Clouding Australian export control laws

Posted by Tim Hewitt - 4.30pm - 2 February 2011

The Department of Defence has announced that it is preparing proposals to amend Australia's export control laws to require licensing for intangible transfers of controlled technology. While these amendments are in recognition of a gap in Australia's export control regime caused by sophisticated transfers of controlled technology via intangible means, they may cause compliance woes for many organisations, particularly cloud computing service providers.

Currently, Australia's export control regime only requires licensing for exports of controlled items listed in the Defence and Strategic Goods List that are exported in a physical form (e.g., CD, DVD, HDD or on paper); whereas exports of controlled data, software or technology (collectively, 'controlled technology') via the internet, telephone lines, satellite and other intangible means are only prohibited if it can be deemed that the transferor believed or suspected that the transferee would or would likely use that controlled technology in connection with a weapon of mass destruction.

At this stage it is not clear what compliance measures will be required and many may be caught off guard. For example, a person in Australia sending encryption and information security software in an email to a colleague, client or other contact overseas will likely be considered to be making an export of controlled technology. The new regime may even extend to organisations providing the means of transfer such as cloud computing service providers.

It may seem an incongruous result that a cloud computing service provider would be considered the exporter of controlled technology given that the transfer is initiated by the cloud user. However, if the cloud users (i.e., the transferor and the transferee) who access an Australian-based cloud to initiate a transfer of controlled technology are both overseas, it may only be possible for Australian authorities to control that transfer by regulating the cloud computing service provider which receives the controlled technology on its server and then "exports" it to the transferee overseas.

Authorities in the U.S – where licensing is already required for intangible exports of controlled technology – are currently grappling with this issue. However, no legislative changes in the U.S have been made yet that can inform developments here in Australia regarding the compliance obligations of cloud computing service providers and other organisations indirectly involved in the export of controlled technology via intangible means.

Until further details of the proposed changes are released, organisations that transfer controlled technology via intangible means, as well as organisations like cloud computing service providers that may be indirectly involved in that transfer, need to "watch this space" for further developments and consider how those developments will impact their operations. If these developments are likely to cause complicated compliance procedures − for example, if it is proposed that every single transfer of controlled technology requires separate authorisation − it may be worth petitioning the Department of Defence and participating in any public consultations.

Special Counsel: Geoff Shelley