Same Stuff, Different Way: New ITAR Rules on Transfers to Dual and Third-Country Nationals Move U.S. Companies into Oversight Role, but Don’t Lighten the Compliance Load

This post was written by Joelle E.K. Laszlo.

A relaxation of export controls is not very relaxing when all it really does is shift the majority of the compliance burden from one party to another. But it appears that that will be the result of recent amendments to the International Traffic in Arms Regulations (“ITAR”) regarding transfers of unclassified technical data and defense articles to dual and third-country nationals employed by approved end-users. Under the new rules, U.S. companies will no longer have the responsibility to collect and submit to the State Department’s Directorate of Defense Trade Controls (“DDTC”) certain biographical information about the employees of their foreign business partners, in order to ensure there will be no diversion of unclassified defense articles or controlled technical data to unauthorized countries or entities. Instead, the bulk of anti-diversion tasks will fall to the foreign business partners. Since the U.S. companies in these arrangements will remain responsible for everyone’s ITAR compliance, however, their new role may be one of strenuous oversight of their business partners’ anti-diversion measures.

Under DDTC’s current policy, a U.S. company seeking authorization under the ITAR via a Technical Assistance Agreement or a Manufacturing License Agreement for the transfer of unclassified defense articles and/or technical data to a foreign business partner has typically been required to collect and provide the nationality and country of birth of each of the business partner’s dual- and third-country national employees who will have access to the transferred defense articles, and submit this information with the associated agreement application. (A dual national is a citizen or national of the country of his employer and of another country, neither of which is the United States. A third-country national is a citizen or national of neither the United States nor the country of his employer.) The collection of employee personal data is not required if every individual who will have access to the transferred articles is a national of a NATO or European Union member country, Australia, Japan, New Zealand, or Switzerland. In order to qualify under this exemption, however, the transfer to any national of one of the named countries must take place entirely within the physical territory of the country, or the United States, and the foreign business partner that employs the national must be a signatory to the agreement under which the transfer is made, or must have executed a Non Disclosure Agreement. As noted by commenters to the new rules, the personal data collection required for any proposed transfer of defense articles that doesn’t meet the precise specifications of the exemption imposes a significant administrative burden on U.S. companies, and potentially violates foreign data privacy, labor, and “human rights” laws.

The new rules add an exemption to the current policy, that will permit transfers of unclassified defense articles and technical data to dual and third-country national employees of a foreign business partner (including any corporate or governmental entity or international organization, whether the partner is an end-user, consignee, or sub-licensee) without prior DDTC authorization (and the personal data collection pursuant thereto), provided four conditions are met:

• First, any dual or third-country nationals who will have access to the transferred articles or technical data must be either (a) “permanently and directly employed” by the foreign business partner, or (b) “in a long term contractual relationship” with the business partner and meet certain other employment criteria detailed in the exemption;
• Second, the transfer must take place entirely within the physical territory of the country where the business partner is located or operates;
• Third, the transfer must be within the scope of an approved export license or other export authorization (or a license exemption); and
• Fourth, the foreign business partner “must have effective procedures to prevent diversion” of the transferred articles.

This fourth condition is the one shifts the compliance burden, and there are two ways that it may be met. First, the foreign business partner will be considered to have “effective procedures to prevent diversion” if it has a security clearance for its employees issued by the government of the country in which it operates. Alternatively, a business partner lacking such a clearance must (a) have in place an active “technology security/clearance plan” that includes a process to screen employees for “substantive contacts” with restricted countries and (b) maintain a Non Disclosure Agreement with any employee to whom the defense article is to be transferred. The business partner must keep records of its screening activities for five years, and provide details of its plan and records to DDTC upon request “for civil and criminal law enforcement purposes.”
While the provision equating the foreign business partner’s holding of a general security clearance with “effective procedures to prevent diversion” arguably should lessen the compliance burden for all parties, it also has distinctly limited applicability. Otherwise, the new rules impose a substantial burden on business partners to develop comprehensive plans for employee screening with virtually no guidance about what will make those plans “effective” to prevent diversion. Though the new rules put forward seven kinds of activities constituting “substantive contacts” for which dual and third-country national employees should be screened, the seventh is the very broad “acts otherwise indicating a risk of diversion.” Thus absent further guidance from DDTC, foreign business partners will have to devise their screening plans largely from scratch, and in light of the same data privacy, labor, and “human rights” laws that make compliance with the current policy difficult. Given that they will be held wholly responsible if something goes wrong, U.S. companies will not only want a say in the development of those screening plans, but will have to devise some means of monitoring to ensure that the plans are being followed, and that they are being “effective.” As a result, U.S. companies that wish to take advantage of the new exemption and still meet the obligations of anti-diversion compliance, will also be required to shoulder some of the burdens risk analysis and anti-diversion enforcement.

The new rules will take effect on August 15, 2011. In the meantime, we’ll be watching State closely in anticipation of further guidance.

Research assistance for this post was provided by former Reed Smith Intern Henry R. Barnes.