19-0530 Thursday “Daily Bugle”

19-0530 Thursday “Daily Bugle”

Thursday, 30 May 2019

The Daily Bugle is a free daily newsletter from Full Circle Compliance, containing changes to export/import regulations (ATF, DOE/NRC, Customs, NISPOM, EAR, FACR/OFAC, FAR/DFARS, FTR/AES, HTSUS, and ITAR), plus news and events. Subscribe here. Contact us for advertising 

inquiries and rates

[No items of interest noted today.]
  1. Items Scheduled for Publication in Future Federal Register Editions 
  2. Commerce/BIS: (No new postings.)
  3. State/DDTC: (No new postings.)
  1. PRWeb: “Vectrus, Inc. et. al Terminated Firefighters for ‘Arms Trafficking’ Now Acknowledges That Arms Trafficking Never Occurred” 
  2. Reuters: “Relief from U.S. Sanctions Will Not Come Easily for Some Venezuelans” 
  3. ST&R Trade Report: “Nonproliferation Measures Imposed for Shipments to Iran, North Korea, and Syria”  
  1. D. W. Baruch, J. T. Boese & J. M. Wollenberg: “Cybersecurity Compliance: Is It the Next FCA Battleground?”
  2. H. Bucher: “ITAR and EAR Compliance and Modern Product Development” (Part II of III) 
  3. K. J. Wolf, T.J. McCarthy & C. Chamberlain: ” Reminder: Commerce Department Prohibitions Pertaining to Huawei Can Apply to Transactions by Non-U.S. Companies” 
  4. O. Gonzalez: “June 10 and 17 Deadlines for Challenging Tranche 4 of Section 301 Tariffs on Chinese Imports” 
  5. S. Tsakanakis, E. Abrams & Simon Hirsbrunner: “New EU Framework to Target Malicious Cyber-Attacks from Outside the Union” 
  1. FCC Presents “Designing an ICP for Export Controls & Sanctions”, 1 Oct in Bruchem, the Netherlands 
  1. Bartlett’s Unfamiliar Quotations 
  2. Are Your Copies of Regulations Up to Date? Latest Amendments: DHS/Customs (5 Apr 2019), DOC/EAR (23 May 2019), DOC/FTR (24 Apr 2018), DOD/NISPOM (18 May 2016), DOE/AFAEC (23 Feb 2015), DOE/EINEM (20 Nov 2018), DOJ/ATF (14 Mar 2018), DOS/ITAR (19 Apr 2018), DOT/FACR/OFAC (29 Apr 2018), HTSUS (21 May 2019) 
  3. Weekly Highlights of the Daily Bugle Top Stories 


* * * * * * * * * * * * * * * * * * * *


OGS_a11. Items Scheduled for Publication in Future Federal Register Editions
(Source: Federal Register)

[No items of interest today]

* * * * * * * * * * * * * * * * * * * * 

* * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * 


PRWeb: “Vectrus, Inc. et. al Terminated Firefighters for “Arms Trafficking” & Now Acknowledges That Said Trafficking Never Occurred”
(Source: PRWeb, 30 May 2019.)
Vectrus, Inc. (“Vectrus”), a Department of Defense services contractor, recently had a whistleblower (Count 1), wrongful termination (Count 2), and intentional infliction of emotional distress (Count 3) complaint filed against it by two firefighters who worked at Morón Air Base (“Morón AB”), located in Sevilla, Spain. See civil case number 1:18-cv-02648 Burton et al v. Vectrus, Inc. et al, District of Colorado.
The complaint also names Vectrus Systems Corporation, a wholly owned subsidiary of Vectrus and, as an individual, Rebecca Wardell (Count 3 only), who was a signatory to termination letters which indicated that each employee violated Vectrus’ “International Traffic in Arms and Security Policies.” Both employees were employed as experienced firefighters at Morón AB. The Complaint further alleges that Vectrus allowed “a culture of abusive Human Resources practices to develop and continue, including a pattern of wrongful termination.”
Vectrus now acknowledges that Plaintiffs did not engage in “Arms Trafficking.” Doc. 50 pp. 4-5 as previously alleged. Erika Morris, Vectrus’ Director of Human Resources, inserted the “Arms Trafficking” language without reading the interviews upon which Plaintiffs’ terminations (“Terminations”) were based. She was the “final approver” of said Terminations, despite the fact that she did not read the Interviews. This conduct confirms Vectrus’ “culture of abusive Human Resources practices” that was alleged in the Complaint.

* * * * * * * * * * * * * * * * * * * * 

Reuters: “Relief from U.S. Sanctions Will Not Come Easily for Some Venezuelans”
(Source: Reuters, 30 May 2019.) [Excerpts.]
Immediately after he turned against Venezuelan President Nicolas Maduro, the United States lifted economic sanctions against Manuel Cristopher, a general who served as the leftist leader’s spy chief.
But other former Venezuelan officials will find it more difficult to get off a U.S. sanctions list unless they follow Cristopher’s lead and take bold, tangible action against Maduro, say people in and close to the Trump administration. …
Using economic sanctions to turn high-ranking military officers and other top officials against Maduro is key to the U.S. attempt to remove the socialist president, whose country is suffering an economic collapse and a political crisis.
But the Trump administration wants to see “concrete and meaningful actions” before lifting sanctions on other former Maduro aides. …

* * * * * * * * * * * * * * * * * * * * 

ST&R Trade Report: “Nonproliferation Measures Imposed for Shipments to Iran, North Korea, and Syria”
The State Department has determined that 22 foreign entities in China, Iran, Russia, and Syria have engaged in activities that warrant the imposition of penalties for the transfer to or acquisition from Iran, Syria, or North Korea of goods, services, or technology controlled under multilateral control lists or otherwise having the potential to make a material contribution to the development of weapons of mass destruction or cruise or ballistic missile systems.
As a result, effective May 14 and for two years thereafter, the following measures have been imposed against these entities and any successors, sub-units, or subsidiaries thereof.
– no U.S. government department or agency may procure or enter into any contract for the procurement of any goods, technology, or services from these entities
– no U.S. government department or agency may provide any assistance to these entities and they are not eligible to participate in any U.S. government assistance program
– no U.S. government sales to these entities of any item on the U.S. Munitions List are permitted and all sales to these entities of any defense articles, defense services, or design and construction services under the Arms Export Control Act are terminated
– no new individual licenses will be granted for the transfer to these entities of items the export of which is controlled under the Export Administration Act of 1979 or the Export Administration Regulations, and any existing such licenses are suspended

* * * * * * * * * * * * * * * * * * * * 


. D. W. Baruch, J. T. Boese & J. M. Wollenberg: “Cybersecurity Compliance: Is It the Next FCA Battleground?”
Fried Frank, 28 May 2019.)
Authors: Douglas W. Baruch; Esq., douglas.baruch@friedfrank.com, + 1.202 639 705; John T. Boese; Esq.,
john.boese@friedfrank.com, +1 202 639 7220; and Jennifer M. Wollenberg, Esq., jennifer.wollenberg@friedfrank.com, +1 202 639 7278. All of Fried, Frank, Harris, Shriver & Jacobson LLP.
Companies across the country confront cybersecurity challenges on a daily basis. Chief information officers worry about their systems being hacked. Executives worry about technology theft. Human resources managers worry about privacy breaches. But beyond these routine concerns, many companies doing business with the government – particularly those in the aerospace, defense, healthcare, and information technology sectors – also have to add cybersecurity compliance to their worry lists. In recent years, federal agencies are imposing specific cybersecurity obligations on their contractors. For instance, the Department of Defense has been issuing and amending cybersecurity regulations pertaining to unclassified information used by “nonfederal systems and organizations.” See 48 C.F.R. § 252.204-7012 (2013); 48 C.F.R. § 252.204-7012 (Aug. 2015); 48 C.F.R. § 252.204-7012 (Dec. 2015); 48 C.F.R. § 252.204-7012 (Oct. 2016). And the Department of Health and Human Services began incentivizing the gradual transition to electronic health records, with attendant security features, in 2009 with the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). As a result, not only are agencies awarding contracts for cyberspace support, [FN/1] but agencies are adopting cybersecurity regulations aimed at controlling the information developed and exchanged under a wide variety of government programs and contracts, including unclassified information used by government contractors. See U.S. Dep’t of Commerce, NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (2015). It should come as no surprise, therefore, that cybersecurity compliance itself is fertile ground for False Claims Act enforcement, especially by qui tam relators. Three fairly recent FCA cases likely are harbingers of more FCA cybersecurity litigation to come.
Qui Tam Cases Addressing Cybersecurity Allegations
An “early” case focusing on cybersecurity allegations was United States ex rel. McGrath v. Microsemi Corp., 140 F. Supp. 3d 885 (D. Ariz. 2015). In McGrath, the relator alleged that some of his former employer’s technologies designed for defense applications regulated by the Arms Export Control Act and the federal International Traffic in Arms Regulation had not been “protected from disclosure or export to foreign persons” as required. That theory did not fare well. The district court dismissed the complaint, rejecting the relator’s “worthless services” and implied false certification theories. First, the court held that the worthless services claim failed because (a) the relator did not allege a reasonable predicate for contending that any data had actually been disclosed to a foreign national, and (b) even assuming some compromise, the claim – if any – would be for diminished value as opposed to worthless services. Second, the court rejected the implied false certification claim based on failure to allege that the violations were material and lack of scienter. In a one page opinion, the Ninth Circuit affirmed, holding that the “complaint failed to plead facts plausibly alleging that compliance with [the cybersecurity regulations] was material to the government’s decision to pay.” 690 F. App’x 551, 552 (9th Cir.), cert. denied, 138 S. Ct. 407 (2017).
Similar cybersecurity issues in the context of medical records were addressed in United States ex rel. Sheldon v. Kettering Health Network, 816 F.3d 399 (6th Cir. 2016). In Sheldon, the relator, a patient, alleged that the healthcare network defendant falsely certified that it had conducted security risk analyses as part of a risk management process, as evidenced by notifications she received of unauthorized access to her records. The Sixth Circuit affirmed dismissal of the FCA allegations under Rule 9(b) because, in addition to failing to plead specific false claims for payment, the relator’s allegations of individual security breaches did not necessarily negate compliance with the regulations, and notification of the breaches instead indicated the existence of policies and procedures. [FN/2]
More recently, a relator’s cybersecurity compliance allegations survived an initial challenge. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, slip op. (E.D. Cal. May 8, 2019), the district court denied the defendants’ motion to dismiss the qui tam complaint alleging that the defendants failed to meet the minimum cybersecurity requirements for sensitive but unclassified information under Defense Department and NASA contracts. Slip op. at 3 (citing 48 C.F.R. § 252.204-7012; 48 C.F.R. § 1852.204-76). The relator sought to impose FCA liability based on theories of promissory fraud (i.e., fraud in the inducement) and false certification, claiming that the defendants secured multiple federal contracts by misrepresenting the company’s compliance with these cybersecurity regulations. In rejecting dismissal, the court held that the allegations were sufficient to establish materiality. In particular, the court pointed to the complaint’s allegations (assumed to be true for purposes of the motion to dismiss) that the defendants only partially disclosed their noncompliance with the regulations to a government official. On a motion to dismiss standard, the court was not persuaded by defense arguments that the government’s post-contract execution conduct – including payments to the defendant and other industry activity – defeated the requisite showing of materiality. Defendants, of course, will be able to press these issues and develop a full factual record in discovery, but the fact remains that the court is allowing this cybersecurity compliance case to move forward.
Looking Ahead
Cybersecurity noncompliance as a basis for FCA liability could be especially troublesome for contractors, particularly if the promissory fraud theory takes root. Under this theory, all invoices generated following a contractor’s knowing misrepresentation of compliance with cybersecurity requirements would be tainted by the “fraud” and relators surely will argue that damages equate to all amounts paid on those invoices. Defendants, in turn, will seek to establish that relators still must establish damages based on the diminished value of the services provided (i.e., the value of the goods or services with cybersecurity compliance and the value of those same goods or services considering the particular alleged noncompliance). See, e.g., United States v. Science Applications Int’l Corp., 626 F.3d 1257 (D.C. Cir. 2010); United States ex rel. Wall v. Circle C Constr., LLC, 813 F.3d 616 (6th Cir. 2016); see also FraudMail Alert No. 10-12-06; FraudMail Alert No. 16-02-10. Defendants, nevertheless, will be defending these cases under threat that a substantial portion of their contract payments may be in jeopardy.
As a result, great emphasis must be placed on scrutinizing the sufficiency of the materiality allegations in any FCA complaint, and early cases will be important in framing the specific materiality analysis as cybersecurity noncompliance cases become more common. Materiality is particularly relevant in such a relatively new area of regulation, and one in which the government has little enforcement experience and history. For example, the FAR cybersecurity regulations at issue in McGrath and Markus were promulgated in 2013 through 2016, with a grace period until December 2017 to comply, making them relatively untested to date. Moreover, the regulations themselves are somewhat ambiguous. For example, among the definitions in the FAR’s current regulation is this broad definition of “adequate
Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
48 CFR § 252.204-7012(a). The terms included in this definition – e.g., “protective measures,” “commensurate with,” and “consequences and probability of” – lack precision and are ripe for challenge by FCA defendants.

The bottom line is that cybersecurity compliance is an emerging area of FCA activity, and government contractors must be attuned to the liability threat that comes with it.

* * * * * * * * * * * * * * * * * * * * 

H. Bucher: “ITAR and EAR Compliance and Modern Product Development” (Part II of III)
(Source: A
rena Solutions, May 2019.) [Excerpts.]
* Author: Heatherly Bucher, Director of Product Marketing, +1 866 937 1438, sales@arenasolutions.com.
In Part I of this series, we outlined the difficulties you, as a high tech electronics manufacturer, can face when participating in the defense market. Your products may be subject to International Traffic in Arms Regulations (ITAR) and/or Export Administration Regulations (EAR), dictating tight control over all regulated technical data. Meeting these regulations while enabling your teams with the flexibility and transparency needed to make great products on-time is a challenge, but not impossible.
Our Part I blog explored ITAR and EAR requirements as they relate to controlled technical data access. We also reviewed the options for managing this product data as you execute product lifecycle management (PLM) activities. PLM tools and solutions range from word processing and spreadsheet applications and file servers to on-site systems and modern Cloud platforms. Regardless of your choice, as a registered manufacturer, you must have an understanding of regulatory requirements, identify responsible parties for each layer of your PLM tools, and enact appropriate controls. We concluded that a secure government-grade Cloud PLM provides a better shared responsibility model as well as an enabling platform for doing the work of product development both now and in the future. Understanding what government-grade Cloud PLM offers will help you learn more about what you need from all your tools to meet regulations.
Regulations are requirements – treat them as such
Regulations are serious, and often we react with caution to reduce risk of non-compliance. However, caution can also cost your business new customers, product innovations, and market advantages. A balance needs to be struck between meeting compliance and giving teams the advantages of current technologies and the best systems. How can you know when you have done this? When evaluating PLM options, remember that regulations as requirements. And to select the best solution, you must understand your requirements. Fortunately, for those of us in the business of creating products, requirements management is something we understand and apply here.
Requirements articulation should include:
– A statement of the need to be met, as specific as possible.
– Determination of an acceptable solution.
– Weighting of requirements as not all are equal in urgency and risk.
Regulations are onerous to read and often contain cross-references to other regulations and standards. And, some regulations are not, in fact, applicable for particular situations or companies. In short, due diligence is needed to move beyond assumptions and make the best decisions for your company.
De-mystifying ITAR and EAR regulations
Before going further, we need to be clear. ITAR and EAR regulations are complex. It is your responsibility to confer with your compliance officers and legal counsel to determine: if you need to register with ITAR, EAR, or both; what in your product data is under export control; and your requirements above and beyond specific regulations. …
Here is the simplest regulatory articulation:
The regulations stipulate that any technical data under export control must not be exported outside the U.S. or accessible to any non-U.S. citizen at any point during design or production unless covered under an export license.
Jump over to our Part I blog and read more if you need a refresher.
For any solution you consider, you must determine how the requirement is being met and the responsibility owner for that requirement. This is critical as solutions vary in approach and extent of meeting requirements.
Today, we will consider export controlled technical data in digital format (not the printed materials sitting on that desk, but digital bills of materials, product record meta data, and associated documentation).
Don’t Assume
One dangerous assumption made in the past is that if you store, access, and collaborate on your technical product data on-site (within your LAN/WAN/VPN), you are compliant with most ITAR and EAR regulations because everything is “local.” This is not true. Regulations require demonstration of compliance regardless of where the solution resides.
The laundry list of security elements you must consider is lengthy. Everything from handling technical data from printed drawings sitting on an engineer’s desk, to digital files on an internal file server, to uploaded data in an on-site system or a Cloud application must be evaluated. An export of controlled technical data can still occur while within the U.S. when the data is transmitted or shared in any form or format (including oral, written, physical observation, paper, email, phone, fax, application access, etc.) with foreign nationals.

Any compliance assumptions you make are by nature risky and almost always costly. Go back and read the above paragraphs again, please.

[Part III of this article will run tomorrow.]
back to top

* * * * * * * * * * * * * * * * * * * * 

K. J. Wolf, T.J. McCarthy & C. Chamberlain: ” Reminder: Commerce Department Prohibitions Pertaining to Huawei Can Apply to Transactions by Non-U.S. Companies”

Akin Gump Strauss Hauer & Feld LLP
, 29 May 2019.)
* Authors: Kevin J. Wolf, Esq., kwolf@akingump.com, +1 202-887-4051; Thomas J. McCarthy, Esq., tmccarthy@akingump.com, +1 202-887-4047; and Chris Chamberlain, cchamberlain@akingump.com, +1 202-887-4308, all of Akin Gump Strauss Hauer & Feld LLP.
Key Points
   – Since the addition of Huawei and many of its affiliates to the Entity List, there has been significant media coverage over which types of transactions involving the listed entities are, and are not, prohibited without a Commerce license. Some commentators and companies seem to be under the mistaken impression that non-U.S. companies cannot be affected by the listing merely because they are not U.S. companies or because they are working with non-U.S.-origin commodities, software, or technology. Such conclusions are not necessarily correct.
– U.S. export controls and Entity List prohibitions focus on the origin and jurisdictional status of the commodities, software, or technology that would be transferred to the listed entity, regardless of the nationality or ownership status of the company providing them. For example, if a wholly non-U.S. carrier, app developer, or electronics manufacturer transfers to Huawei a commodity, software, or technology of any sort that is U.S.-origin or that is non-U.S.-origin and it contains more than a de minimis amount of U.S.-origin controlled content, then the commodity, software, or technology is still subject to U.S. controls and the Entity List prohibitions.
– Violations of the Entity List prohibitions by a non-U.S. company can lead to civil or criminal penalties, or other sanctions that would affect its ability to receive U.S.-origin items. Thus, non-U.S. companies engaging in transactions involving Huawei should not assume that they are not affected by the Entity List prohibitions merely because they are outside the United States or because the products involved were manufactured outside the United States.
The Entity List and Key Definitions
The Entity List prohibitions, which are administered by the Commerce Department’s Bureau of Industry and Security (BIS), prohibit the unlicensed export of all commodities, software, and technology that are subject to the Export Administration Regulations (EAR), even low-level “EAR99” items that are not identified on any U.S. export control lists. For example, a U.S.-origin toothbrush and nonpublic U.S.-origin drawings for how to manufacture it are EAR99 items “subject to the EAR.”
Contrary to many press reports and other comments, only a limited number of transactions involving the listed Huawei companies have been authorized by a Temporary General License, which is primarily intended to minimize the impact of the listing on Huawei’s existing customers (but not its suppliers or development partners).
The EAR defines “item” as any commodity, software, or technology. A “commodity” is any article (such as a part or a component), material, or supply except technology and software. “Technology” is defined as “information necessary for the development, production, use, operation, installation, maintenance, repair, overhaul, or refurbishing” of a commodity, software, or other technologies, regardless of origin. “Software” is defined as a “collection of one or more programs or microprograms fixed in any tangible medium of expression.” Several of these words are further defined in the regulations, but the key point for non-U.S. companies to remember is that these terms are broad and do not depend upon whether the technology or software is sensitive or otherwise on an export control list.
Software and Technology “Subject to the EAR”
Software and technology are “subject to the EAR” if they are:
– In the United States, such as on a server located in the United States;
– U.S.-origin, such as by being developed, drawn, produced, or compiled in the United States;
– Foreign-origin and commingled with or drawn from more than a de minimis amount of controlled U.S.-origin technology; or
– The direct product of sensitive U.S.-origin technology or software, a complete plant built using such technology or software, or a major component of a plant built using such technology or software.
Thus, for example, nonpublic U.S.-origin technology necessary to produce a toothbrush may not be provided to Huawei by a company outside the United States without a BIS license.
De Minimis
Calculations Involving Software and Technology
U.S.-origin technology does not lose its U.S.-origin status when it is redrawn, used, consulted, or otherwise commingled abroad in any respect with other technology of any other origin. Therefore, any subsequent or similar technology prepared outside the United States that is drawn from or uses any U.S.-origin technology is subject to the EAR in the same manner as the original U.S.-origin technology, including license requirements, unless the commingled technology is not subject to the EAR by reason of the de minimis exclusions described in the regulations.
The EAR also state that a party must file a one-time report with BIS prior to relying on a determination that foreign-origin technology does not contain more than a de minimis amount of controlled U.S.-origin content. The report must describe the bases for the conclusion, including a description of the calculations and the values, assumptions, and methodologies that went into making the de minimis determination.
Similarly, U.S.-origin software that is incorporated into or commingled with foreign-origin software does not lose its U.S.-origin status. It is subject to the EAR in the same manner as the original U.S.-origin software, including license requirements, unless the commingled software is not subject to the EAR by reason of the de minimis exclusions described in the regulations. One-time reports are not required for software, but reexporters must maintain records of their calculations to document qualification for the exclusion.
There are some exclusions and special requirements for de minimis calculations involving U.S.-origin encryption items. For example, U.S.-origin encryption technology classified under ECCN 5E002 is ineligible for de minimis treatment, so non-U.S.- produced encryption technology that incorporates any amount of such U.S.-origin encryption technology are subject to the EAR, regardless of the amount of U.S.-origin content. Further, certain types of encryption software must have satisfied mandatory classification or reporting procedures to qualify for the de minimis exclusion.
Foreign Direct Products
Items that are produced from U.S.-origin technology and software can be subject to the EAR, even if they are produced outside the United States. This rule applies if the U.S.-origin technology or software, and the direct product of such technology or software, are controlled for “national security” reasons and the product is destined to specific countries of concern, such as China. For example, if U.S.-origin 5D002 encryption source code is used to compile 5D002 object code outside the United States, the foreign-made object code would be subject to the EAR when exported to China.

The point of this alert is not to provide a treatise describing or legal advice about all the possible ways commodities or nonpublic technology and software outside the United States would and would not be subject to the EAR. That is a fact-specific subject to be discussed with company or outside export control compliance managers or counsel. Rather, the purpose of this alert is to remind all readers outside the United States that commodities, software, and technology are not per se excluded from the scope of the Entity List prohibitions merely because the company is foreign or the technology is not sensitive. The prohibitions are blind to the nationality of the exporter, reexporter, or transferor of the commodity, software, or technology being transferred to the listed entity. That is, they apply equally to U.S. and non-U.S. persons. 

* * * * * * * * * * * * * * * * * * * * 

. O. Gonzalez:  “June 10 and 17 Deadlines for Challenging Tranche 4 of Section 301 Tariffs on Chinese Imports”

(Source: Author)

Author: Oscar Gonzalez, Esq., Gonzalez, Rolon, Valdespino, & Rodriguez, LLC, 
, (800) 256-2013.

On May 17, 2019, the Trump Administration issued its fourth list (or tranche) under Section 301 of imported products from China to have a 25% tariff. Tranche 4 is the largest tariff increase list under Section 301 against China and will affect $300 billion of goods imported annually. Just two days earlier, the Trump Administration increased the tariff rate from 10% to 25% for Tranche 3 items. Tranche 4 completes the 25% tariff increase on all Chinese imports except for the tariff classifications exempted as described below. Importers must pay the rate increase in addition to any antidumping duties owed.

However, you may be able to convince our government to remove certain tariff classifications from the Tranche 4 tariffs if you act quickly. The US Trade Representative is asking for the public to comment on Tranche 4 and, through the filing of public comments and the submission of testimony in support at a hearing in Washington, D.C., is offering the public the opportunity to try to convince a special committee, called the Section 301 Committee, that certain tariff provisions should be exempted from the increased rate. Do not confuse this public comment opportunity with tariff exclusions. Tariffs exclusions are offered only after the public comment period has closed and after a tariff list or tranche is permanent. Tranche 4 in its present state is only tentative and will be amended and finalized shortly after the public comment period closes. Public comments, if successful, are more effective than tariff exclusions. Tariff exclusions last for only one year and the USTR has not said whether renewals or extensions will be permitted. In contrast, the public comment procedure provides the opportunity to exempt a specific tariff classification before Tranche 4 is finalized. 

If the public comment works, importers do not pay the 25% duty under that tariff classification and do not have to worry about a tariff exclusion.  

We strongly advise that anyone who is impacted by Tranche 4 file a public comment. You do not have to be an importer to file a public comment or to testify at the public hearing. Any interested party may submit and appear. Again, if your public comment and testimony succeed and your tariff classification is not part of the final Tranche 4, there is no need to thereafter request a tariff exclusion (once the procedure is rolled out). If your public comment and testimony do not succeed, you still may be able to file a tariff exclusion request. 

You must act quickly, however. June 10 is the deadline to file a request with the USTR to testify at a June 17 hearing in Washington, D.C.  June 17 is the deadline to file your public comment. We also encourage those wishing to prepare a public comment and testimony to enlist the help of legal professionals who possess the right touch and experience. While there are no guarantees, every single company that our law firm previously helped with the public comment/hearing process saw positive results.

As mentioned above, the tariff rate for Tranche 3 items increased from 10% to 25%. A tariff exclusion procedure for Tranche 3 is expected to be announced soon. We also suggest that you start preparing your Tranche 3 exclusion request immediately. From the example of Tranche 1 and 2, the window for filing tariff exclusion requests under Tranches 3 and 4 is likely to be small and announced with little notice. Often companies find it difficult to get all the information and arguments together in time. You do not want to rush your tariff exclusion request. You do not want your request rejected because it was poorly argued or because you did not follow the correct procedures. 

How do you start preparing your tariff exclusion request for Tranche 3 (or 4, for that matter) if no exclusion procedure has yet to be issued? Two ways: First, use the previous exclusion procedure as your template. While there is no guarantee, the tariff exclusion procedures for Tranches 3 and 4 are likely to be similar, albeit are predicted to require a great deal of more information, as earlier tranches. Second, hire an experienced international trade law firm to assist you.  . . .

* * * * * * * * * * * * * * * * * * * * 

. S. Tsakanakis, E. Abrams & Simon Hirsbrunner: “New EU Framework to Target Malicious Cyber-Attacks from Outside the Union”
* Authors: Stefan Tsakanakis, Esq., stsakanakis@steptoe.com, +32 2 626 0517; Evan Abrams, Esq., +1 202 429 3052; and Simon Hirsbrunner, Esq., shirsbrunner@steptoe.com, +32 2 626 0543. All of Steptoe & Johnson LLP.
On 17 May 2019, the Council of the EU established a framework against external cyber-attacks which constitute an external threat to the EU or its Member States. The new rules, which reportedly follow a diplomatic push by the UK and the Netherlands, provide for a strong legal instrument to deter and respond to cyber-attacks against the EU or its Member States. The new framework enables the EU for the first time to impose sanctions against persons, entities and bodies because of cyber-attacks. While no names have been added to the sanctions list yet, the new mechanism is expected to allow the EU to move quickly in the future. However, the new framework does not help companies that are under attack. Victims of cyber-attacks are on their own when it comes to fighting off a cyber-attack.
Sanctions under the new framework are country neutral. In other words, they do not target specific third countries but specific malicious actors. Member States are free to make their own determinations with respect to the attribution of responsibility for cyber-attacks to third countries but such determinations have no impact on the EU sanctions.
The new rules cover cyber-attacks that have either been carried out or attempted, have a significant impact and
– originate or are carried out from outside the EU;
– use infrastructure outside the EU;
– are carried out by persons, entities or bodies established or operating outside the EU; or
– are carried out with the support of persons, entities or bodies operating outside the EU.
The framework allows the EU to deter and respond to cyber-attacks that constitute an external threat to Member States or the EU. Cyber-attacks may be considered a threat to Member States if they affect information systems relating to critical infrastructure, services necessary for the maintenance of essential social and/or economic activities, critical State functions, the storage or processing of classified information, or government emergency response teams. Cyber-attacks constituting a threat to the EU include those carried out against its institutions, bodies, offices and agencies, its delegations to third countries or to international organizations, its common security and defense policy (CSDP) operations and missions and its special representatives. Perhaps one of the most striking features of the new framework concerns cyber-attacks directed against third countries or international organizations. Under certain circumstances, the EU may intervene in support of such countries or organizations and apply sanctions in response to such cyber-attacks.
The new regime allows the EU for the first time to impose sanctions on persons, entities or bodies that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Persons, entities or bodies associated with them may also be sanctioned.
Restrictive measures include travel bans. Member States shall take the measures necessary to prevent the entry into or transit through their territories of sanctioned persons. Furthermore, the new rules provide for an asset freeze on funds and economic resources of sanctioned persons, entities or bodies. Persons or organizations falling under EU jurisdiction are forbidden from making funds or economic resources available to or for the benefit of those listed.
It is important to note that the decision-making process leaves room for discretion in the sanctioning of cyber-attackers. The Council establishes and amends the sanctions lists only by a unanimous decision of EU Member States upon a proposal from any Member State or from the High Representative for Foreign Affairs and Security Policy. Thus, the outcome of the decision-making process will be pre-conditioned by the ability of the Member States to align their geopolitical interests. Persons, entities or bodies from third countries perceived as strategic allies may be less likely to be sanctioned than those from isolated rogue states.
The EU hopes to utilize the new framework as a benchmark for similar anti-cyber-attack measures by other jurisdictions worldwide. In order to maximize the impact of the restrictive measures, the EU will encourage third countries to adopt similar sanctions.
Similar regimes already exist in a number of jurisdictions, including in the United States where an executive order issued in 2015 (and amended in 2016) authorizes the imposition of blocking sanctions (i.e. asset freezing) against persons engaged in certain cyber-attacks. This includes certain activity aimed at harming, or having the effect of harming, US national security, foreign policy goals, or the US economy or financial system, as well as specific acts related to the stealing of “trade secrets.”
While the above US order covers certain cyber-attacks related to “interfering with or undermining election processes or institutions,” given the heightened concern in the United States regarding foreign election interference, the Trump Administration has recently issued an additional executive order authorizing blocking sanctions for a wide-variety of election interference-related conduct, including certain cyber-based activities.

While worded differently, both the EU and US regimes are quite broad in nature and therefore are likely to cover most of the same conduct in their respective jurisdictions.

* * * * * * * * * * * * * * * * * * * * 


TE_a012. FCC Presents “Designing an ICP for Export Controls & Sanctions”, 1 Oct in Bruchem, the Netherlands

* What: Designing an Internal Compliance Program (ICP) for Export Controls & Sanctions
* Date: Tuesday, 1 Oct 2019
* Location: Full Circle Compliance, Landgoed Groenhoven, Dorpsstraat 6, Bruchem, The Netherlands
* Times:
  – Registration and welcome: 9.00 am – 9.30 am
  – Training course hours: 9.30 am – 4.30 pm
* Level: Intermediate
* Target Audience:  the course provides valuable insights for both compliance professionals, employees and (senior / middle) management working in any industry subject to U.S. and/or EU (member state) export control laws and sanctions regulations.
* Instructors: Drs. Ghislaine C.Y. Gillessen RA and Marco M. Crombach MSc.

* Information & Registration: click here or contact us at events@fullcirclecompliance.eu or 31 (0)23 – 844 – 9046. 

* * * * * * * * * * * * * * * * * * * *


Mikhail Bakunin (Mikhail Alexandrovich Bakunin; 30 May 1814 – 1 Jul 1876; was a Russian revolutionary anarchist and founder of collectivist anarchism. He is considered among the most influential figures of anarchism and one of the principal founders of the social anarchist tradition. Bakunin’s enormous prestige as an activist made him one of the most famous ideologues in Europe, gaining substantial influence among radicals throughout Russia and Europe.)
 – “By striving to do the impossible, man has always achieved what is possible. Those who have cautiously done no more than they believed possible have never taken a single step forward.”

* * * * * * * * * * * * * * * * * * * *

. Are Your Copies of Regulations Up to Date?
(Source: Editor)


DHS CUSTOMS REGULATIONS: 19 CFR, Ch. 1, Pts. 0-199.  Implemented by Dep’t of Homeland Security, U.S. Customs & Border Protection.

  – Last Amendment: 5 Apr 2019:
84 FR 13499-13513: Civil Monetary Penalty Adjustments for Inflation

DOC EXPORT ADMINISTRATION REGULATIONS (EAR): 15 CFR Subtit. B, Ch. VII, Pts. 730-774. Implemented by Dep’t of Commerce, Bureau of Industry & Security.
  – Last Amendment: 24 May 2019: 84 FR 24018-24021: Implementation of Certain New Controls on Emerging Technologies Agreed at Wassenaar Arrangement 2018 Plenary  
* DOC FOREIGN TRADE REGULATIONS (FTR): 15 CFR Part 30.  Implemented by Dep’t of Commerce, U.S. Census Bureau.
  – Last Amendment: 24 Apr 2018: 83 FR 17749-17751: Foreign Trade Regulations (FTR): Clarification on the Collection and Confidentiality of Kimberley Process Certificates
  – HTS codes that are not valid for AES are available here.
  – The latest edition (1 Jan 2019) of Bartlett’s Annotated FTR (“BAFTR”), by James E. Bartlett III, is available for downloading in Word format. The BAFTR contains all FTR amendments, FTR Letters and Notices, a large Index, and approximately 250 footnotes containing case annotations, practice tips, Census/AES guidance, and explanations of the numerous errors contained in the official text. Subscribers receive revised copies in Microsoft Word every time the FTR is amended. The BAFTR is available by annual subscription from the Full Circle Compliance website.  BITAR subscribers are entitled to a 25% discount on subscriptions to the BAFTR. Government employees (including military) and employees of universities are eligible for a 50% discount on both publications at www.FullCircleCompiance.eu.   


  – Last Amendment: 18 May 2016: Change 2: Implement an insider threat program; reporting requirements for Cleared Defense Contractors; alignment with Federal standards for classified information systems; incorporated and cancelled Supp. 1 to the NISPOM (Summary here.)
DOE ASSISTANCE TO FOREIGN ATOMIC ENERGY ACTIVITIES: 10 CFR Part 810; Implemented by Dep’t of Energy, National Nuclear Security Administration, under Atomic Energy Act of 1954.
  – Last Amendment: 23 Feb 2015: 80 FR 9359, comprehensive updating of regulations, updates the activities and technologies subject to specific authorization and DOE reporting requirements. This rule also identifies destinations with respect to which most assistance would be generally authorized and destinations that would require a specific authorization by the Secretary of Energy.
DOE EXPORT AND IMPORT OF NUCLEAR EQUIPMENT AND MATERIAL; 10 CFR Part 110; Implemented by Dep’t of Energy, U.S. Nuclear Regulatory Commission, under Atomic Energy Act of 1954.
  – Last Amendment: 20 Nov 2018, 10 CFR 110.6, Re-transfers.

* DOJ ATF ARMS IMPORT REGULATIONS: 27 CFR Part 447-Importation of Arms, Ammunition, and Implements of War.  Implemented by Dep’t of Justice, Bureau of Alcohol, Tobacco, Firearms & Explosives.
  – Last Amendment: 14 Mar 2019: 84 FR 9239-9240: Bump-Stock-Type Devices 


DOS INTERNATIONAL TRAFFIC IN ARMS REGULATIONS (ITAR): 22 C.F.R. Ch. I, Subch. M, Pts. 120-130. Implemented by Dep’t of State, Directorate of Defense Trade Controls.
  – Last Amendment: 19 Apr 2019: 84 FR 16398-16402: International Traffic in Arms Regulations: Transfers Made by or for a Department or Agency of the U.S. Government   
  – The only available fully updated copy (latest edition: 19 Apr 2019) of the ITAR with all amendments is contained in Bartlett’s Annotated ITAR (“BITAR”), by James E. Bartlett III. The BITAR contains all ITAR amendments to date, plus a large Index, over 800 footnotes containing amendment histories, case annotations, practice tips, DDTC guidance, and explanations of errors in the official ITAR text. Subscribers receive updated copies of the BITAR in Word by email, usually revised within 24 hours after every ITAR amendment. The BITAR is available by annual subscription from the Full Circle Compliance website. BAFTR subscribers receive a $25 discount on subscriptions to the BITAR, please contact us to receive your discount code.
* DOT FOREIGN ASSETS CONTROL REGULATIONS (OFAC FACR): 31 CFR, Parts 500-599, Embargoes, Sanctions, Executive Orders. 

Implemented by Dep’t of Treasury, Office of Foreign Assets Control.

  – Last Amendment: 29 Apr 2019: 84 FR 17950-17958: Foreign Interference in U.S. Elections Sanctions Regulations [amendment of 31 CFR Part 579 to implement EO 13848] 
* USITC HARMONIZED TARIFF SCHEDULE OF THE UNITED STATES (HTS, HTSA or HTSUSA), 1 Jan 2019: 19 USC 1202 Annex. Implemented by U.S. International Trade Commission. (“HTS” and “HTSA” are often seen as abbreviations for the Harmonized Tariff Schedule of the United States Annotated, shortened versions of “HTSUSA”.)

Last Amendment: 21 May 2019: Harmonized System Update (HSU) 1908

  – HTS codes for AES are available here.

  – HTS codes that are not valid for AES are available here.

* * * * * * * * * * * * * * * * * * * *

Weekly Highlights of the Daily Bugle Top Stories

(Source: Editor) 

Review last week’s top Ex/Im stories in “Weekly Highlights of the Daily Bugle Top Stories” published  

* * * * * * * * * * * * * * * * * * * *


* The Ex/Im Daily Update is a publication of FCC Advisory B.V., compiled by: Editor, James E. Bartlett III; and Assistant Editors, Alexander Witt and Sven Goor. The Ex/Im Daily Update is emailed every business day to approximately 7,500 readers of changes to defense and high-tech trade laws and regulations. We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOE/NRC, DOJ/ATF, DoD/DSS, DoD/DTSA, FAR/DFARS, State/DDTC, Treasury/OFAC, White House, and similar websites of Australia, Canada, U.K., and other countries and international organizations.  Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items.

* RIGHTS & RESTRICTIONS: This email contains no proprietary, classified, or export-controlled information. All items are obtained from public sources or are published with permission of private contributors, and may be freely circulated without further permission, provided attribution is given to “The Export/Import Daily Bugle of (date)”. Any further use of contributors’ material, however, must comply with applicable copyright laws.  If you would to submit material for inclusion in the The Export/Import Daily Update (“Daily Bugle”), please find instructions here.

* CAVEAT: The contents of this newsletter cannot be relied upon as legal or expert advice.  Consult your own legal counsel or compliance specialists before taking actions based upon news items or opinions from this or other unofficial sources.  If any U.S. federal tax issue is discussed in this communication, it was not intended or written by the author or sender for tax or legal advice, and cannot be used for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending to another party any transaction or tax-related matter.

* SUBSCRIPTIONS: Subscriptions are free.  Subscribe by completing the request form on the Full Circle Compliance website

* BACK ISSUES: An archive of Daily Bugle publications from 2005 to present is available HERE.

* TO UNSUBSCRIBE: Use the Safe Unsubscribe link below.

Scroll to Top