Thousands of Americans export data overseas every day without U.S. government authorizations and don’t even know it. How? By using cloud-computing services, ranging from personal services like Gmail to large-scale enterprise data storage solutions. While cloud-based services have become a valuable tool for improving efficiency, outdated government regulation leaves cloud users exposed.
Here’s an example. Imagine you’re an engineer working for a small firm in Indiana that uses a cloud service for data storage. One day you realize the company’s aluminum valves, used only by U.S. customers, could be improved with a redesigned “butterfly” mechanism. You revise the design specifications on your desktop computer and click “save.” Your company’s cloud provider routes your document to its network’s least burdened location—which happens to be in India—for storage.
Guess what? Controlled technical information was just exported to India without U.S. government authorization.
Under a literal interpretation of the U.S. Department of Commerce’s Export Administration Regulations (EAR), you and your company would be subject to penalties totaling up to $250,000 per violation. (If the data were military technology under the U.S. State Department’s purview, civil penalties could reach $500,000 per violation.) Violations are subject to “strict liability”—you would be on the hook even if you didn’t intend to “export,” or even if you didn’t know your technology is subject to controls.
But here’s the kicker: It’s unclear whether the U.S. would apply the rules literally, though there’s reason to conclude that the government would pursue this kind of case if the data involved were particularly sensitive and if the cloud user had failed to take appropriate steps to minimize risk. Only one of the various federal agencies responsible for trade controls has addressed cloud computing, however, and its guidance raised as many questions as it answered. This leaves compliance-minded companies in limbo. But while the lack of clarity causes heartburn for many, it also creates a golden compliance opportunity.
How Cloud Computing Causes Exports
Before analyzing the limited official guidance available, it’s important to understand how these services lead to inadvertent exports. Cloud computing is an innovative approach to reducing the growing cost of data storage and processing power. Instead of expanding their own IT infrastructure, companies can rely on outside providers for data storage and data processing.
Of course, “cloud” computing—so named because of the images that represent the Internet on data transmission diagrams—actually takes place on physical servers located somewhere, not in the mythical ether. And because cloud services are primarily valued for their cost-effectiveness, that “somewhere” is often an inexpensive location overseas.
Cloud users often have no control over—or even knowledge of—the locations where their data is stored. Moreover, the storage location can change at any time, based on the cloud provider’s resource needs and without the user’s input or knowledge. This easy mobility is one of the great virtues of the cloud, as providers can shift data rapidly in response to network events or take advantage of less congested storage options.
The compliance challenge for cloud users arises because of the fundamental tension between cross-boundary remote computing and trade controls. The applicable regulations—principally those enforced by the Departments of Commerce and State—define “exports” broadly to include data shipped or transmitted (even in electronic form) from the United States to a location abroad (or to a foreign national within the United States). These regulations extend far beyond data related to high-sensitivity or military-grade products. They can apply to a huge array of products and technical data—including seemingly low-sensitivity goods like certain engines, pipes, chemicals, ovens, and metals.
