Tax & Accounting Blog

Cloud and Compliance

Blog, Global Trade, ONESOURCE November 20, 2015

I would never pretend to know more than the average IT person; in fact, my knowledge is quite below average. As a beginner in the process of ‘cloud’, here is my attempt to impart some wisdom. The word cloud is used as a metaphor for the Internet. Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. In other words, it is a type of computing that relies on sharing computing resources rather than having local servers.

So – how does this work? What my research into this area revealed is that when using cloud services, the user is uploading data to whichever of the cloud provider’s servers are available. Often, the exact location of the server is unknown, and in most cases, the location is not even a consideration to the user.

The compliance risk is not in the upload. The compliance risk is in the redirection of data to servers in different countries. In fact, the ultimate location of the particular server used to hold the user’s data may be unknown to both the user and the cloud provider. The type of data that is uploaded and the location of the server where that data is stored can potentially trigger export compliance issues for the user.

Exports in the cloud

Okay – now that we have gotten this out of the way, when do cloud users and providers become exporters according to the U.S. export control laws? How do you know who the exporter is and whether the definition of an export is met? Let’s take a look at a likely flow and see if we can ascertain whether this is an export:

  • Your U.S. entity puts technical data on a cloud server in the U.S.
  • The data is transmitted via a router in Europe,
  • And ultimately stored in Asia.

In this case, “technical data” is intended to be stored on the cloud. Whether or not the user knows that the technical data is physically stored on one or more servers located in one or more foreign countries, the activities in this scenario meet the definition of an export under ITAR § 120.17. This regulation states that any access to this data by a foreign person would constitute an unauthorized “export”. Essentially, every time that controlled technology is transmitted outside the U.S. it is being “exported” from the U.S.

Ultimately, maintaining export controlled data in the cloud is challenging. Under the current regulations, it would seem that, by the very definition of cloud storage, providers cannot assure users that their data will be kept in the United States, or exported only in accordance with the current definitions.

U.S. Department of State proposed changes related to Cloud Storage

In June 2015 the U.S. Department of State proposed to amend the International Traffic in Arms Regulations (ITAR) to update the definitions of “defense article,” “defense services,” “technical data,” “public domain,” “export,” and “reexport or retransfer” in order to clarify the scope of activities and information that are covered within these definitions and harmonize the definitions with the Export Administration Regulations (EAR), to the extent appropriate[1].

The suggested rule proposes to decontrol certain transfers of encrypted technology, technical data, and software and ultimately address the concerns the government has on technology that is used for electronically transmitting and storing data, including cloud technology.

The Department also proposes to add a new provision excluding from ITAR licensing requirements the transmission and storage of encrypted “technical data” and software. In summary, the intent of these changes is to clarify that when unclassified technical data transits through a foreign country’s internet, a license is not required if the technical data is encrypted prior to leaving the sender’s control and remains in an encrypted state until the technical data is retrieved by the sender or received by the intended recipient.

Under the proposed rules, export controlled data originating in the United States may be stored in one or more countries outside of the United States without licensing, provided the data is properly encrypted and not stored in countries subject to U.S. arms embargoes or in Russia[2]. In essence, with the prohibition on Russia and the embargoed countries, the provisions do not necessarily authorize unconstrained storage on the cloud. What this implies is that there is a large reduction in the restrictions on export controlled software and data that is stored on the cloud.

Cloud in 2020

Forrester Research predicts that the global market for cloud computing services will have increased from $40.7 billion in 2011 to approximately $241 billion by 2020[3].

The cloud is not only expected to grow, but to become even more common in how companies conduct business for storing their data.

Consequently, businesses in general need to be attentive in their use of cloud and make sure that their internal processes for cloud storage are consistent with the U.S. export regulations.


Conclusion

Cloud computing presents unique export controls challenges. The cloud is universal and it is often not possible to know the actual trajectory or physical destination of a company’s data stored on, or moving through, the cloud. The regulatory reality for cloud users and providers, however, is that the U.S. export control laws, as currently written, do not clearly provide guidance. This makes it critical for the user’s compliance department to familiarize themselves with the many complex issues at play.

Cloud providers and users should identify areas that might be under the jurisdiction of export control and implement internal compliance procedures that include safety measures. This would include a thorough review of where the cloud providers’ servers are located and a communication mechanism if servers are added to other geographic locations. It is possible that, through this review, using cloud services for controlled technical data might be considered too risky. In this case, companies may opt not to transfer this data, or to implement strict controls with the cloud provider.

The responsibility for export compliance in the cloud ultimately resides with the user. If opting for the cloud, the user should carefully review all contracts and agreements with the cloud provider, ensuring specifically formulated export controls and compliance measures are identified. It would behoove the user to also identify what technical data is considered an export and subject to the EAR.


References

[1] https://www.federalregister.gov/articles/2015/06/03/2015-12844/international-traffic-in-arms-revisions-to-definitions-of-defense-services-technical-data-and-public

[2] https://www.cov.com/~/media/files/corporate/publications/2015/06/state_and_commerce_departments_propose_revisions_of_key_export_control_definitions.pdf

[3] http://www.zdnet.com/article/cloud-computing-market-241-billion-in-2020/