In his article, Ulan Batenov, MinTax LLP Senior Lawyer, considered one of the important issues concerning measures of non-tariff regulation applied when importing cryptographic information protection facilities, in particular – registration of notifications about characteristics of goods (products) containing encryption (cryptographic) facilities. The parties involved in foreign economic activities, in the process of carrying out their activities, more and more often encounter measures of non-tariff regulation applied in the territory of the Eurasian Economic Union (“EAEU”).

In particular, the participants of foreign economic activities (“FEA”) supplying (performing export-import transactions) office equipment, communications means and other items used for storage and transmission of information, face the need to register notifications about the characteristics of goods (products) containing cryptographic facilities.

The obligation to present a notification to the customs authorities arises when the cargo is placed under customs procedures. This is the requirement of the ‘Regulations concerning the import of encryption (cryptographic) facilities to/from the customs territory of EAEU’ which is the Appendix #9 to the Resolution #30 of the Board of the Eurasian Economic Commission dated 21 April 2015 (hereinafter – “CIPF Import/Export Regulations”).

In accordance with the Law of the Republic of Kazakhstan “On Permits and Notifications” # 202-V ZRK dated 16 May 2014, a notification about the characteristics of goods (products) containing encryption (cryptographic) facilities is deemed to be a second-category permit.

Although all the normative legal acts regulating the applicable measures of non-tariff regulation are in the public domain, not many people beforehand study the issues related to placement under customs procedures. Normally, it is the customs officers who inform about the need to register notifications about characteristics of goods (products) containing encryption (cryptographic) facilities during the period when the cargo has arrived and is being placed under customs procedures.

In practice, the parties involved in FEA use notifications that have already been registered by someone, since CIPF Import/Export Regulations do not require that notification be registered exactly by the person who is placing the goods under customs procedures. There are cases when Kazakhstan residents use notifications registered in the Russian Federation, Belarus and other states (EAEU members).

But there is always a risk that the registered notification is not in place to allow trouble-free customs clearance of your cargo containing encryption (cryptographic) facilities. This is just the case we are going to consider.

So, the occasion has come when a notification needs to be registered. What shall we begin with?

Step 1

It is recommended to check whether the imported item is in the List of goods which are subject to a licensed procedure for import to the customs territory of EAEU and (or) export from the customs territory of EAEU (hereinafter – the List), which is the Appendix 2 to the Resolution #3 of the Board of the Eurasian Economic Commission dated 21 April 2015.

Encryption (cryptographic) facilities are specified in clause 2.19. of the List.

However, the fact that the imported item is specified in clause 2.19. of the List still does not mean that notification must be registered.

Thus, pursuant to paragraph 3 of CIPF Import/Export Regulations, goods included in section 2.19 of the uniform List have the encryption (cryptographic) functions, if they implement or comprise the following facilities (systems and complexes):

a) encryption facilities (hardware, software and hardware-software facilities, systems and complexes implementing cryptographic information transformation algorithms and designed to protect information from unauthorized access when it is transmitted through communication channels and (or) while processing and storing it);

b) tools for prevention of false data entry (hardware, software and hardware-software facilities, systems and complexes implementing cryptographic information transformation algorithms and designed to protect against the imposition of false information);

c) electronic digital signature (electronic signature) tools defined in accordance with the legislation of the member states of the Union (hereinafter – member states);

d) hardware, software and hardware-software facilities, systems and complexes implementing algorithms for cryptographic information transformation with the implementation of a part of such transformation by manual operations or using automated facilities based on such operations;

e) hardware, software and hardware-software facilities, systems and complexes implementing algorithms for cryptographic information transformation and designed for manufacturing key documents (regardless of the type of the carrier of key information);

f) hardware, software and hardware-software facilities, systems and complexes designed or modified for implementing cryptanalytical functions;

g) hardware, software and hardware-software facilities, systems and complexes implementing algorithms for cryptographic information transformation, developed or modified to apply cryptographic methods for generating the expanding code for expanding spectrum systems, including hopping code tuning for systems with hopping frequency tuning;

h) hardware, software and hardware-software facilities, systems and complexes implementing algorithms for cryptographic information transformation, developed or modified for the application of cryptographic methods of channel formation or secure codes for time-modulated ultra-wideband systems.

Step 2

If you believe that the imported equipment does not require registration of the notification, although it is specified in the List, since it, in your opinion, does not implement or contain facilities specified in clause 3 of CIPF Import/Export Regulations, it is necessary to conduct a technical study as to referring the goods to cryptographic information protection facilities and special technical tools intended for conducting investigative measures in the national security agencies.

The procedure for carrying out technical research is stipulated by the Public Service Standard “Carrying out a technical survey with regard to referring the goods to cryptographic information protection facilities and special technical means intended for carrying out investigative measures”, which is Annex 6 to the Order #30 of the Chairman of the National Security Commission dated April 28, 2015.

When submitting the documents for obtaining the public service, one must attach special importance to one document, in particular – a set of technical documents relating to the item being studied.

Normally, technical documents supplied by the manufacturer are oriented to an average user, and may not contain the necessary data for the purposes of conducting technical research by the authorized body. In this case, it is necessary to submit an additional self-made document with a technical description, specifying all necessary data, including but not limited to: purpose, protocols used, algorithms, encryption possibility, data transfer procedure, etc. Otherwise, the authorized body may require to present samples of the goods, due to difficulties in issuing an opinion.

The period for providing the public service comprises 5 (five) working days.

Step 3

If the national security authorities have issued an opinion that the imported equipment is referred to cryptographic information protection facilities, we recommend that registration of the notification should be initiated.

The procedure for registration of the notification is stipulated by the Public Service Standard “Registration of notifications about the characteristics of goods (products) containing encryption (cryptographic) facilities”, which is Annex 7 to the Order #30 of the Chairman of the National Security Commission dated 28 April 2015 (hereinafter referred to as the “Standard”).

In particular, the Standard determines that the service provider is the National Security Commission of the Republic of Kazakhstan, the period of service provision is 10 (ten) working days, there is a possibility to submit a notification through a web portal [url]http://elicense.kz[/url] portal in the form of an electronic document and that the public service is provided free of charge.

Paragraph 9 of the Standard specifies the list of documents necessary for obtaining the government service, describing two cases, in particular:

• to a service provider on paper carrier:
• cover letter in free format;
• notification;
• electronic copy of the notification on a media (CD disk, flash- memory) in *.xls format. The structure of the notification file presented to the service provider is described in the Regulations;
• legalized document (apostil, consular legalization), authorizing the service recipient to act on behalf of the manufacturer. If this document is prepared in a foreign language, a translation to the official or Russian language certified under the procedure established by the legislation of the Republic of Kazakhstan should be attached to the original or a notarized copy of this document.
• to the portal:
• inquiry in electronic form certified by the EDS of the service recipient;
• electronic notification;
• electronic document of the notification in *.xls format. The structure of the notification file presented to the service provider is described in the Regulations;
• electronic copy of the legalized document (apostil, consular legalization), authorizing the service recipient to act on behalf of the manufacturer. If this document is prepared in a foreign language, an electronic copy of the translation to the official or Russian language certified under the procedure established by the legislation of the Republic of Kazakhstan should be provided as well.

The notification form is stipulated in Annex 3 to CIPF Import/Export Regulations.

The structure of the notification electronic document in * .xls format is set out in Annex 1 to the Regulations regarding the notification of the characteristics of encryption (cryptographic) facilities and the goods containing them, approved by the Resolution of the Board of the Eurasian Economic Commission dated 21 April 2015 No. 30 “Concerning measures of non-tariff regulation”.

At the same time, it should be noted that if the notification is prepared by the manufacturing organization of the country that is not a member state of the Customs Union, the notification is subject to legalization.

As mentioned above, the registered notification is a second-category permission, which gives the right to import CIPF into the territory of the Customs Union.

Thus, in accordance with paragraph 5 of the CIPF Import/Export Regulations, import and (or) export of encryption (cryptographic) facilities shall be carried out if there is information on whether a relevant notification is included in a single register of notifications (hereinafter – notification information) or in the presence of a license issued in accordance with the Instructions for processing applications for the issuance of a license for exporting and /or importing certain types of goods and for the issuance of such a license, approved by the Resolution #199 of the Board of the Eurasian Economic Commission dated 6 November 2014 (hereinafter – the License) or the opinion (permit) under the form approved by the Resolution #45 of the Board of the Eurasian Economic Commission dated 16 May 2012 (hereinafter – the opinion (permit)).

In the absence of notification or other documents specified in the foregoing clause of the CIPF Import/Export Regulations, the parties may be subject to penalties imposed by the government authorities.

In particular, pursuant to part one of Article 463 of the Code of the Republic of Kazakhstan “On Administrative Offences” #235-V ZRK dated 5 July 2014, engaging in entrepreneurial or other activities, as well as the implementation of actions (operations) without registration, permission, as well as failure to notify in cases where registration, authorization, notification are mandatory, if these actions do not contain the signs of a criminal offence -entail a fine on individuals at a rate of fifteen, on officials, small business entities – at a rate of twenty-five, on subjects of medium-sized business – at a rate of forty, on subjects of large business – at a rate of one hundred and fifty monthly reference indicators, with confiscation of items and (or) tools used in committing administrative offences, or without it, and engaging in entrepreneurial or other activities without a license additionally entails the confiscation of income (dividends), money, securities obtained as a result of an administrative offence.

Furthermore, pursuant to part one of Article 214 of the Criminal Code of the Republic of Kazakhstan #226-V ZRK dated 3 July 2014, carrying out entrepreneurial or banking activity (banking operations) or collecting activity without registration, as well as without a compulsory license for that activity or with violation of legislation of the Republic of Kazakhstan on permissions and notifications, as well as engaging in prohibited types of entrepreneurial activity, if these actions have inflicted heavy damage on a citizen, organization or the state or are linked with deriving of income at a large scale or production, storage, transfer or sale of excisable goods in significant amounts,- shall be punished by the fine in the amount of up to two thousand monthly calculation indices or correctional works in the same amount, or restriction of liberty for the term of up to two years, or imprisonment for the same term with confiscation of property or without it.

In this regard, if there is a need to perform registration of a notification, we recommend that it should be performed before the goods are placed under customs procedures.