Startups and IT SMEs: Understanding Export Control Framework Related to Intangible Technology Transfer
If you are a gadget geek, you may be aware that last year when the Google Pixel 4 and Pixel 4XL phones were launched worldwide, these models were not launched in India. The reason behind restricting the sale of the Google phones (touted to detect users and their gestures through a powerful radar) was that the radar technology used in the phone was prohibited in civilian applications in India. This brings us to an interesting aspect, namely, the dual use nature of technology; ‘dual use’ refers to the ability of an item (including technology) to be used for both military and civilian purposes. Given concerns around arms proliferation (should dual-use items be used for military purposes), the export of such items is regulated under export control laws. For the export of such items from India, one typically requires an export licence from the government. On 6th May, NASSCOM and DSCI organised a webinar for cybersecurity companies and start-ups on Export Control Framework Related to Intangible Technology Transfer (ITT). The webinar was aimed at making cybersecurity companies and start-ups (which deal in dual-use items/software/technology) aware about their export compliance obligations.
Unlike privacy and consumer protection laws, export control laws remain fairly esoteric for the industry. In the first part of the webinar we covered some basic concepts in export controls. Export controls are triggered in the Information Technology (IT) industry because of the transfer of items which incorporate cryptographic functionality. An example is banking software developed for business customers which contains encryption feature for data confidentiality. It is important to note that export control laws govern not only actual physical export of an item but also ‘deemed exports’ (including ITT which is the predominant form of export in the IT industry). This means that the transfer of a dual-use item or any service related to the development, production or use of a dual-use item to a foreign national whether in India or abroad may require a prior export licence from the Directorate General of Foreign Trade (DGFT).
An important reference document to determine whether the export of a particular dual-use item is regulated is the Special Chemicals, Organisms, Materials, Equipment and Technologies (SCOMET) List. The SCOMET List enumerates dual-use items which are regulated in India as well as exceptions for basic scientific research and items which are easily available to the public or in the public domain. An exporter does not generally require a licence for dual-use items which are not regulated under SCOMET unless the exporter knows or has reason to believe that such item will be used for military end use (also known as ‘catch-all provision’).
We next dealt with the specific licensing requirements for SCOMET exports. The DGFT is the licensing and enforcement authority for SCOMET exports in India. As the objective behind export control laws is to prevent arms proliferation, the central feature of an export control regime is determining the authenticity of the end user of a dual-use item. This is done by governments across the world by requiring exporter of regulated dual-use items to furnish an end user certificate which gives all particulars about the end user and the end use alongwith an undertaking that such item will not be used for military purposes. There are further record-keeping obligations on an exporter. While the government monitors and enforces export control laws, it requires companies to be self-compliant by having internal compliance programs (ICP) in place and training employees to flag any suspicious foreign customer who is looking to buy dual-use items. The existence of an ICP often acts as a mitigating factor when determining culpability for inadvertent violations of export control obligations by a company.
The third session of the webinar focussed on the international position. Like India, various jurisdictions have enacted national export control laws. Currently, 42 countries including India are members of the Wassenaar Arrangement (WA) which is a multilateral export control regime. Under the WA, India has global commitments to ensure that exports of dual-use items do not result in arms proliferation. Further, WA member countries are required to adopt the WA List of Dual-Use Goods and Technologies in their national export control lists. An Experts Group (EG) comprising the WA members meets periodically to discuss changes to the WA regime, especially the WA control lists given the rapid changes in dual-use technology. While the primary objective behind the EG meeting is to ensure regional and international security and stability, this is also a good opportunity to ensure technological innovation through changes to export control laws. An example is the 2017 amendments to the WA List which relaxed export controls on computer intrusion technology; these amendments helped cybersecurity researchers who employ intrusion tools to patch up vulnerabilities in software products. NASSCOM and DSCI are in fact working on a non-paper on the WA to determine how best we can promote cybersecurity research and innovation in the country through the WA regime. With this, we concluded the webinar.
Please find enclosed a consolidated document which contains the slides used in the presentation, the responses to all the questions asked by the audience, and a short note outlining the issues which we are researching in the WA non-paper. We solicit your inputs on the WA non-paper latest by 7th June, 2020. Please email your feedback and responses to firstname.lastname@example.org. You may view the webinar recording at this link. Our previous representations to the government on export controls are available here.