What India's New Export Control Regime Means for its Software Industry

Companies that engage in the business of building intrusion software and certain surveillance systems need to be on guard.

In a seminal elevation of her nuclear non-proliferation status globally, India was admitted to the Wassenaar Arrangement in December 2017, one of the four multilateral non-proliferation and export control regimes that govern and regulate the international transfer of conventional arms and dual-use goods and technologies.

The arrangement was conceived in 1995 in the Dutch town of Wassenaar, on principles (among others) of contribution to regional and international security, transparency and greater accountability in such transfers, and using export control to ensure nuclear technologies do not fall into terrorist hands.

India’s stepping stone to entry into this elite regime was the significant revamp of the ‘Special Chemicals, Organisms, Materials, Equipment and Technologies’ (SCOMET) list that itemises goods, services and technologies used for civilian and military applications, under the Indian Trade Classification for Export and Import Items.

The Directorate General of Foreign Trade (DGFT) updated the SCOMET list by way of a notification in April last year, which came into effect from May 1, 2017.

Export of items in the SCOMET list is regulated either by way of prohibition or an appropriate authorisation. The new SCOMET list has nine categories, most of which require authorisation from DGFT. The exceptions include export of category 0 items (nuclear and related material, technology etc.) which requires authorisation from the Department of Atomic Energy, and category 6 (munitions) is governed by the Standard Operating Procedure issued by the Department of Defence Production.

Perhaps the most critical addition to the SCOMET list, however, is ‘category 8’ titled ‘Special Materials and Related Equipment, Material, Processing, Electronics, Computers, Telecommunications, Information Security, Sensors and Lasers, Navigation and Avionics, Marine, Aerospace and Propulsion’. It was this category that harmonised India’s export control list with the Wassenaar Arrangement and made the entry possible.

Surveillance and interception software

Expectedly, there is and will be considerable amount of confusion in the software and information technology industry (particularly with companies that export intrusion software and certain surveillance systems) on the impact that the new SCOMET list has on their software and hardware product lines, and service offerings to foreign entities.

Indian IT companies (both India-headquartered as well as Indian subsidiaries of foreign companies) sell and license out everything from mobile phone monitoring, internet monitoring, telecom operator interception systems, intrusion detection systems, data mining, data analytics software etc. The United States market accounts for more than 57% of India’s total export of software and related services, with the United Kingdom in the second spot at 18% . The Electronics and Computer Software Export Promotion Council pegs India’s software and services exports at $121 billion in 2016-17. A staggering 83% of that total production is exported, with the remaining consumed domestically.

Several IT companies in India are either headquartered in the US or have subsidiaries in US and UK. For example, the US-headquartered Verint Systems, which is a market leader in surveillance technologies, or Polaris Wireless that provides high-accuracy wireless location solutions. Both these companies have entities in India. Such companies routinely engage in intra-company transfers of intangible technology (through non-physical means such as internet) and assignment of intellectual property. Intra-company means a transaction between two or more subsidiaries within the same corporate group. The reasons for this could be many, from monetising their offerings worldwide to decentralising information management.

With the addition of ‘category 8’ in the SCOMET list, such a transfer or assignment from an Indian entity to its own US or UK subsidiary too can qualify as export. It becomes crucial for such companies to not only assess the new SCOMET list but also understand the standard of protection afforded in the recipient country.

In fact, one of the criteria for DGFT to grant authorisation is export control measures of the recipient country. If anything, and rest assured, US and UK being members of all the four major export control regimes should serve to expedite the authorisation procedure for companies with operations there.

The DGFT, on its part, doesn’t believe that the IT industry is impacted much, going by the FAQs section on its website. One of the reasons is, software and technology in the public domain are excluded from the regulations. “Public domain” is defined as “domain that has no restrictions upon dissemination of information within or from it”. Any intellectual property rights over that information does not disqualify it from being in public domain. Some of the new items in Category 8 are software performing local area network functions, software for detection systems identifying biological agents, radioactive materials etc., multifunctional robots, mobile telecommunication interception equipment etc.

Additionally, DGFT’s handbook of procedures that was amended along with the SCOMET list in April last year, brings non-SCOMET items as well within the SCOMET ambit. If the DGFT notifies an exporter in writing or if such exporter believes that a non-SCOMET item has a potential risk of use on or diversion to weapons of mass destruction or in their missile system or military end-use (including by terrorists and non-state actors), the same process and authorisation mandated for SCOMET items would apply.

There are penal provisions in the Foreign Trade (Development and Regulation) Act, 1992 and its amendment of 2010 (FTDR Act), and the Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act), for violation of export laws, including civil or criminal prosecution or both. Apart from suspension or cancellation of the importer exporter code under the FTDR Act, the WMD Act stipulates fines ranging from Rs. 3 lakhs to Rs. 20 lakhs for unauthorised export. Each repeated offence carries punishments of imprisonment between six months to five years along with a fine.

The WMD Act also defines when an offence is committed by a company. Every person, who oversaw and was responsible to the company for the conduct of its business as well as the company itself, can be liable and punished. If such person can prove that the offence was committed without his knowledge, he/she can be off the hook. But proof of connivance or consent of any director, manager, secretary or other officer of the company is a ground for punishment.

There can be no degree of over-emphasis on the need for companies to thoroughly assess the new SCOMET list and its applicability on their business, considering the multiple exceptions, definitions, cross-references and qualifiers. The newly added General Technology Note and General Software Note give only a partial direction in deciphering the categories. Strict adherence to export laws should be made an integral part of regulatory/statutory compliance frameworks and business codes of multinational companies.

The DGFT, along with industry bodies, has been conducting outreach and open-house programmes for the IT industry specifically. The need of the hour is procedural expediency. The procedure should include within its timeline, to-and-fro communication between companies/traders and DGFT office (or the concerned authorising body) on preliminary queries and doubts the former may have. Per the amended handbook of procedures, an inter-ministerial working group (IMWG) in the DGFT will consider export applications and “endeavour” to furnish their written comments to DGFT within 30 days of the latter forwarding the applications (earlier, this was 45 days). If the IMWG cannot arrive at a decision, the application will be placed before the DGFT “for appropriate decision”.

The 30-day period, by itself, does not assure much, considering the track record of delays by the DGFT in processing applications. Secondly, there is no clarity whether the 30-day period includes the time taken by DGFT to decide an application after the IMWG has referred it to them.

Last year in May, Malaysia’s Ministry of International Trade and Industry launched a mobile app that companies and traders can use to search for any item on the Malaysia national dual-use control list, using a key word or category name. Note that Malaysia is not part of any of the four, elite multilateral export control regimes. The DGFT could well take a leaf out of this, as the first step in simplifying the process. The only DGFT app currently available is quite pointless – a repository of documents that is already on its website.

Sairam Sanath Kumar is an IT lawyer, currently based in Gurgaon. Views expressed are personal and not of any company he may represent.

Join The Discussion