validity period;
• Co-development permit: for exports of controlled software, source code and other technology containing cryptographic functionality and related technical data and assistance for product development to affiliates in a wide range of countries; locations of those affiliates must be reported but are not required to be declared at the time of application;
• Bona fide Canadian and US corporations permit: for exports of hardware, executable software, and associated information and enhancements to foreign consignees that are majority-owned by Canadian or US-based parent companies; no reporting requirements;
• Regime decontrol (ancillary cryptography) permit: for exports of any goods or technology that meet the definition of “ancillary” cryptography; no reporting requirements (this is more fully described in our legal alert at Export Controls Alert: Canada’s Response to Liberalization of Controls on Ancillary Encryption);
• Java permit: for exports of hardware and executable software into which the Java Runtime Environment has been integrated, as well as associated information and enhancements, to a wide range of countries; no reporting requirements; and
• Financial institutions permit: for exports of hardware, executable software, and associated information and enhancements to financial institutions in a number of countries that have enacted legislation to counter money laundering; no reporting requirements.

It is important to keep in mind that these are not exemptions or de-controls. In these circumstances, exporters must still apply for and obtain these multi-destination permits prior to exporting or transferring the covered cryptographic items. Experience suggests that this can be a lengthy application process. ECD’s document provides additional guidance on the information required in such applications.

2.  Export Compliance Plan Is Now Required

Although it has always been very strongly recommended that exporters have a comprehensive compliance plan in place, ECD is very clear that any exporter seeking to rely on these more flexible multi-destination permits must have such a plan.

ECD states that this must consist of defined or prescribed processes and procedures to ensure that employees at all levels of a company understand and act in accordance with the letter and spirit of the applicable export requirements under the Export and Import Permits Act, the Customs Act, and other trade-related legislation, including economic sanctions.

ECD requires that such a plan establish the steps and due diligence process a company follows when planning, marketing, and shipping items included in the Export Control List to foreign clients, and should also cover download practices. It must provide for a “defined process to provide a reasonable level of assurance (due diligence) that goods or technology may not be exported to unauthorized or illegitimate end-uses or end-users.”

3.  Application Review Periods

Applications for individual export permits (i.e., for the export to specified consignees in a single country) for cryptographic items in respect of many destination countries, including most European countries, Japan, South Korea, Australia and New Zealand, will be reviewed within 10 business days from the submission of a complete application. For exports or transfers to other destinations, that period is extended to eight weeks.

Applications for multi-destination permits will be reviewed within eight weeks of submission of a complete application.

4.  Extended Validity Periods

Individual export permits for cryptography are usually valid for two years. Exporters may request a longer validity periods of up to five years. Individual applications may also be made to extend the validity period of existing permits by up to one year at a time.

The default validity period for multi-destination export permits for cryptography is typically two years, and exporters may request a longer validity period of up to five years. ECD notes that applicants whose product development cycles are shorter than two years may wish to request shorter validity periods since a new application will be required for new versions of a cryptography item.

Canada’s Encryption Controls

Encryption controls continue to be a challenge for many Canadian businesses. Failure to comply can have significant financial and reputational consequences. In many cases when product is detained or seized by the Canada Border Services Agency just prior to export because of compliance uncertainties, the ensuing delays can strain customer relations and result in lost business.

Further, any businesses that use or transfer encryption should be carefully following developments in this area, not just to ensure that they are in full compliance with the requirements but also that they are using all available mechanisms to maintain or enhance their competitive position internationally.

McCarthy Tétrault’s International Trade and Investment Law Group has significant expertise in encryption controls, and regularly assists clients in developing solutions to compliance and enforcement issues in this area. We are available to advise on these or any other export control, economic sanction or trade matters. Please feel free to contact any of our partners below:

Toronto
John W. Boscariol

Orlando E. Silva

Ottawa
Brenda C. Swick

Montréal
Simon V. Potter

Canada, as a Participating State of the Wassenaar Arrangement, controls cryptography under Category 5, Group 1 of its Export Control List. The threshold for control is relatively low — e.g., cryptography having a symmetric algorithm employing a key length exceeding 56 bits. Those seeking to export or transfer from Canada covered goods, software and related technology employing cryptography must apply for and obtain a permit for destinations other than the United States.

Because of the administrative burden, uncertainty and delays experienced in having to obtain permits prior to shipment of these items, and the difficulties these present for the just-in-time business models employed across industry, some Canadian exporters and vendors of these items have been expressing significant concerns with the current process. They have also found that streamlined export licensing procedures and more flexible interpretations of exemptions in the United States and other countries have placed them at a competitive disadvantage when selling and supporting their products in the international market place.

These competitive issues have intensified recently with further steps being taken in the United States to liberalize export controls, and in particular the controls over encryption items, putting Canadian vendors and exporters at a further disadvantage.

The ECD has stated that it is now seeking the views of industry stakeholders on ways to improve the efficiencies of the administration of export controls on these items while continuing to meet Canada’s Wassenaar commitments and national security requirements. The ECD has drafted a brief paper intended to provide broad context for these consultations:Export Controls on Information Security (Cryptography) Items. The ECD has also created anInformation Security (Cryptography) Questionnaire that allows interested parties to provide information and express their views on this issue and that is available upon request.

The deadline for filing submissions is August 5, 2010.

As noted in our last update, Canadian Government Launches Consultations on Encryption Controls, Canadian authorities have been consulting with the business community on how the mass market exemption for encryption items is interpreted and administered in jurisdictions outside Canada. This appears to be part of an effort to address concerns that, because of the burdens imposed by the permit regime, Canadian companies are not on a level playing field with their competitors in the United States and other countries when it comes to the sale of their products and technology in international markets.

Ancillary Encryption

Recently, another encryption control issue has arisen, this time regarding the liberalization of international controls over “ancillary encryption” items. These are items that contain or are designed to work with encryption, but encryption is not their primary function. These goods, software and related technology still require permits in order to be exported or transferred from Canada.

In December of 2009, the Wassenaar Arrangement Participating States, including Canada, agreed to exempt from export control items incorporating information security cryptography that is ancillary to and not the primary function of those items. The exemption has been implemented in the form of a Note to the Wassenaar Arrangement Category 5 — Part 2 (“Information Security”) as follows:

Note 4: Category 5 — Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:

Provided these conditions are met, exporters of these items should no longer be required to undertake the process of applying for and obtaining an export permit prior to supplying their customers outside of Canada. However, the Canadian government does not anticipate incorporating these provisions into law until the end of 2010 or early 2011.

Broadbase Permit Pending Implementation

In an attempt to address concerns that Canadian companies will be put at a competitive disadvantage by this implementation delay, the Export Controls Division of Foreign Affairs and International Trade Canada has developed a new broadbase permit that may be applied for, and that, under certain conditions, will permit these shipments or transfers to proceed. Once the broadbase permit has been negotiated and obtained, the exporter is free to ship or transfer such items without any reporting requirements, although recordkeeping requirements still apply.

A procedure has been established to allow ancillary cryptography exporters to apply for these permits under certain terms and conditions, including the following:

1. The exporter provides full technical specifications with sufficient detail to disclose the true nature of the goods, their country of manufacture, their intended application, and the justification for qualifying for the ancillary exemption.
2. The permit will not authorize exports to any end-user directly or indirectly involved in research, development or production of chemical, biological and nuclear weapons, or any missile program; or to any country on Canada’s Area Control List (currently Burma and Belarus, and soon North Korea will be added) or any other country subject to existing Canadian economic sanctions.
3. The exporter must maintain all records necessary to determine compliance with Canadian legal requirements for a period of six years after the date of export from Canada.

Until the Wassenaar Arrangement exemption for ancillary encryption is fully implemented into Canadian law, exporters will have to apply for and obtain an individual broadbase permit before exporting these items or transferring related technology. After implementation of this new exemption, exporters will be able to self-classify exports and transfers without having to notify the Export Controls Division.

Continuing Challenge of Canadian Encryption Controls

Many Canadian companies continue to struggle with the burden imposed by Canada’s broad system of encryption controls.

Vendors are often surprised to learn that the export or transfer of their encryption goods and technology requires a permit before shipment to their foreign customers. Often, they first discover this when the Canada Border Services Agency detains these goods just prior to export. Others fail to realize that transfers of related technology that do not involve physical shipments also require a permit – these technology transfers can occur as a result of communications by fax or e-mail, during teleconferences or training sessions, or by remote server download or upload.

Because failure to obtain a permit prior to exporting or transferring controlled goods or technology can attract heavy penalties — and, often more significantly, can lead to long delays in order fulfillment and lost business — it is important that any organization dealing in encryption or items designed to work with encryption carefully address these issues to minimize risk exposure and administrative burden.

McCarthy Tétrault’s International Trade and Investment Law Group has significant expertise in encryption controls, and regularly assists clients in developing solutions to compliance and enforcement issues in this area. We are available to advise on these or any other export control, economic sanctions or trade matters.

Encryption controls have been a challenge for many Canadian software and hardware vendors. Category 5 — Part 2 of Canada’s Export Control List identifies information security items that require a permit in order to be exported from Canada to destinations other than the United States. Because the threshold for control is very low — key lengths in excess of 64 bits (in the case of symmetric algorithms) — many vendors have been surprised to learn that the export or transfer of their encryption goods and technology requires a permit before shipment to their foreign customers. Often, they first discover this when the Canada Border Services Agency detains these goods just prior to export. Failure to obtain a permit prior to exporting or transferring controlled goods or technology can attract significant penalties.

Mass Market Exemption

Many vendors who may be aware of the encryption controls are of the view that they qualify for an exemption because the encryption functionality of their product is based on open source, publicly available encryption libraries or because their product or technology is “mass market.” With regard to this latter basis, the ECL’s Cryptography Note provides an exemption for encryption items if they meet all of the following criteria:

1. they are generally available to the public by being sold, without restriction, from stock at retail selling points by means of over-the-counter transactions, mail order transactions, electronic transactions, or telephone call transactions;
2. their cryptographic functionality cannot be easily changed by the user;
3. they are designed for installation by the user without further substantial support by the supplier; and
4. when necessary, details of the items are accessible, and will be provided, upon request, to Canadian authorities in order to ascertain compliance with the above conditions.

These encryption controls and exemptions are based on the 1996 Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technology agreed to by Canada, the United States, and 38 other Participating States. These requirements are incorporated into the domestic laws of Participating States and then subject to the interpretation and enforcement policies of each state.

Contrast With U.S. Interpretation

In the past, the ECD has narrowly interpreted this exemption in many cases to be restricted to retail transactions with consumers. This is to be contrasted with the experience of many vendors in the United States who appear to be able to qualify their encryption items for the mass market exemption based on a broader interpretation employed by the U.S. Department of Commerce under the review procedures for mass market encryption commodities and software set out in Section 742.15(b)(2) of the U.S. Export Administration Regulations.

Because of the administrative burden and delays imposed by having to obtain permits prior to shipment of controlled goods or transfers of related technology, and its impact on the just-in-time business models employed by many, a more liberal interpretation of the mass market exemption in the United States and other countries can put Canadian software and hardware vendors at a competitive disadvantage in their export markets.

ECD Consultations

The ECD’s consultations have been launched with a view to seeking input on the mass market exemption from Canadian companies that have obtained either (i) a formal government ruling from the United States or another Wassenaar Participating State in respect of an item assessed as complying with its mass market exemption; or
(ii) supplemental information issued by a Participating State’s export control authority clarifying any of the provisions of the mass market exemption, including a presentation, briefing, or correspondence issued by the government authority.

The ECD is requesting specific information regarding these materials and has undertaken to treat all submissions received as company protected information. Submissions are due by April 30, 2010. More information can be found at http://www.international.gc.ca/controls-controles/about-a_propos/expor/Wassenaar_crypto.aspx?lang=eng.