A subject that receives little attention (academically or in practice) is the intersection of three distinct, yet often overlapping, compliance areas: (1) data privacy; (2) information security; and (3) export compliance.
For example, a global company that provides cloud services might host technical data that is potentially subject to U.S. export regulations. It is quite likely that this company has not given much thought to whether it is in compliance with U.S. export control laws, much less built a compliance program to assess and address potential risks. This is understandable, given that the term “export” is normally associated with the shipment of physical goods to foreign markets. Companies whose only “product” is intangible (in this case, providing IT infrastructure for the management of technical data) are unlikely to think of themselves as “exporters.”
This view, however, is shortsighted and potentially dangerous. In reality, the U.S. export control regime is so vast that it encompasses many transactions that, at first glance, would not appear to be “exports.” For instance, “release of controlled technical data” to a non-U.S. employee might, in and of itself, be considered an export violation.
For this reason, companies that handle large quantities of technical data must, at a minimum, be aware that they may be subject to U.S. export controls. Even if a company has implemented a sophisticated compliance program to protect personal information in accordance with U.S. and EU law, it may not have sufficiently addressed its potential exposure to U.S. export regulations.
To help companies address these challenges, we provide on-site “Export Compliance Workshops” and assist with the development and implementation of “Export Compliance Programs.”