Frequently Asked Questions about Export Controls at a University
What are export controls?
Loosely speaking, the phrase “export controls” refers most frequently to the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and the Foreign Assets Control Regulations. More strictly speaking, though, the term can also include the export rules of the Nuclear Regulatory Commission, the Department of Energy, and the various export licensing regimes imposed in many non-U.S. countries.
Why do U.S. universities need to worry about export controls?
Export control regulations can apply to a number of research and educational activities in sometimes surprising and even counter-intuitive ways. For example, the rules might impact—
- The carriage or shipment of certain sensitive hardware, software, microorganisms, and other items out of the U.S.;
- The disclosure of certain non-public data or source code to non-U.S. persons in the U.S. (a “deemed export”); and
- Travel to—and activities in—countries subject to U.S. trade sanctions.
Exports or transactions that occur without the appropriate government authorization can result in federal audits and investigations, civil fines, and even incarceration, for deliberate, criminal misconduct.
Universities typically have many students, staff, and researchers who are visiting the U.S. on some sort of visa. How do institutions deal with the risk of “deemed exports” of data or code, given the presence of so many non-U.S. persons?
Universities typically employ some combination of two principal approaches to the “deemed export” problem.
- The Fundamental Research Exclusion (FRE) is a regulatory concept that excludes the results of fundamental research typically undertaken at universities from the scope of data subject the EAR and ITAR. In other words, the results of fundamental research may generally be disclosed to non-U.S. students, staff, and researchers without federal authorization because the results are not regulated by export controls, as a threshold matter. (Grant or contract terms that restrict publication or impose citizenship/nationality requirements can invalidate the FRE; research results from projects subject to those terms may be subject to the EAR or ITAR. In addition, the FRE does not apply to proprietary information that outside parties may furnish.)
- When data or code does not qualify for the FRE, universities can protect that information from unauthorized release by the implementation of a Technology Control Plan (TCP). TCPs vary significantly in their details, but generally include instructions on the identification, segregation, and security of controlled information. If a researcher identifies a need to disclose controlled information to a non-U.S. student or employee, it may be possible to obtain U.S. government authorization (or make use of a regulatory exception or exemption) for the “deemed export,” depending on the technology, nationality, and other circumstances involved.
How universities apply these approaches can fall along a spectrum. Some institutions prefer to engage in only fundamental research as a matter of default policy, thus reducing the need for TCPs and licenses for “deemed exports.” The benefits of this approach include lower regulatory risks and compliance costs. The chief downside is that many grants and contracts (especially for the Department of Defense and its contractors) have mandatory terms that are inconsistent with the FRE, and cannot be accepted.
At the other end of the spectrum, some institutions readily accept grants and contracts for proprietary or restricted research that falls outside of the FRE. These institutions must implement TCPs and related measures to ensure that they comply with the relevant export control and security requirements. This approach grants researchers the flexibility to pursue non-fundamental research opportunities, but requires a greater investment in the institution’s compliance infrastructure.
Does my institution need an export compliance office or program?
Quite possibly, yes, but the needs of different universities may vary. Factors to consider include—
- Whether your institution conducts research from which sensitive, controlled technologies might arise, especially in the aerospace, defense/military, encryption, composite materials, communications, and computer engineering fields.
- Whether your institution accepts grant or contract terms that impose nationality or publication restrictions.
- Whether your institution sends personnel to, accepts students or scholars from, or collaborates with researchers in sanctioned countries.
- Whether personnel at your institution ship (or carry) controlled items, including listed pathogenic organisms and related materials, for use abroad.
- Whether your institution has significant international collaborations or accepts funding from non-U.S. entities.
Where should my university’s export control responsibilities be housed?
Each university is designed a little differently. Many house the responsibilities in the Office of Research, in either Research Compliance or Sponsored Programs. There are other possibilities, though, depending on how your university is staffed and organized, such as leaving the responsibility solely in the Office of General Counsel, although this is less common. As each institution is unique, it is best to assess the needs of your organization first and then select the best home for your program.
Where can I get help to better understand how my university should deal with export controls?
There is no single best source of information. Here are a few potential avenues to pursue:
- The annual Conference on the Impact of Export Controls on Higher Education and Scientific Institutions offers an opportunity to take in relevant and timely presentations, network with university experts, and benchmark with other institutions. This Conference is typically held in May or June of each year.
- The regulatory agencies publish regulations, enforcement information, guidance documents, and a variety of related materials online.
- For a price, you can find any number of capable attorneys, consultants, and software providers specializing in export compliance. AUECO, however, does not endorse specific businesses or individuals.
- You are welcome to send an inquiry to the AUECO Executive Board. One of the board members will gladly chat informally with you in general terms about the basic regulatory concepts, key risk areas, and potential ways to develop solutions.