IT.Can Quarterly Roundtable Series September 24, 2008 Export-Controlled Technology: The Cost of Non-Compliance IT.Can Quarterly Roundtable Series September 24, 2008 Christopher J. Cochlin

Canadian Export Controls 1. Overview of Canadian Regime 2. Getting Started: Checklist for Export Controls 3. Internal Controls for Compliance 4. Common Misconceptions

Canadian Export Controls  Overview of Canadian Regime

A. DFAIT: Export Controls Division (Issuance of Export Permits; Administration of Export and Import Permits Act) B. DFAIT: Legal Affairs Bureau, Economic Law Section (Int’l Negotiations; Economic Sanctions) C. Canada Border Services Agency: Administration and Enforcement of Customs Act; Export Declarations D. Others: CSIS, DND, RCMP, Communications Security Establishment (CSE), Justice Canada, Industry Canada, International Like-Minded Community (e.g. other Wassenaar Arrangement countries) Overview of Canadian Regime: Who Is Behind It?

Overview of Canadian Regime: “Controlled”  Export “controlled” does not mean export “prohibited”: If a good is classified as “controlled”, an export permit is required  Permit issued at the discretion of Minister of Foreign Affairs: Briefing and recommendations by DFAIT, on consultation with OGDs

Overview of Canadian Regime: What is covered?  Permit required by destination: Area Control List (Myanmar, Belarus) United Nations Act (Regulations covering: Côte d’Ivoire, North Korea, Democratic Republic of the Congo, Iran, Iraq, Lebanon, Liberia, Rwanda, Sierra Leone, Sudan, Terrorists and Terrorist Organizations) Special Economic Measures Act (Myanmar, Zimbabwe)

Overview of Canadian Regime: What is covered?  Permit Required for Listed “Goods” and “Technology”: All items listed on the Export Control List All items listed in Canadian economic sanctions regulations (usually by reference to UNSC resolutions)

Overview of Canadian Regime: What is covered?  Identifying coverage based on product is a technical classification exercise: → Group 1 – Dual-Use List (commercial goods) Group 2 – Munitions List Group 3 – Nuclear Non-Proliferation List Group 4 – Nuclear-Related Dual Use List Group 5 – Miscellaneous Control Regime List (e.g. “stategic/5504 goods”) Group 6 – Missile Technology Control Regime List Group 7 – Chemical and Biological Weapons Non-Proliferation List

Overview of Canadian Regime: What is covered?  Group 1 “Dual-Use” (key categories for IT products): Category 1 – Advanced Materials Category 2 – Material Processing → Category 3 – Electronics → Category 4 – Computers → Category 5 – Part 1 (Telecoms) & Part 2 (Information Security) Category 6 – Sensors and Lasers Category 7 – Navigation and Avionics Category 8 – Marine Category 9 – Propulsion

Overview of Canadian Regime: What is covered?  “Goods”: Technical interpretation required for classification of tangible goods/equipment:  Exhaust all possible classifications  Identify all applicable definitions  Assess all available exceptions (including in general technical notes, category-specific notes, or definitions)

Overview of Canadian Regime: What is covered?  “Technology”: Same classification exercise as for “goods” “Technology” defined as information necessary for development, production or use of a product:  Covers “Technical Data” (e.g. tangible or intangible blueprints, plans, specifications, instructions, etc.)  Covers “Technical Assistance” (e.g. instruction, skills, training, consulting services) Found in “Part E” of every Category of Group 1 Control of technology linked to control of underlying good

Overview of Canadian Regime: What is covered?  “Software”: Same classification exercise as “goods” and “technology” “Software” defined as a collection of one or more programs or microprograms fixed in any tangible medium of expression Found in “Part D” of every Category of Group 1 Control of “software” linked to control of underlying good or technology

Overview of Canadian Regime: What is covered?  “Information Security” (Category 5 – Part 2): Covers stand-alone cryptographic products or other product solutions that include cryptographic elements (including third party elements) Covers relatively low encryption strengths – assess products against ECL Item 1-5.A.2(1)(a) & (b) Exceptions are limited: (1) “Note 2” - products accompanying user for the user’s personal use; (2) “Note 3” - generally available to the public + installed with little support + crypto not easily changed; (3) authentication or digital signature functions; (4) smart cards limited for radio, television, banking, etc.

Overview of Canadian Regime: What is covered? US-origin “goods” or “technology”: Canada tracks and controls re-export of US goods  Prevents Canada from being a diversion point for US- embargoed countries Re-export of US-origin product is controlled either because:  Product is specifically identified on Canada’s ECL; or  Product falls into the catch-all ECL Item 5400

Overview of Canadian Regime: What is covered?  Exception regarding destinations: No export permit required for shipments to the United States or its territories, dependencies or possessions if:  US location is final destination; and  Sale is for end use of the product in the US Exceptions to the US exception: permit required for shipment to US of specific munitions, strategic/military, and agricultural/forestry goods

Overview of Canadian Regime: Permits  Number of permit options: Individual Export Permit (IEP): general/default rule applicable for specific transactions General Export Permit (GEP) 12: for re-exports of US- origin goods to non-embargoed countries (IEP for embargoed countries) Multi-destination, multi-shipment permits: for companies with strong compliance/internal controls (requires after- the-fact reporting of shipment details; valid over a specified period of time and subject to conditions)

Overview of Canadian Regime: Conclusion  Take-away items: 1. Canadian regime is a product of the broader government security community (and implements international agreements) 2. Control is based on:  Shipment destination  Product characteristics (tangibles and intangibles)  Product/input origin (US content) 3. Controlled products = export permit application required 4. “Software” and “Technology” controlled to same extent as underlying good 5. “Encryption” = automatic assessment required 6. Exports to US (final destination + end use) = no permit required* 7. Multi-destination, multi-shipment permit is best bet: requires demonstrated compliance

Canadian Export Controls  Getting Started: Checklist for Canadian Export Controls

Checklist 1. Identify and compile all existing products (incl. inputs) 2. Identify in-house technical expertise: For use in classification exercise for each product and each input element (where applicable) Consider product from “good”, “software”, and/or “technology” perspectives for analysis purposes 3. Identify and assess any foreign export control documentation provided by suppliers of inputs (e.g. US export control classification)

Checklist 4. Identify and assess any US content (e.g. cost of acquisition as a percentage of value of final good) 5. Compile (and keep) transaction records for possible controlled products: POs, invoices, customs accounting documentation (tangible transfers), communications or FTP downloads (intangible transfers)

Checklist 6. If non-compliance is discovered for existing products:  Establish the facts, prepare the documentation (incl. all relevant transactions records), and DISCLOSE  To avoid “knowing” violations of EIPA, discontinue all shipments of the product until: (1) disclosure is made; (2) a permit application is processed; (3) and a permit is received  Retain outside counsel, if required

Checklist 7. Going forward: Be ahead of the curve on new product deployments to avoid delays relating to permit applications (e.g. consult with DFAIT during development phase) Establish a compliance-oriented track record with the Canadian governmental security community Do so through appropriate internal controls

Canadian Export Controls  Internal Controls for Compliance

Compliance  Canada’s approach is compliance-oriented but statutory penalties are severe: Section19 EIPA: Every person who contravenes any provision of this Act or the regulation is guilty of:  an offence punishable on summary conviction and liable to a fine not exceeding twenty-five thousand dollars or to imprisonment for a term not to exceed twelve months, or to both, or  an indictable offence and liable to a fine in an amount that is in the discretion of the court or to imprisonment for a term not exceeding ten years or to both. Penalties also under United Nations Act or Special Economic Measures Act  Canada Border Services Agency, RCMP, CSIS, etc., will be involved in investigating possible violations of EIPA

Internal Controls  Controls are key to compliance with Canada’s Export Control Regime  Recall that intangibles are covered: electronic transfers outside of Canada (e.g. FTP downloads); travel by technical support staff and any “technology” that they bring  Treat export control issues like any other accounting issue (do not re-invent the wheel)

Internal Controls  Consider, for example: 1. Establishing internal oversight and reporting relationships for export controls 2. Ensuring redundancy within operational units and proper record keeping 3. Appropriate tasking for appropriate personnel: sales staff (know your customer, know your destination); financial staff (oversight of sales staff); contracting/regulatory staff 4. Ensuring timely applications for export permits (DFAIT) and timely filing of export declarations (CBSA) 5. Anticipating permit expiry (multi-destination, multi-shipment) and ensure prompt and seamless renewal 6. Maintaining internal reporting of sales of controlled products or external reporting to DFAIT (depending on nature of permit): monthly; quarterly; annually 7. Provide for internal training and awareness to key staff regarding export control compliance requirements

Canadian Export Controls  Common Misconceptions

Common Misconceptions 1. Electronic transmission is not “exporting” for purposes of EIPA ECL Guide: “regardless of their destination or means of transmission (e.g. facsimile, electronic transfers, consulting services, etc.)” 2. If my supplier has an export permit, I will be “covered” by my supplier’s export permit Exporter of the good is responsible for obtaining permit Only Canadian residents may apply for permits

Common Misconceptions 3. If my company receives an export permit, no further export controls compliance activity is required Must adhere to conditions in export permit Must be on top of new products, new customers, and new export destinations Other issues to consider regarding extraterritorial application of other export controls/sanctions laws (e.g. US) and Canadian “blocking” legislation (i.e. FEMA)