In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations (ITAR), the State Department confirmed that a company could use a data security method called "tokenization" to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took "sufficient means" to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing.
The requesting company has posted a redacted version of the advisory opinion here, and the State Department has posted its clarification of the opinion – emphasizing the narrow scope of the opinion and taking issue with the company’s initial press release characterizing the opinion – here. Given the agency’s public objection to the company's original interpretation of the advisory opinion, exporters that use cloud-based services will need to continue to be very cautious about the storage of ITAR data on cloud-based servers and should consider seeking guidance from the State Department on these issues.
Read our Export Controls Alert on the advisory opinion here.