Yesterday the Directorate of Defense Trade Controls (“DDTC”) and FLIR entered into a consent agreement under which FLIR consented to a civil penalty of $30 million, half of which was suspended on the condition that this amount was and would be applied to previous and future compliance costs. The fine was based on a number of export violations in various categories that FLIR voluntarily disclosed. These violations included instances where disclosed violations continued after their disclosure and where promised remedial actions to cure disclosed violations were not taken.
One part of the Charging Letter is interesting because it appears to be effectively a reversion to the old DDTC standard, clearly articulated in the 2004 General Motors Charging Letter, that access to ITAR-controlled information by a foreign national is a deemed export violation even if the controlled information was never in fact seen by the foreign national. As you may recall, back in 2016 DDTC retreated from that position, saying this in the Federal Register Notice in which “export” was redefined by DDTC:
Several commenters requested that the Department remove the portion of (a)(6) that addressed the provision of physical access to technical data. The Department has removed paragraph (a)(6). However, as described above for paragraph (a)(7), while the act of providing physical access does not constitute an “export,” any release of technical data to a foreign person is an “export,” “reexport,” or “retransfer” and will require authorization from the Department. If a foreign person views or accesses technical data as a result of
being provided physical access, then an “export” requiring authorization will have occurred and the person who provided the foreign person with physical access to the technical data is an exporter responsible for ITAR compliance.
Now look at this part of the Charging Letter:
Approximately 1,350 foreign-person employees had access to all ITAR-controlled technical data (over 1,400 files) located on Respondent’s servers in 22 non-U.S. facilities … While access does not mean that the employees viewed the information, Respondent lacked the IT records which could confirm which employees actually accessed ITAR-controlled files. … It is the Department’s position that Respondent transferred technical data to foreign-person employees that was necessary for their job performance on its servers without authorization.
What DDTC is saying here, in effect, is that if you don’t have logs showing every access to the controlled technical data — and who will have that? — then DDTC is just going to assume that the controlled technical data was transferred to everyone who had access to it. So we’re back where we started and access, not disclosure, is the violation. Sigh.