Export Controls: mass market exclusion within the cryptography note Category 5 part 2 note 3
Please further clarify the mass market exclusion within the cryptography note Category 5 part 2 note 3
(This question was asked at one of our recent webinars on Export Controls. You can listen to this webinar on our recent webinars page at http://opentoexport.com/info/webinars/)
Note 3 to Category 5 Part 2 is also known as the Cryptography Note. There are also other notes at the beginning of Category 5 Part 2 that try to exempt goods that have encryption in them but encryption is not the main function of the equipment. The interpretation of this Note in the UK has tended to be that it covers goods that can be purchased from outlets such as PC World. But you need to ensure that all of the other conditions in the Note, including a.3., are met before Note 3 can be used. And please note that a ‘user’ can be different from an installer/maintainer. This release only applies to goods that are available to almost any end user and would include items such as broadband modems for home use.
In the last 18 months, the USA has changed it’s interpretation of this Note and now exempts from control a wide range of components and products with encryption that the UK still maintains under control. Tech UK is working to try to get a level playing field on the interpretation of the Note and is in discussions with the Export Control Organisation. It is hoped that when these discussions have concluded, there will be a clearer statement on what goods are subject to this Note.
Thank you for your response.
With the CN exemptions in mind, the .gov website (https://www.gov.uk/guidance/export-of-cryptographic-items) states the records which must be kept for exporting products which have been decontrolled by the CN notes.
Like any other business we would certainly be keeping all possible/required records of how we rated our goods etc. But I can see how it may be difficult for businesses purchasing 3rd party items and keeping the records stated. They have noted keeping records ‘that you can reasonably be expected to obtain’ but how are these records audited, checked and validated?