Export Control Issues in Technology Services Outsourcing
It’s all too rare that I have the good fortune to stumble across legal articles that are both well written and extremely informative, and also a thoroughly entertaining read. The article written by John W. Brooks and Lenin Lopez from the AmLaw 200 firm, Luce, Forward, Hamilton & Scripps LLP, clearly ticks all of these boxes. I would like to thank John W. Brooks for granting me permission to use the article in my blog.
I have spoken many times about the importance for law firms and corporations in ensuring full compliance with the Export Control Laws and Export Administration Regulations, when engaging in the outsourcing of potentially sensitive technological information. The issue will be revisited once again at the upcoming IAOP Legal Outsourcing Chapter webinar on July 16. Please contact me directly if you are interested in attending the webinar. In the interim, enjoy the below article:
Export Control Issues in Technology Services Outsourcing
By: John W. Brooks and Lenin Lopez
Technology services outsourcing (TSO) has accelerated to tsunami strength in the last ten years, particularly to foreign destinations (India being one of the most popular), and the desired rewards of low labor costs, round-the-clock workforces, and quality work are being enjoyed by many companies in many countries. But for those companies choosing to outsource from the United States, there are some important (but not very well known) legal issues surrounding these everyday TSO practices. The following fictionalized story illustrates some of these issues.
A San Diego-based U.S. Company (SDCo) has designed an experimental “widget” and asks Bangalore Software Pte. Ltd., a Bangalore-based Indian company (BSPL), to write a program to control the manufacture of the first run of production widgets. SDCo sends BSPL an email with some specifications to help BSPL better understand the widget technology.
BSPL does as asked and in due time sends the requested software code back to SDCo. SDCo reviews it and is about to reply with some technical comments/additional requests to BSPL when it receives a short email from BSPL. The email says it just so happens the guy who wrote the code (Senior Programmer Gupta) will be coming to San Diego with his family the following week on vacation, and if SDCo has any questions about the work product SDCo should let BSPL know, and BSPL will ask Mr. Gupta to drop by SDCo’s offices to talk things over with its Chief Information Officer (CIO).
SDCo thinks that talking about possible program changes with Mr. Gupta in San Diego might be more efficient than sending written comments to Bangalore, India, but that night at dinner the CIO’s daughter (who’s studying international relations at a local school) suggests this might present a problem, and maybe Dad should call his lawyer first. For quick credit, what did SDCo’s lawyer say? Don’t peek below, but I can tell you the words in bold italics are key to understanding these complicated issues.
So, at his daughter’s urging, Dad pays a visit to SDCo’s lawyer (a Ms. Justice) and describes both the outsourcing relationship and Mr. Gupta’s upcoming visit. Ms. Justice understandably isn’t happy to be brought into the problem so late in the game, and asks the CIO if he has looked into the U.S. Export Control Laws and the Export Administration Regulations (EAR). He says he hasn’t. Much to his surprise, she tells him that SDCo’s outsourcing relationship with BSPL might involve an unlawful export of controlled materials to India. She calmly tells him that all U.S. technology is subject to the EAR and might require an export license.
Ms. Justice leans forward in her chair and asks the CIO whether, at the very outset, SDCo had checked to see if BSPL and its principals, including Mr. Gupta, appears on the Entity List and the Denied Persons List maintained by the U.S. Department of Commerce (DOC). Doesn’t the CIO know that dealing with a prohibited entity or denied person has serious consequences for SDCo? Then she leans back and asks whether SDCo has classified the widgets and the technical information it sent to BSPL under the Commerce Control List (CCL). The DOC publishes the CCL, she says, to assist in determining if a commodity or information is controlled by the EAR. If the widget or any of the information sent by SDCo is classified under the CCL and subject to controls, then a license from the DOC may have been required to send the original email containing this information to India. She calmly explains the email itself constituted an export of the information to India. The CIO is becoming visibly depressed. Even if no license is required, Ms. Justice continues, the U.S. technology remains subject to the EAR even after it reaches BSPL’s hands, and SDCo should have taken steps to make sure that BSPL didn’t re-export the materials received from SDCo or use the materials in a prohibited activity.
After bringing the CIO a glass of water, Ms. Justice asks whether the software Mr. Gupta had written was a derivative of the materials sent by SDCo or whether it was written by Mr. Gupta from scratch, explaining that derivatives of the materials sent by a U.S. company remain U.S. technology and therefore subject to control by the EAR from the moment of creation. So, she explains, if BSPL had sent the materials, for instance, to its affiliate in Pakistan for quality assurance purposes, that act could have constituted a re-export of SDCo’s materials and could involve a separate violation of the EAR. In any case, even if the program was written by Mr. Gupta from scratch and didn’t result from U.S. technology, it becomes U.S. technology and subject to the EAR as soon as SDCo receives it back from BSPL. The CIO begins to look faint.
Ms. Justice sighs, but nevertheless plows ahead asking if SDCo had classified the program it received from BSPL, pointing out that if the program itself is controlled by the EAR, a license from the DOC may be required before it is sent back to India for debugging. The CIO says SDCo hadn’t done that, but couldn’t he just ask Mr. Gupta to review the program in San Diego, eliminating the need to send it back to India. The ever-patient Ms. Justice explains a disclosure to Gupta of the software written by Gupta, much less SDCo’s technical comments on the software, even while Gupta was visiting in San Diego, would be a deemed export to India because India is Gupta’s country of citizenship, and therefore would require the same analysis as if the software or the comments were physically sent to India.
The CIO stands up shakily, thanks Ms. Justice, and drives back to his office. He calls BSPL to cancel not only his meeting with Mr. Gupta, but all further development work as well, until SDCo figures out (with Ms. Justice’s assistance) how many violations of the U.S. Export Control Laws had taken place and how to correct them. At dinner that night, he also thanks his daughter.
Don’t let this fictionalized scenario become your real problem. U.S. Export Control Laws are far-reaching and complicated, and violations carry heavy penalties, including fines, jail time for executives, and loss of export privileges. A thorough review of Export Control Law compliance needs to be a core part of an upfront analysis of any proposed TSO relationship, no matter how appealing the rewards may otherwise seem.
© John W. Brooks and Lenin Lopez. 2008. All rights reserved.
For more information on compliance with the U.S. Export Control Laws, please contact John W. Brooks, Senior International Counsel (619.699.2410 or jwbrooks@luce.com) or Lenin Lopez, Associate (619.533.7375 or llopez@luce.com)
I have spoken many times about the importance for law firms and corporations in ensuring full compliance with the Export Control Laws and Export Administration Regulations, when engaging in the outsourcing of potentially sensitive technological information. The issue will be revisited once again at the upcoming IAOP Legal Outsourcing Chapter webinar on July 16. Please contact me directly if you are interested in attending the webinar. In the interim, enjoy the below article:
Export Control Issues in Technology Services Outsourcing
By: John W. Brooks and Lenin Lopez
Technology services outsourcing (TSO) has accelerated to tsunami strength in the last ten years, particularly to foreign destinations (India being one of the most popular), and the desired rewards of low labor costs, round-the-clock workforces, and quality work are being enjoyed by many companies in many countries. But for those companies choosing to outsource from the United States, there are some important (but not very well known) legal issues surrounding these everyday TSO practices. The following fictionalized story illustrates some of these issues.
A San Diego-based U.S. Company (SDCo) has designed an experimental “widget” and asks Bangalore Software Pte. Ltd., a Bangalore-based Indian company (BSPL), to write a program to control the manufacture of the first run of production widgets. SDCo sends BSPL an email with some specifications to help BSPL better understand the widget technology.
BSPL does as asked and in due time sends the requested software code back to SDCo. SDCo reviews it and is about to reply with some technical comments/additional requests to BSPL when it receives a short email from BSPL. The email says it just so happens the guy who wrote the code (Senior Programmer Gupta) will be coming to San Diego with his family the following week on vacation, and if SDCo has any questions about the work product SDCo should let BSPL know, and BSPL will ask Mr. Gupta to drop by SDCo’s offices to talk things over with its Chief Information Officer (CIO).
SDCo thinks that talking about possible program changes with Mr. Gupta in San Diego might be more efficient than sending written comments to Bangalore, India, but that night at dinner the CIO’s daughter (who’s studying international relations at a local school) suggests this might present a problem, and maybe Dad should call his lawyer first. For quick credit, what did SDCo’s lawyer say? Don’t peek below, but I can tell you the words in bold italics are key to understanding these complicated issues.
So, at his daughter’s urging, Dad pays a visit to SDCo’s lawyer (a Ms. Justice) and describes both the outsourcing relationship and Mr. Gupta’s upcoming visit. Ms. Justice understandably isn’t happy to be brought into the problem so late in the game, and asks the CIO if he has looked into the U.S. Export Control Laws and the Export Administration Regulations (EAR). He says he hasn’t. Much to his surprise, she tells him that SDCo’s outsourcing relationship with BSPL might involve an unlawful export of controlled materials to India. She calmly tells him that all U.S. technology is subject to the EAR and might require an export license.
Ms. Justice leans forward in her chair and asks the CIO whether, at the very outset, SDCo had checked to see if BSPL and its principals, including Mr. Gupta, appears on the Entity List and the Denied Persons List maintained by the U.S. Department of Commerce (DOC). Doesn’t the CIO know that dealing with a prohibited entity or denied person has serious consequences for SDCo? Then she leans back and asks whether SDCo has classified the widgets and the technical information it sent to BSPL under the Commerce Control List (CCL). The DOC publishes the CCL, she says, to assist in determining if a commodity or information is controlled by the EAR. If the widget or any of the information sent by SDCo is classified under the CCL and subject to controls, then a license from the DOC may have been required to send the original email containing this information to India. She calmly explains the email itself constituted an export of the information to India. The CIO is becoming visibly depressed. Even if no license is required, Ms. Justice continues, the U.S. technology remains subject to the EAR even after it reaches BSPL’s hands, and SDCo should have taken steps to make sure that BSPL didn’t re-export the materials received from SDCo or use the materials in a prohibited activity.
After bringing the CIO a glass of water, Ms. Justice asks whether the software Mr. Gupta had written was a derivative of the materials sent by SDCo or whether it was written by Mr. Gupta from scratch, explaining that derivatives of the materials sent by a U.S. company remain U.S. technology and therefore subject to control by the EAR from the moment of creation. So, she explains, if BSPL had sent the materials, for instance, to its affiliate in Pakistan for quality assurance purposes, that act could have constituted a re-export of SDCo’s materials and could involve a separate violation of the EAR. In any case, even if the program was written by Mr. Gupta from scratch and didn’t result from U.S. technology, it becomes U.S. technology and subject to the EAR as soon as SDCo receives it back from BSPL. The CIO begins to look faint.
Ms. Justice sighs, but nevertheless plows ahead asking if SDCo had classified the program it received from BSPL, pointing out that if the program itself is controlled by the EAR, a license from the DOC may be required before it is sent back to India for debugging. The CIO says SDCo hadn’t done that, but couldn’t he just ask Mr. Gupta to review the program in San Diego, eliminating the need to send it back to India. The ever-patient Ms. Justice explains a disclosure to Gupta of the software written by Gupta, much less SDCo’s technical comments on the software, even while Gupta was visiting in San Diego, would be a deemed export to India because India is Gupta’s country of citizenship, and therefore would require the same analysis as if the software or the comments were physically sent to India.
The CIO stands up shakily, thanks Ms. Justice, and drives back to his office. He calls BSPL to cancel not only his meeting with Mr. Gupta, but all further development work as well, until SDCo figures out (with Ms. Justice’s assistance) how many violations of the U.S. Export Control Laws had taken place and how to correct them. At dinner that night, he also thanks his daughter.
Don’t let this fictionalized scenario become your real problem. U.S. Export Control Laws are far-reaching and complicated, and violations carry heavy penalties, including fines, jail time for executives, and loss of export privileges. A thorough review of Export Control Law compliance needs to be a core part of an upfront analysis of any proposed TSO relationship, no matter how appealing the rewards may otherwise seem.
© John W. Brooks and Lenin Lopez. 2008. All rights reserved.
For more information on compliance with the U.S. Export Control Laws, please contact John W. Brooks, Senior International Counsel (619.699.2410 or jwbrooks@luce.com) or Lenin Lopez, Associate (619.533.7375 or llopez@luce.com)
posted by Mark Ross at
3:22 PM
Subscribe RSS feed
1 Comments:
Whew! Thank you for posting the article.
Mohan Joseph
Post a Comment
Subscribe to Post Comments [Atom]
<< Home