Most Canadian export controls and controlled goods compliance programs are built with the assumption that relevant employees who have access to controlled goods and technical data will be working in an on-site work environment and using work computers and in-house servers where information is securely stored with access and release restrictions and where work-related activities are carefully reviewed and watched. The current COVID-19 situation, in which most employees are working remotely from home, was not contemplated as a possibility by the export controls and controlled goods compliance program. In fact, many compliance programs have a built-in assumption that workers who have access to export controlled technical data will never be working from remote premises.
With many Canadian businesses allowing remote working and teleworking, compliance departments and managers should review the company’s compliance program and corporate policies, identify new risks associated with remote working, and develop and implement solutions to ensure their employees do not export, and have not inadvertently exported, controlled goods, intangibles, controlled data or information without first securing an export permit. The size of your business does not matter – small and medium sized businesses who develop, manufacture and/or sell controlled goods need to consider whether changes to their compliance programs and policies are necessary.
What are some of the things that could go wrong when employees are working remotely?
There are so many things that can go wrong that we could not possibly create a complete and exhaustive list. We have attempted to create a list for you to ask yourself whether your compliance program covers the 12 risks listed below and whether your program contains gaps that could result in unauthorized or prohibited activities:
1) Employees utilizing automatic cloud storage features on home computers and smart phones and exporting technical information to servers located outside Canada or located in Canada that do not have adequate security features (quite frankly, not even knowing where that information will be stored is a problem);
2) Employees not having adequate security on their home networks (and those home networks can be hacked);
3) Employees using computers at home that are shared with other persons in the household (that is, anyone in the household can access the information stored on the computer and anyone can send it to someone outside the household);
4) Employees not seeking proper permission before sending/sharing/exchanging controlled technical information with third parties outside Canada (e.g., the specifications for a controlled good and/or technical data is sent to a prospective buyer outside Canada);
5) Employees verbally giving information to another employee, an existing customer or a potential customer who is located outside Canada at the time the advice is given;
6) Employees removing at-work security features from technical data for controlled goods in order to be able to download documents and work from home (which could then result in the transfer of data to a third party);
7) Employees sending/sharing/exchanging information with each other (including persons without proper security clearances and people using shared home computers);
8) Employees downloading technical data on USB keys in order to work from home and the USB keys are not password protected and/or are lost;
9) Employees printing information at home and not using a shredder when disposing of paper copies;
10) Employees creating new documents and forgetting to add enhanced security features so that the documents are not accessed by persons who have not completed a personal security assessment for review by the designated officer; and
11) Employees taking a phone call from a designated/listed person outside Canada and engaging in a sanctioned activity.
It must be remembered that Canada’s export controls, economic sanctions and trade restrictions laws typically impose strict liability. As a result, it is necessary for companies to consider whether there are risks associated with remote working activities and adjust their compliance programs to account for those risks.
Areas of Concern
COVID-19 has caused many Canadian companies to quickly shift towards remote work arrangements. Because many employees are now working from home, the places from which controlled technology may be accessed, or to which controlled technology may be sent, have changed and there may be foreign persons taking advantage of the chaos that is associated with changed working arrangements.
There are three Canadian legal regimes to be discussed in this post:
1) Export Controls;
2) Economic Sanctions; and
3) Controlled Goods.
Canada’s export control scheme imposes an export permit requirement with respect to certain listed goods and technology. The term “technology” is defined in the Export and Import Permits Act to mean “technical data, technical assistance and information necessary for the development, production or use of an article included in an Export Control List or a Brokering Control List”. The items on the Export Control List (“ECL”) are further described in A Guide to Canada’s Export Control List. The technology related to the items on the ECL can take on many intangible forms.
It is important to understand that Canada’s export controls rules apply to the export of actual physical goods (that would be shipped), the electronic transfer or transmission of technical data and information, and the provision of technical or consulting services to a person outside Canada. There are many ways that an intangible item or service can leave Canada and, therefore, technically be exported.
It is also important for Canadian companies to understand that certain dual-use items (goods that can serve both a civilian and military purpose) are on Canada’s ECL. There are also various items in Group 5 that are not military or defence-related or nuclear items. There are items in Group 5 that neither Canada, nor the United States wishes to get into the wrong hands.
The ECL identifies specific goods and technology that are controlled for export from Canada to other countries, regardless of their means of delivery (e.g., shipment of goods, electronic transfer or transmission of information, provision of technical or consulting services, etc.). Even the delivery of training with respect to an ECL item could be an activity requiring an export permit.
The Brokering Control List (“BCL”) identifies specific goods and technology that are controlled for the purposes of brokering, i.e. arranging or negotiating a transaction that would result in the movement of controlled items from one foreign country to another foreign country. As with ECL goods, all methods of delivery of BCL goods are captured.
An export permit may be required when an employee provides technical data to foreign persons whether by email, cloud uploading, or by giving advice or information over the telephone. The risks identified in 1 – 6 above give rise to export controls issues for a company and could result in a breach of Canada’s export controls laws.
Canada’s economic sanctions regimes prohibit dealings with certain listed persons and entities in certain sanctioned countries. Canada imposes economic sanctions in various forms and various degrees against the following Sanctioned Countries: Burma/Myanmar, Central African Republic, the Democratic Republic of Congo, Eritrea, Iran, Iraq, Lebanon, Libya, Mali, Nicaragua, North Korea, Russia, Somalia, South Sudan, Sudan, Syria, Ukraine, Venezuela, Yemen and Zimbabwe.
Most businesses implement screening programs to ensure that they do not engage in prohibited activities with listed persons in Sanctioned Countries. The specific sanctions are contained in country specific regulations that can be changed by the Governor-in-Council (e.g., Cabinet).
Careful screening is required to prevent dealings with designated persons in sanctioned countries. The risks identified in 1, 2, 4, 5 (potential customer), 6 and 11 above give rise to economic sanctions issues for a company and could result in a breach of Canada’s economic sanctions laws.
Canada’s Controlled Goods Program is administered by the Controlled Goods Directorate (“CGD”). The CGD is responsible for administering Canada’s domestic industrial security program relating to the possession and/or examination of Controlled Goods within Canada’s borders and the transfer (including disposal or disclosing of contents) of any Controlled Good to another person within Canada. The focus of the program is to safeguard Controlled Goods within Canada from unauthorized possession, examination or transfer.
Companies who develop, manufacture, sell, provide services in respect of, or deal in any way with Controlled Goods must be registered with the Controlled Goods Directorate.
Controlled Goods are goods on the Controlled Goods List, which is a schedule to the Defence Production Act. Controlled Goods are primarily goods, including components and technical data (including blueprints and technical specifications in paper or electronic format) that have military or national security significance. The Controlled Goods List includes (a) a good of U.S.-origin that is a defense article as defined in section 120.6 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations, and (b) a good, other than a good of United States origin, that is manufactured using technical data of United States origin, as defined in section 120.10 of the International Traffic in Arms Regulations of the United States Code of Federal Regulations (if the technical data is a defense article).
Companies must have a written Security Plan in place before they register with the Controlled Goods Directorate. Security Plans must include the various steps that are being taken by the company to prevent the unauthorized possession, examination or transfer of Controlled Goods. This is like a form or component of a Compliance Program.
Prior to examining, possessing, or transferring Controlled Goods in Canada, every individual/employee who will have access to Controlled Goods must be assessed by a designated officer against security risks and be registered or exempted from registration under the Defence Production Act and Controlled Goods Regulations. Based on the personal information obtained from the employee, an evaluation is undertaken by the designated officer of the risk of transferring Controlled Goods by the employee to someone who is not registered or exempt. The designated officer must grant or deny access to the Controlled Goods or send the risk assessment to the CGD. The information is also reviewed on the basis of a security assessment to deny, suspend, amend or revoke existing registration or exemption of an employee or person.
Controlled Goods cannot be shared with persons inside the company who have not completed a risk assessment and been granted access. As a result, employees might not be able to share goods with each other.
Controlled Goods cannot be shared with persons outside the company who are not also registered with the CGD. Companies (and their employees) cannot send/transfer/store Controlled Goods with other companies without first determining whether the company is registered with the CGD and whether the person within the company has undergone a security risk assessment and been granted access to Controlled Goods. This means that outside service providers (such as cloud storage companies) must have a CGD registration before electronic information can be sent to them.
Strict controls and risk management are required to prevent unauthorized possession, examination or transfer of Controlled Goods. The risks identified in 1-10 above give rise to controlled goods issues for a company and could result in a breach of Canada’s controlled goods laws.
Disclosure for Non-Compliance
If you have identified breaches of Canada’s export controls laws as remote working arrangements were put in place, you should consider making a voluntary disclosure to the Export Controls Division.
If you think you may have a breach of the Controlled Goods Program rules, you are required to report that breach within 3 days. That being said, the Controlled Goods Directorate has indicated on its website that it has limited activities during the COVID-19 shutdown. Reports of breaches will be prioritized. The requirements for reporting a breach are set out in “Controlled Goods Registrants must notify the Minister of actual and potential data breaches”.
If you require assistance updating your compliance program to incorporate remote work activities or if you need to make a disclosure of a potential violation, please contact Cyndee Todgham Cherniak at 416-307-4168 or at firstname.lastname@example.org.