(a) Activities that are not exports, reexports, or transfers. The following activities are not exports, reexports, or transfers:
(1) Launching a spacecraft, launch vehicle, payload, or other item into space.
(2) Transmitting or otherwise transferring “technology” or “software” to a person in the United States who is not a foreign person from another person in the United States.
(3) Transmitting or otherwise making a transfer (in-country) within the same foreign country of “technology” or “software” between or among only persons who are not “foreign persons,” so long as the transmission or transfer does not result in a release to a foreign person or to a person prohibited from receiving the “technology” or “software.”
(4) Shipping, moving, or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census.
(5) Sending, taking, or storing “technology” or “software” that is:
(i) Unclassified;
(ii) Secured using 'end-to-end encryption;'
(iii) Secured using cryptographic modules (hardware or “software”) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by “software” implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means; and
(iv) Not intentionally stored in a country listed in Country Group D:5 (see supplement no. 1 to part 740 of the EAR) or in the Russian Federation.
Data in-transit via the Internet is not deemed to be stored.
(b) Definitions. For purposes of this section, End-to-end encryption means (i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary), and (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person.
(c) Ability to access “technology” or “software” in encrypted form. The ability to access “technology” or “software” in encrypted form that satisfies the criteria set forth in paragraph (a)(5) of this section does not constitute the release or export of such “technology” or “software.”
[81 FR 35604, June 3, 2016, as amended at 82 FR 61156, Dec. 27, 2017]