The Department of Commerce's
Bureau of Export Administration
(BXA), also called Bureau of
Industry and Security (BIS), has implemented changes to
U.S. export licensing
requirements for software under
the Export Administration
Regulations (EAR). The export
controls on software are
integrated into the Commerce
Control List (CCL) along with
those for hardware and
technology. The effect has been
to relax requirements, which has
benefited international software
distribution, particularly for
mass-marketed software.
The
term "embargoed destinations"
means Cuba, Iraq, Libya, North
Korea, Yugoslavia (i.e., Serbia
and Montenegro) and certain
parts of Croatia and
Bosnia-Herzegovina.
Other Applicable Regulations
Not all software export
licensing requirements are in
the CCL. In addition to the CCL
classifications, you must also
consider the effects of several
other sets of regulations. The
International Traffic in Arms
Regulations (ITAR) also contain
software export licensing
requirements. ITAR controls
exports of software related to
items specially designed for
military use on the United
States Munitions List (USML).
ITAR controls software which
includes but is not limited to
the system functional design,
logic flow, algorithms,
application programs, operating
systems and support software for
design, implementation, test,
operation, diagnosis, and repair
of equipment controlled by the
USML. In addition, USML Category
XIII specifically controls
cryptographic software for
encoding and decoding.
Except for Canada, in most
cases, exports of software
controlled by ITAR require a
validated export license issued
by the State Department's Office
of Defense Trade Controls (DTC).
With respect to Canada, most
software for unclassified
defense items is excluded from
the validated license
requirement. Companies that
export software controlled on
the USML must also register with
DTC.
ITAR controls on encryption
features are often encountered
in software export transactions
and are described below.
The Treasury Department's Office
of Foreign Assets Control (OFAC)
imposes a substantially complete
export embargo on Cuba, Iraq,
Libya, North Korea and
Yugoslavia. The EAR does not
reflect the embargo on Iraq and
Yugoslavia. Generally speaking,
all software exports to Iraq and
Yugoslavia and other OFAC-embargoed
countries must be licensed or
authorized by OFAC. There is a
presumption of denial for such
license applications except for
certain humanitarian exports.
EAR Licenses For Software
The CCL treats software as
software, not as technical data
or hardware. In all sections of
the EAR except the CCL, the term
technical data includes software
unless otherwise specified.
All software is controlled by
the EAR; what varies is the
type of export license
needed. A separate export
license is needed for the media
on which software is delivered
such as a diskette or CD-ROM.
Only the export license for
software is needed in the case
of internet or other
electronic/network delivery.
EAR Part 779 defines the
export licenses available for
software: General License GTDA,
General License GTDU, General
License GTDR and the validated
export license. In addition,
Part 771 defines two additional
general licenses: GLX and GNSG.
General License G-DEST is almost
always available for the export
of the media. These general
licenses are critical to
international software
distribution since they
authorize exports and reexports
by meeting regulatory conditions
instead of obtaining specific
written authorization.
General License GTDA
General License GTDA,
Technical Data Available to All
Destinations, primarily
authorizes exports of software
generally available to the
public or public domain software
to all countries. This license
is limited to software that is
available to the public at a
price that does not exceed the
cost of reproduction and
distribution (i.e.,
"shareware"). It does not
authorize exports of most
commercial software, including
mass-marketed software available
in retail stores.
General License GTDU
The term "General License
GTDU" is an abbreviation for
General License GTDR without a
written assurance. General
License GTDU, generally,
authorizes exports to all
destinations except the
embargoed destinations. A
substantial number of categories
of software are eligible for
this general license and are
described below under
Mass-Marketed Software,
Operating Systems and
Maintenance Deliverables. In
addition, GTDU is the "bucket"
export license. Software not
requiring any other type of
export license is eligible for
export under GTDU.
General License GTDR
General License GTDR
authorizes exports of eligible
software to the free world
countries. A validated license
is required to export GTDR
eligible software to all other
countries except for Canada
which requires no export
license. GTDR authorization is
contingent upon the exporter
obtaining a written assurance
from the recipient of the
software prior to exporting the
software that the recipient will
not reexport the software or any
direct product of the software
to the former Soviet Union,
certain former East Bloc
nations, the PRC, or Country
Groups S (Libya) and Z (Cuba and
North Korea). The assurance may
be contained in a stand-alone
letter, as part of a larger
commercial agreement, or in any
other written form. The exporter
may accept either a fax or an
original signed copy. Oral
assurance is not acceptable.
When the assurance is part of an
agreement, that provision must
survive the expiration or
termination of the agreement.
General License GLX
General License GLX relaxes
U.S. export controls toward the
former Warsaw Pact countries.
GLX authorizes exports to the
PRC and Country Groups Q, W, and
Y (Albania, Armenia, Azerbaijan,
Belarus, Bulgaria, Cambodia,
Estonia, Georgia, Kazakhstan,
Kyrgyzstan, Laos, Latvia,
Lithuania, Moldova, Mongolia,
Romania, Russia, Tajikistan,
Turkmenistan, Ukraine,
Uzbekistan and Vietnam). GLX may
not be used for any export
destined to a military end-use
or end-user. GLX authorizes
exports of a subset of the
software eligible under GTDR,
but there is no written
assurance requirement for GLX.
General License GNSG
General License GNSG
authorizes the export of certain
software controlled for nuclear
nonproliferation purposes to the
26 members of the Nuclear
Suppliers Group ("NSG")
multilateral export control
regime (Australia, Austria,
Belgium, Bulgaria, Czech
Republic, Denmark, Finland,
France, Germany, Greece,
Hungary, Ireland, Italy, Japan,
Luxembourg, the Netherlands,
Norway, Poland, Portugal,
Romania, Russia, Slovak
Republic, Spain, Sweden,
Switzerland, and the United
Kingdom). Canada is also a
member of the NSG but GNSG is
not required for Canada because
GNSG-eligible software does not
require any export license for
Canada.
Validated License
A validated export license is
used when there are no general
licenses available for a
specific transaction. The
exporter must submit an
application requesting specific
BXA approval. If approved, the
BXA will issue a written license
authorizing the specific
transaction described in the
application. In certain cases,
BXA may attach conditions to the
approved license. For example,
an approved validated license to
export software to Pakistan may
specify "not to be used by/for
nuclear end-users/uses."
Form BXA-622P must be
submitted to the BXA's Office of
Export Licensing. The license
application should describe the
proposed export transaction in
sufficient detail to allow the
official reviewing the
application to fully understand
the technical capabilities of
the software and the nature of
the end-use and end-user of the
software. Depending on the
capabilities of the software and
the sensitivity of the proposed
country of destination, BXA may
approve exports to a distributor
who will distribute the software
within an identified sales
territory to unidentified
end-users.
Normal processing time for
validated license application
approval is three weeks to four
months. The actual processing
time depends on the sensitivity
of the destination and products
proposed in the application. In
some instances, an application
may be reviewed by several
different government agencies.
For example, an application for
the export of software
controlled under ECCN 6D22B to
France could be routinely
approved within three weeks with
only BXA reviewing the
application. On the other hand,
an application to export the
same software to the PRC or
Pakistan could take four months
to be approved or denied. An
application to export such
software to the PRC or Pakistan
would likely be reviewed by the
Departments of Commerce, State,
and Defense, the Arms Control
and Disarmament Agency and the
intelligence community.
End-Use Prohibitions
The Iraqi war heightened
concern about the threat of
proliferation of missiles and
nuclear, chemical and biological
weapons. The revelation that
U.S. companies had sold products
to missile and nuclear, chemical
and biological weapons related
end-users in Iraq, Libya and
other volatile countries before
the war pointed out a need for
stricter export controls to
prevent the proliferation of
weapons of mass destruction and
the missiles to deliver them.
The U.S. imposed end-use export
controls based on a
fundamentally different approach
than the traditional CCL
approach.
Under the traditional
approach, determining the
licensing requirements for a
given product means comparing
the performance specifications
and functions of the product to
the CCL. Once the ECCN is
determined, the exporter
determines whether the product
is eligible for a general
license or requires a validated
license for any specific
country. End-use controls, on
the other hand, operate on the
principle that any product
exported for use in a prohibited
end-use requires a validated
license without regard to the
ECCN.
Under the EAR, no software
may be exported (except under
GTDA) when the exporter knows it
will be directly used in any
activities related to the
development or production of
nuclear weapons,
chemical/biological weapons or
missiles in a long list of
countries in Asia, Africa, South
America, and the Middle East.
Thus, even if an exporter
determines that its software is
eligible for export under GTDU,
GTDR, GLX or GNSG, it may not
export that software if it knows
the software will be used in a
heavy water plant in India or a
missile development project in
Iran. This prohibition does not
cover application software for
the administrative activities of
such a facility, such as word
processing or accounting
software packages.
Because this new focus is
based on the customer rather
than the product to be exported,
the exporter must have the
honest cooperation of sales and
marketing personnel who have the
most direct contacts with
potential customers. These
end-use/end-user restrictions
require procedures that ensure
that, if something suspicious
arises during a transaction,
responsible people will make
reasonable efforts to get to the
bottom of the problem. If a
potential customer is involved
in nuclear, chemical or
biological weapons or missile
related activities, no exports
should be made to that customer.
Lists Of Prohibited Customers
Another shift in the focus of
U.S. export controls is the
Treasury Department's list of
Specially Designated Nationals (SDNs)
of embargoed countries. This
list includes thousands of
companies and individuals
throughout the world (including
the U.S. and Western Europe)
that OFAC has defined to be
agents of the governments of
Cuba, Iraq, Libya, North Korea
or Yugoslavia. U.S. companies
are strictly prohibited from
participating in any transaction
involving any of these entities
regardless of the product
involved.
BXA also publishes its own
list of prohibited companies and
individuals known as the Table
of Denial Orders (TDO). U.S.
exporters are strictly
prohibited from participating in
exports of any items involving
any entity on the TDO. TDO
parties are located throughout
the world, including in the
United States and Europe.
An exporter should implement
a procedure for screening its
existing customer lists and all
new customers against the SDN
and TDO. Once a screening
procedure is implemented, an
exporter must keep these lists
current.
The Structure Of The EAR Software Controls
One of the first actions is
to determine the Export Control
Classification Numbers ("ECCN")
in the CCL that describe the
software.
Instead of reading the entire
CCL to determine the ECCN for a
particular software package, you
can focus your search by becoming
familiar with two basic concepts
related to the structure of the
CCL. The CCL is divided into 10
general categories numbered from
1 to 0 as follows:
1 - Materials
2 - Materials Processing
3 - Electronics
4 - Computers
5 - Telecommunications and Cryptography
6 - Sensors
7 - Avionics and Navigation
8 - Marine Technology
9 - Propulsion Systems and Transportation Equipment
0 - Miscellaneous
Each of these 10 general
categories is divided into five
groups of products, identified
by the letters A through E as
follows:
A - Equipment, Assemblies, and Components
B - Production and Test Equipment
C - Materials
D - Software
E - Technology
The first character of an
ECCN identifies in which of the
general categories the ECCN
falls. Any ECCN that begins with
"4" is in general category 4 -
Computers. The second character
identifies in which of the
groups within the general
category the ECCN falls. All
ECCNs which control software
have the letter "D" as their
second character.
More than one ECCN in the CCL
can describe a particular
software package. When that
happens, the export licensing
requirements are determined by
the most restrictive ECCN. For
example, assume that an
operating system is described by
both ECCN 4D96G and ECCN 5D03A.
Since ECCN 5D03A imposes the
more restrictive licensing
requirements, the operating
system would be subject to those
requirements.
Determining General License Eligibility
Once you identify the ECCN
for a software package, you
determine whether the software
is eligible for export under
GTDU, GTDR or GNSG by looking at
the GTDU, GTDR and GNSG
paragraphs in each ECCN.
When the ECCN states "GTDU:
Yes," the software controlled by
that ECCN is eligible for export
under GTDU to all countries
except the embargoed
destinations. In certain ECCNs,
the GTDU paragraph may exclude
additional countries or certain
types of software from
eligibility under GTDR without a
written assurance.
When the ECCN states "GTDR:
Yes," the software controlled by
that ECCN is eligible for export
under GTDR to all countries in
Country Groups T and V,
excluding the PRC, Iran, Iraq,
Syria and Yugoslavia. In certain
ECCNs, the GTDR paragraph may
exclude additional countries or
certain types of software from
eligibility under GTDR.
When the ECCN states "GNSG:
Yes," the software controlled by
that ECCN is eligible for export
under GNSG to Australia,
Austria, Belgium, Bulgaria,
Czech Republic, Denmark,
Finland, France, Germany,
Greece, Hungary, Ireland, Italy,
Japan, Luxembourg, the
Netherlands, Norway, Poland,
Portugal, Romania, Russia,
Slovak Republic, Spain, Sweden,
Switzerland, and the United
Kingdom.
Many types of software will
fall into one of the GTDU bucket
ECCNs, like ECCN 4D96G, since they
will not be covered by any other
specific ECCN. ECCN 4D96G
controls "[o]ther software
specially designed or modified
for the development, production
or use of computer equipment or
materials, n.e.s." "N.E.S."
means "not elsewhere specified."
ECCN 4D96G controls all software
that is not specifically
controlled in any other software
ECCN in CCL Category 4. Every
category in the CCL except
Category 0 has an xD96G that
controls software "not elsewhere
specified" within that category.
Software classified under an
xD96G bucket is eligible for
export under GTDU.
There are no GLX eligibility
paragraphs in any ECCNs. While
GLX eligibility is based on the
ECCN for the software in
question, the EAR and CCL use a
different approach to defining
eligibility. Software is
eligible for export under GLX if
it satisfies either one of these
criteria:
- It is controlled by an ECCN
listed in Supplement No. 1 to
Part 771; or
- It is described by
an Advisory Note in the CCL that
indicates likelihood of approval
for (i) Country Groups QWY and
the PRC, (ii) the PRC, or (iii)
specified destinations in
Country Group Y.
Those Advisory Notes that
apply only to Country Groups Q
or W may not be used to
determine GLX eligibility. GLX
is also not available for items
that the ECCN "Reason for
Control" paragraph identifies as
being controlled for missile
technology, nuclear
nonproliferation or foreign
policy reasons to the recipient
country.
Even when software is in an
ECCN that does not authorize
exports under GTDR, GNSG or GTDU,
the software may be eligible for
export under GTDU based on
several definitional
authorizations for mass-marketed
software, operation software and
software bug fixes.
Mass-Marketed Software - The General Software Note
The General Software Note ("GSN")
in the EAR is an important
element of the CCL. The GSN
authorizes exports under GTDU of
mass-marketed software sold
through retail sources that is
generally available to the
public to all countries, except
Iran, Syria and the embargoed
destinations. The GSN should not
be confused with the
longstanding and unchanged
General License GTDA for
software that is publicly
available.
The GSN is not based on the
functionalities or performance
specifications of the software
except that it does not apply to
software under the jurisdiction
of another set of regulations
such as ITAR. To determine if
software is generally available
to the public, you only need to
know how the software is sold or
licensed. The first GSN criterion
is that the software must be
sold without restriction from
stock from retail sources such
as stores, phone order or mail
order. Requiring a customer to
sign a license agreement prior
to delivering the software is
not a restriction that
eliminates GSN eligibility.
Software that is sold only with
bundled hardware is restricted
and is not eligible under the
GSN. Software that is sold both
with bundled hardware and
without bundled hardware is
eligible under the GSN.
The second GSN criterion is
that the software must be
designed for installation by the
user without substantial support
from the supplier. Most software
distributed through retail
sources satisfies this criterion.
Software that is designed for
user installation satisfies this
criterion even if the user may
call for assistance during
installation.
The GSN applies to all
software under the jurisdiction
of the EAR and overrules the
licensing requirements described
in an ECCN. Any software on the
CCL is eligible for export under
GTDU if it satisfies the
requirements of the GSN, even
software in an ECCN that
requires a validated license for
all destinations. For example,
anti-virus software is
controlled under ECCN 5D13A,
which states "GTDR: Yes" and "GTDU:
No." If the anti-virus software
satisfies the requirements of
the GSN, however, it is eligible
for export under GTDU to all
countries except Iran, Syria and
the embargoed countries.
The export controls for a
software product which is a
combination of software packages
are determined by how the finished
unit is sold. The finished unit
itself must satisfy the GSN
criteria in order to qualify as
a mass-market software package.
The GSN does not apply to
software with encryption
capability controlled by ITAR.
When determining whether
software is eligible for export
under the GSN, you must confirm
that the software does not have
encryption capability that would
put it under ITAR jurisdiction.
Operating Systems
Exporters should consider
three approaches when
determining the requirements for
an operating system. First, the
"Operation Technical
Data/Operation Software"
provisions in EAR Section
779.4(b)(1) authorize most
exports of operating systems in
object code when destined for
use on computers known to be
legally exported or reexported
(under either a validated or
general license). Second, when
an operating system is being
exported in source code or for
use on unknown computers, the
exporter must identify the ECCN
for the operating system to
determine the licensing
requirements. Finally, a
mass-marketed operating system
that satisfies the GSN criteria
is eligible for export under
GTDU regardless of the ECCN that
controls it or its eligibility
under the "Operation Technical
Data/Operation Software"
authorization.
The "Operation Technical
Data/Operation Software"
authorization permits exports of
operating system software under
GTDU provided that:
- It is the minimum
necessary to operate a
computer that has been or
will be legally exported or
reexported; and
- It is in object code.
When both of these conditions
are met, an operating system may
be exported under GTDU to all
countries even if it is
controlled under an ECCN (e.g.,
4D01A or 4D03A) that states "GTDU:
No."
When operating systems are
being exported for general
distribution to unknown
end-users and the exporter does
not know that they will be used
on computers legally exported or
reexported, the exporter must
identify the ECCN for the
operating system to determine
the export licensing
requirements. Similarly, when an
operating system will be
exported in source code, its
licensing requirements will be
determined by its ECCN. ECCNs
4D01A, 4D93F and 4D03A are the
primary ECCNs that control
operating systems and are
described in more detail below.
Real-Time Operating Systems
ECCN 4D03A controls operating
systems specially designed for
real-time processing equipment
which guarantees a "global
interrupt latency time" of less
than 20 microseconds. Such
real-time operating systems are
eligible for GTDR with written
assurance. Based on the
definition of "global interrupt
latency time" and the
requirement that the operating
system must guarantee 20
microseconds or less, as a
practical matter, few real-time
operating systems may be
controlled under ECCN 4D03A.
"Global interrupt latency time"
does not necessarily mean the
same thing as the term "latency
time" that certain companies may
use. Furthermore, while certain
operating systems may have a
global interrupt latency time of
less than 20 microseconds, in
certain instances, the time for
lower priority interrupts may
exceed 20 microseconds so that
the time is not guaranteed. A
real-time operating system with
global interrupt latency times
that are greater than and less
than 20 microseconds does not
guarantee less than 20
microseconds. Real-time
operating systems that do not
guarantee less than 20
microseconds are eligible for
export under GTDU unless they
are controlled for other reasons
by an ECCN (e.g., 4D01A) that
requires GTDR.
ECCN 4D93F controls operating
systems for real-time processing
equipment that guarantees a
"global interrupt latency time"
of less than 30 microseconds and
greater than or equal to 20
microseconds. The same rules of
interpretation apply to ECCN
4D93F as described above for
ECCN 4D03A. Software controlled
by ECCN 4D93F requires a
validated export license for
Iran, Syria and the embargoed
countries (unless another GTDU
authorization is available) and
is eligible for GTDU for all
other countries.
Other Operating Systems
ECCN 4D01A controls software
"specially designed" for the use
of controlled computers (e.g.,
computers with a Composite
Theoretical Performance (CTP)
greater than 260 million
theoretical operations per
second). An operating system is
not "specially designed" for use
on a controlled computer if it
will operate on both controlled
and uncontrolled computers. For
example, since most UNIX
operating systems will operate
on both uncontrolled computers
(i.e., CTP less than 260) and
controlled computers (i.e., CTP
greater than 260), such UNIX
operating systems are not
controlled by ECCN 4D01A and may
be exported under GTDU. On the
other hand, an operating system
specially designed for use on a
supercomputer (i.e., CTP of 1500
or more) likely would not be
designed for use on a computer
with a CTP of less than 260.
Thus, such an operating system
would be controlled under ECCN
4D01A and is eligible for export
under GTDR.
ECCN 4D03A controls operating
system software exported in
source code form for
multi-data-stream processing
(e.g., parallel processing)
computers. When an operating
system for multi-data-stream
processing computers is exported
in object code, it is not
controlled by ECCN 4D03A and
would be eligible for export
under GTDU unless it is
controlled by ECCN 4D01A. Thus,
the ECCN for an operating system
for a supercomputer that
utilizes multi-data-stream
processing depends on whether it
is exported in source or object
code form. In object code, it
would be controlled under ECCN
4D01A. In source code, the
supercomputer operating system
would be controlled under ECCN
4D03A.
In determining the ECCN for
an operating system, exporters
must also determine whether it
performs any telecommunications
functions (e.g., dynamic
adaptive routing) that are
controlled under a 5Dxxx ECCN
such as 5D03A. Finally, the
exporter must also determine
whether the operating system
performs any data encryption
functions that would cause it to
be controlled under the ITAR or
ECCN 5D13A.
Operating systems controlled
by ECCNs 4D01A or 4D03A are
eligible for export under
General License GTDR. Operating
systems controlled by ECCNs
5D03A or 5D13A are eligible for
export under GTDR and GLX.
Software not controlled by ECCNs
4D01A, 4D03A, 5D03A, or 5D13A
is usually classified under
bucket category ECCN 4D96G and
is eligible for export under
GTDU.
Other Software
Over the past several years,
the U.S. government has relaxed
the licensing requirements for
certain types of software. Many
types of software formerly
requiring a written assurance or
a validated license are now
eligible for export under GTDU.
IC CAD Software
The export licensing
requirements for software for
the computer aided design of
integrated circuits have been
significantly relaxed. ECCN
3D03A controls computer aided
design software for integrated
circuits only if it provides any
of the following: (1) design or
circuit verification rules, or
(2) simulation of the physically
laid out circuit, or (3)
lithographic processing
simulators for design.
Software controlled by ECCN
3D03A is eligible for export
under GTDR to free world
countries, excluding Iran and
Syria, and requires a validated
license for all other countries
(except Canada for which no
license is required). IC CAD
software not controlled by ECCN
3D03A is usually classified
under ECCN 3D96G and is eligible
for export under GTDU.
Printed Circuit Board CAD Software
Software for the computer
aided design of printed circuit
boards is now usually classified
under ECCN 3D96G and is eligible
for export under GTDU.
Other CAD Software
The CCL contains many entries
that control software specially
designed for the computer aided
design of equipment that is
specifically controlled in the
CCL. Generally speaking, each
category in the CCL has one or
more software ECCNs that control
software specially designed for
the computer aided design of
equipment and other items
controlled under the same
category. In most cases, such
software is eligible for export
under GTDR.
For example, ECCN 6D01A
controls software specially
designed for the computer aided
design of optics controlled
under ECCN 6A04A, lasers
controlled under ECCN 6A05A,
radar controlled under ECCN
6A08A, and measurement systems
controlled under ECCN 6B08A. The
term "specially designed" limits
the scope of the control on CAD
software imposed by an ECCN such
as 6D01A. For example, ECCN
6D01A would not control general
purpose optics CAD software that
could be used to design optics
both controlled and decontrolled
under 6A04A. The intent is to
control software which has
specific characteristics or
functions that provide a unique
capability to design optics
controlled under 6A04A.
Other Software That Formerly Required A Written Assurance Or Validated License
Many of the types of software
that formerly required a written
assurance or a validated license
have been decontrolled to GTDU
status. ECCN 4D03A, however,
continues to require a written
assurance or, for countries not
eligible under GTDR, a validated
export license for these types
of software:
- Operating system
software, software
development tools, and
compilers specially designed
for multidata stream
processing equipment, in
source code;
- Expert systems or
software for expert systems
inference engines providing
both:
2.1 Time dependent rules;
and
2.2 Primitives to handle
the time characteristics of
the rules and the facts.
Certain types of software
have been decontrolled to the
GTDU level for most countries
but continue to require a
validated license for Iran,
Syria and the embargoed
countries. These types of
software include:
- Program proof and
validation software; and
- Software for the
automatic generation of
source code from external
sensors.
LAN, WAN & Telecommunications Software
Over the past several years
there have been important
relaxations in the controls on
LAN/WAN software. The primary
ECCNs for controlled
telecommunications software are
ECCNs 5D01A, 5D02A, and 5D03A.
Generally speaking, ECCN 5D03A
is the most important because
it covers a larger portion of
software that is actually
exported. 5D03A controls
software that performs advanced
routing functions such as
datagram, fast select, dynamic
adaptive routing and software
for extremely high speed data
transmission. The export
controls on LAN, WAN, and
telecommunications software are
rarely a problem because
software controlled by ECCNs
4D01A, 4D02A and 5D03A is eligible
for export under GTDR and GLX.
Such software requires a
validated license only for Iran,
Syria and the embargoed
countries.
Data encryption is another
important consideration for both
LAN and WAN software. A wide
range of LAN and WAN software
provides encryption capability
either to ensure the security of
data resident on a network or to
ensure the security of data
transmitted over a network.
Encryption capabilities may
subject the software to stricter
export licensing requirements
under either the EAR or ITAR. An
analysis of the export licensing
requirements for software with
encryption capability is
described below.
Storage Media
The media on which software
or a multimedia product is
exported is also subject to
export licensing requirements
separate from the requirements
for the software. Thus, for
example, when exporting software
on a floppy disk, an exporter
may use General License G-DEST
for all destinations except the
embargoed destinations, for the
export of the floppy disk, and
GTDA, GTDU, GTDR, GLX, GNSG or a
validated license for the
software.
Generally speaking, all
standard, commercial media
(e.g., floppy diskette, magnetic
tape, and CD-ROM) which contain
software are eligible for export
under G-DEST to all countries
except the embargoed
destinations.
Most ROMs are also eligible
for export under G-DEST to all
countries except the embargoed
destinations. EEPROMs with
either of these characteristics,
however, are classified under
ECCN 3A01A:
- 1. Exceeding 16 Mbit per
package for flash memory
types; or
- 2. Exceeding either of
the following limits for all
other EEPROM types:
2.1 4 Mbit per package; or
2.2 1 Mbit per package and
having a maximum access time
of less than 80 ns.
Such EEPROMs are eligible for
export to most free world
countries under General License
GFW (EAR Section 771.23) and
require a validated license for
non-GFW eligible countries.
EEPROMs not classified under
ECCN 3A01A generally are
eligible for export under G-DEST
to all countries except the
embargoed destinations.
Resales/Reexports
Both resale and reexport
controls are crucial in planning
international software
distribution strategy. The new
regulations impact favorably on
international distribution by
expanding the availability of
the permissive reexport
exception to obtaining specific
written U.S. authorization.
Where BXA relaxed the export
licensing requirements for
software, the reexport licensing
requirements were also relaxed.
Thus, for example, the
relaxation of licensing
requirements for exports of
mass-marketed software and IC
CAD software applies equally to
reexports.
Reexports of U.S. software
are subject to nearly the same
requirements as exports. The EAR
defines "reexport" as the
shipment of a product from one
foreign destination to another.
"Resale" covers the shipment of
a product from one party to
another in the same foreign
country. "Shipment" includes the
electronic transmission of
software. The overseas
distributor may resell (license)
software in its own country
without U.S. authorization
unless the software was exported
from the United States under a
validated license that expressly
prohibited resale or the resale
involved a denied party or a
prohibited proliferation
activity.
The controls on exports,
generally, apply equally to
reexports. For example, an
overseas distributor of U.S.
software eligible for export
under GTDR must obtain a written
assurance from its customers
prior to reexporting the
software. To reexport such
software to the former Soviet
Union, East Bloc, the PRC and
any other destinations not
eligible under GTDR, the
reexporter must obtain prior
written U.S. reexport
authorization. An overseas
distributor of software eligible
for export under GTDU may freely
reexport such software to all
GTDU eligible destinations.
The EAR also authorizes a
wide range of permissive
reexports of U.S. origin
software from former COCOM
member countries and certain
other countries to the former
Soviet Union, the PRC, Eastern
Europe, Laos, Vietnam and
Cambodia. All software
controlled in an ECCN identified
by the code letter "A" suffix
(excluding software subject to
crime controls described in
Section 776.14 of the EAR) is
eligible for this permissive
reexport provision. This new
provision authorizes reexports
from Australia, Belgium, Canada,
Denmark, France, Germany,
Greece, Italy, Japan,
Luxembourg, the Netherlands,
Norway, Portugal, Turkey, and
the United Kingdom, provided the
reexport is made in accordance
with the conditions of an export
authorization from the
government of the applicable
country.
Restrictions On Iran And Syria
Over the past several years,
BXA has tightened its controls
on exports of software to Iran
and Syria. The General Software
Note is not available. General
License GTDR may not be used for
exports of technology and
software to Iran and Syria. In
addition, there are many ECCNs
which authorize exports under
GTDU to all countries except
Iran, Syria and the embargoed
destinations. The GTDU paragraph
in such ECCNs normally reads "GTDU:
Yes, except Iran and Syria."
South Africa
BXA has eliminated the
requirement for a validated
license for all software (except
GTDA eligible software) destined
for the apartheid-enforcing
entities and military and police
in South Africa. The requirement
for the additional GTDR written
assurance against retransfer of
U.S. software to these entities
has also been eliminated.
Contractual Requirements
The only specific EAR
requirements for contractual
provisions for software
agreements are the written
assurances for GTDR. These are
required as a condition of being
eligible for the general
license. The EAR requires that
the GTDR written assurance
obligation survive the
termination or expiration of the
software agreement in order to
ensure compliance with the
direct product element of the
assurance.
For transactions which do not
involve GTDR, contractual
provisions in international
software agreements range from
the very terse to the extremely
wordy. At the terse end is a
provision that indicates that
both parties will comply with
all applicable laws including,
but not limited to, U.S. export
controls. At the wordy extreme,
there can be literally pages of
export control provisions. The
legal reason for having
additional language in an
agreement is to help demonstrate
that the exporter's duty of care
is being met, particularly since
end use is important in the
licensing determination. Such
language is not required but it
may support your legal position.
With mass market software
there is either no agreement of
any type or a shrinkwrap license
of some type. Also, more
software will be delivered by
Internet or other network in
which no formally signed
agreement is possible.
Generally speaking, when a
U.S. domestic party is
delivering software to another
U.S. domestic party, there is no
need for an export control
provision in the agreement, even
when it is known that the U.S.
recipient will be exporting the
software. The exception is that
the software may not be
delivered domestically if the
supplier knows or has reason to
know it will be illegally
exported.
Many foreign recipients of
U.S. technical data and software
are concerned about overbroad
and imprecise contractual export
restrictions proposed by U.S.
exporters, particularly the GTDR
written assurance that applies
to the reexport of the software
itself and the direct product of
the software. U.S. exporters
frequently require recipients to
sign the GTDR written assurance
rather than doing the analysis
necessary to determine whether
the software is eligible under
GTDU instead of GTDR. The
primary country concern of
recipients is the PRC, which is
a prohibited destination under
GTDR but eligible under GTDU.
Suggested Language For GTDU Agreements
For agreements involving
software exported under GTDU,
the following contractual
provision may be used:
"[Both parties] acknowledge
and agree that all
documentation and other
technical information and
software delivered hereunder
("Technical Data") are
subject to export controls
imposed by the U.S. Export
Administration Act of 1979,
as amended (the "Act"), and
the regulations promulgated
thereunder. [Recipient]
agrees not to export or
reexport, directly or
indirectly, any Technical
Data without complying with
the Act and the regulations
thereunder. [Recipient]
certifies that neither the
Technical Data nor its
direct product is intended
to be (a) shipped or
exported to certain parts of
Bosnia-Hercegovina, certain
parts of Croatia, Cuba,
Iraq, Libya, North Korea,
Yugoslavia (Serbia and
Montenegro) or to any other
embargoed country to which
the U.S. has prohibited
shipment, or (b) used for
any purposes prohibited by
the Act or regulations,
including without limitation
nuclear proliferation or
chemical/biological weapons
or missiles."
Suggested Language For GTDR Agreements
The following provision may
be used for agreements involving
software exported under GTDR:
"[Both parties] acknowledge
and agree that all
documentation and other
technical information and
software delivered hereunder
("Technical Data") are
subject to export controls
imposed by the U.S. Export
Administration Act of 1979,
as amended (the "Act"), and
the regulations promulgated
thereunder. [Recipient]
agrees not to export or
reexport, directly or
indirectly, any Technical
Data without complying with
the Act and the regulations
thereunder. [Recipient]
certifies that neither the
Technical Data nor its
direct product: (a) will be
used for any purposes
prohibited by the Act or
regulations, including
without limitation nuclear
proliferation or chemical/
biological weapons or
missiles; and (b) will be
shipped or exported either
directly or indirectly to
Albania, Armenia,
Azerbaijan, Belarus, certain
parts of Bosnia-Hercegovina*,
Bulgaria, Cambodia, certain
parts of Croatia*, Cuba,
Estonia, Georgia, Iraq*,
Iran*, Kazakhstan,
Kyrgyzstan, Laos, Latvia,
Libya, Lithuania, Moldova,
Mongolia, the People's
Republic of China, North
Korea, Romania, Russia,
Syria*, Tajikistan,
Turkmenistan, Ukraine,
Uzbekistan, Vietnam,
Yugoslavia* (Serbia and
Montenegro) or to any other
country to which the U.S.
has prohibited shipment."
The asterisked (*) countries
are not technically required
under GTDR but arise from other
requirements such as OFAC. They
are included in the list to be
certain the country restrictions
are effectively communicated to
the recipient.
Conclusion
The EAR imposes a complex set
of licensing requirements for
software exports based on the
performance capabilities of the
software, its destination and
other transaction-specific
facts. Many software packages
may be exported virtually
world-wide under GTDU. The
relatively strict export
licensing requirements for
software with encryption
capability, however, impose a
significant burden on the
growing range of commercial
software that contains security
features. This is unlikely to
change in the near future.
At the same time, the new focus on
prohibited end-uses and lists of
prohibited customers have added
a new layer of complexity to
compliance. Knowing your
products has always been a key
element of compliance with U.S.
export licensing requirements.
Knowing your customer now must
be an equally important element
of compliance procedures.
EXHIBIT A
THE GENERAL SOFTWARE NOTE
Supplement No. 2 to EAR 799.1
General Software Note:
General License GTDR, without
written assurance, is available
for release of software that is
generally available to the
public by being:
a. Sold from stock at retail
selling points without
restriction by means of:
- Over the counter
transactions;
- Mail order
transactions; or
- Telephone call
transactions; and
b. Designed for installation
by the user without further
substantial support by the
supplier.
General License GTDA is
available for software that is
publicly available.
The General Software Note does
not apply to exports of
"software" controlled by other
agencies of the U.S. Government
(see Section 770.10 of this
subchapter).
The phrase "without
restriction" clarifies that
software is not "generally
available to the public" if it
is to be sold only with bundled
hardware generally available to
the public. Software that is
both bundled with hardware and
"generally available to the
public" does qualify for General
License GTDR without a written
assurance.
|