In accordance with the International Traffic in Arms Regulations (22 CFR 120-130 – herein, “ITAR”) technical data may not be exported to any Non-US Person, including to any location outside of the United States, without a specific authorization by the U.S. State Department. Managing the physical location of any servers used for email or data storage is critical to maintaining trade compliance and preventing a violation of the U.S. export regulations.
For reference purposes, the ITAR includes the following applicable definitions:
22 CFR §120.17 Export.
(a) Export means:
(1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or

(4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or

22 CFR §120.10 Technical data.
(a) Technical data means, for purposes of this subchapter:
(1) Information, other than software as defined in §120.10(a)(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.

§120.15 U.S. person.
U.S. person means a person (as defined in §120.14 of this part) who is a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States.

22 CFR §120.16 Foreign person.
Foreign person means any natural person who is not a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is not a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any foreign corporation, business association, partnership, trust, society or any other entity or group that is not incorporated or organized to do business in the United States, as well as international organizations, foreign governments and any agency or subdivision of foreign governments (e.g., diplomatic missions).

The interpretation of U.S. State Department policy is that if a Foreign Person has the ability to access export controlled technical data, it is considered a potential export thus requiring an export license. Whether or not a foreign person actually accesses the technical data or not is not relevant to this interpretation. Presently, this even includes data that may be encrypted. When multinational companies consider centralizing and managing email or data servers that includes data from its US facilities, they must ascertain if those locations may receive and/or electronically store ITAR-controlled technical data. If so, then U.S. export regulations that must be considered.

Under the current regulations, ITAR technical data that is emailed from a US Person to a Foreign Person is considered to be an export. This includes technical data that may be routed via an email exchange server to a location outside of the United States, regardless if the intended and ultimate recipient is a US Person located within the territory of the United States. Similarly, any technical data that may be stored on a server or other electronic storage device is transferred or backed up outside of the United States, is considered to be exported. As stated above, this is regardless of whether the data is encrypted or otherwise accessed by the Non-US Person.

Presently, the only way to legally allow for this activity to occur outside of the U.S. is to license the foreign parties that may have access to the data. Such a license would need to broad enough to cover all of the types of technical data that is or may be present on a server or email and all of the nationalities of the foreign party must be included in the authorization. This includes all dual and third country nationalities of the facility’s employees who may obtain physical or virtual access as well as those of any sub-contractors. Experience has shown that obtaining such a license would be difficult and the internal control plan required by the Non-US location(s) would be onerous.

In the future, the U.S. US export licensing requirements may change to allow for some “cloud storage” under very specific requirements. Until that time, maintaining a U.S. based email exchange server and file servers for ITAR-controlled technical data is the industry standard.