December 14, 2022

Is SaaS / cloud-based software subject to export compliance rules in Australia?

Software as a Service (SaaS) technologies have disrupted and transformed the way many businesses deliver software-enabled products and services to consumers and other businesses. SaaS businesses tend to have global aspirations, and in making these solutions available in overseas markets, Australian businesses should be aware of software export compliance rules and how SaaS products can be legally distributed outside of Australia.

What is SaaS / Cloud-Based Software?

SaaS and cloud-based technologies are a way of delivering applications over the internet as a service rather than installing and maintaining software locally. As a business model, this involves hosting an application which is available to consumers for use over the internet utilising a cloud delivery model. These businesses maintain servers, databases and software that allow the application to be accessed over the internet – usually by any device with a network connection. Users then access the software from an increasing array of web-enabled hardware devices.

SaaS businesses usually do not provide hosting services for the content, but typically team with large hosting providers such as Amazon Web Services or Microsoft Azure.

Notable examples of SaaS businesses abound, including some of the most dominant players in the modern economy, such as Google Workspace, Canva, Trello, Slack, Xero, Dropbox and MailChimp to name just a few.

What are the export compliance rules in Australia?

For companies looking to utilise the SaaS model, it is important to be aware of the Australian legal framework for exporting software to maintain compliance when conducting business:

  • The Defence and Strategic Goods List (DSGL) specifies the goods, software or technology that is regulated when exported, supplied, brokered, or published.
  • The DSGL is governed by the Defence Trade Controls Act 2012 (DTC Act), which requires a permit for exporting certain software listed in the DSGL.
  • The Defence Trade Controls Amendment Act 2015 (Cth) contains offence provisions for supplying and publishing DSGL technology and for brokering DSGL goods and technology.

If a product is regulated, then the transferor needs to apply to the Australian Department of Defence for a licence by providing information about the technology, the jurisdictions in which it will be accessible and the impact the technology may have. The Department of Defence then considers, amongst other concerns, whether:

  • the technology could be used in a way contrary to Australia’s international obligations;
  • the technology has the capacity to compromise an Australian defence operation; or
  • the export of the technology may damage a relationship between Australia and another country.

Currently, under Australian law, SaaS products and services do not require a permit where:

  • The SaaS product is not physically shipped but made available over the internet, telephone lines, satellite, or other intangible means[1]; and
  • The transferor did not believe or suspect that the transferee would or would likely use that controlled technology in connection with a military application – e.g., for a weapon of mass destruction – or dual military and civil purpose where no exemption applies.[2]

Accordingly, SaaS businesses require fewer export control considerations than traditional exports of software, and Australia’s export control regime does not apply.

What are the export rules of other jurisdictions?

In considering the operation of the Australian framework, it is useful to note the approach of other key markets. Both the US and UK are similar to the Australian position:

  • Under US rules, where the user of the services does not download executable software, but merely operates the software as a service “in the cloud” or on a server, there is deemed to be no export of software. As there is no export, there is no need for a licence. However, if software is modified, customised, or adapted for military use, it is subject to the US munitions export control program and requires a technical data license.
  • Under UK rules, cloud-service providers giving users access to SaaS services do not require a licence where the user does not download executable software, but only makes use of software on a remote server. However, the UK also requires a permit for the export of SaaS when it can be used for military purposes, including dual-use software for both civil and military purposes.

Concluding remarks

As it stands, the Australian export rules will not regulate SaaS exports with no military application, enabling SaaS businesses to expand their market reach into overseas jurisdictions unencumbered by export restrictions.

However, businesses looking to utilise the SaaS model should always be aware that they may be subject to the laws of the country they are exporting to, as well as the conventional laws regulating the conduct of Australian businesses.

For further guidance on SaaS businesses and their operation and regulation in Australia and overseas, please contact us using the information below.

[1] ‘Types of Exports’ Australian Border Force (Webpage, 2022) <>.

[2] Defence Trade Controls Act 2012 (Cth) s 15(4D)(b).
