United States Expands Sanctions Authorization of Internet-Based Activities in Wake of Protests in Iran – Gibson Dunn

admin on October 4, 2022 Leave a Comment

October 3, 2022

Click for PDF

On September 23, 2022, the U.S. Treasury Departments Office of Foreign Assets Control (OFAC) issued General License D-2 (GL D-2), expanding a prior authorization to further facilitate the free flow of information over the internet to, from, and among residents of Iran. GL D-2 authorizes the exportation to Iran of certain services, software, and hardware incident to the exchange of internet-based communications. GL D-2 supersedes and replaces an existing license, General License D-1 (GL D-1), that had been in place without update for over eight years. According to the Treasury Department, the updated license is designed to bring the scope of the license in line with modern technology and ultimately to expand internet access for Iranians, providing them with more options of secure, outside platforms and services. As noted below, even though GL D-2 certainly expands upon the types of software and services allowed to be exported, one of its principal effects will likely be the enhanced comfort parties may have in providing such technology to Iran. GL D-1 was often not fully leveraged by the exporting community that was concerned about the extent of coverage. GL D-2 is an evident attempt to right this balance, making sure that exporters remain aware of limitations while also providing more certainty to those who wish to leverage the exemption.

GL D-2 is the latest Biden Administration effort to support the Iranians protesting the death of Mahsa Amini, a 22-year-old woman who was arrested by Irans Morality Police for allegedly violating the countrys laws on female dress and who died in police custody on September16. Iranian protest-related videos and messages on the internet and social media have captured local and global attention. The United Nations Secretary-General, among others, has called for an independent investigation into Aminis death. The Iranian government, meanwhile, has violently responded to protests and cut off internet access for most of its nearly 80million citizens. OFACs initial response on September22 was to impose blocking sanctions on Irans Morality Police and on seven senior leaders of Irans security organizations that have overseen the suppression of peaceful protests. The next day, OFAC issued GL D-2 and published accompanying FAQ guidance. The State Department highlighted the development as a step toward ensuring that the Iranian people are not kept isolated and in the dark.

GL D-2 retains much of the core operative language from GL D-1, including certain limitations. For example, the expansion in authorized services does not apply to the Government of Iran, for which there is still no authorization for fee-based services, and the license does not authorize services to most Iranian Specially Designated Nationals (SDNs). At the same time, as described by the Treasury Department, GL D-2 has modernized and broadened the authorization originally granted in GL D-1 in a number of meaningful ways. We highlight below the most notable updates.

Authorized Communications No Longer Need to Be Personal

As mentioned, GL D-2 authorizes the exportation to Iran of certain services, software, and hardware incident to the exchange of communications over the [i]nternet. Notably absent throughout the license is the requirement, previously present in GL D-1, that required the internet-based communications be personal. This is a significant change, because what exactly qualified as a personal communication under GL D-1 has been a gray area that caused many compliance questions. Indeed, a Treasury Department official confirmed that the change was motivated by feedback from industry that the personal limitation was a sticking point. This update makes clear that technology companies need not assess the personal nature of communications, which may make such companies and others more comfortable relying on the license.

This is also not the first time OFAC has omitted or removed the personal requirement in a communications-related general license authorizing internet-based activities. This past July, for example, OFAC issued General License No. 25C under its Russia Harmful Foreign Activities Program (promulgated in response to Russias invasion of Ukraine). This General License also allows the exportation of communications-related services to Russia without requiring that such communications be personal. Another example is the 2015 amendment by OFAC of the Cuba sanctions regulations which also dropped the personal requirement from that programs internet-communications license.

Casting a Wider Net Over Supporting Software

The new license has also further expanded the authorization of software. GL D-2 now allows the export of certain supporting software that is incident to or enables internet communications. Previously, GL D-1 only permitted software necessary to enable internet communications. By removing the requirement that software be necessary to support authorized services, GL D-2 expands the types of software covered by the exemption and provides an additional measure of confidence to exporters of internet-based communications software.

Additional Activities Are Now Expressly Covered

Compared to its predecessor license, the authorizing language in GL D-2 is broader and more explicit regarding the types of services that U.S. persons may offer to people in Iran. Previously, OFACs guidance listed only six examples of permitted activities: instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging. GL D-2 expands on that illustrative list, adding social media platforms, collaboration platforms, video conferencing, e-gaming, e-learning platforms, automated translation, web maps, and user authentication services. In our view, many of the newly added activities were likely already authorized under the prior GL D-1, but their addition to GL D-2 helps to confirm that they are indeed covered.

Entirely New Cloud-Based Authorization That Extends Beyond GL D-2

GL D-2 authorizes the provision of cloud-based services in support of both the activities enumerated in GL D-2 and any other transaction authorized or exempt under the [Iranian Transactions and Sanctions Regulations (ITSR)]. As a Treasury Department official explained, cloud-based services are key to aiding Iranians access to the internet because today so many VPNs and other [sorts] of anti-surveillance tools are delivered via cloud.

This cloud-based authorization is among the most significant expansions of GL D-1s original authorization, because it applies to a variety of transactions, parties, and services beyond those listed in GL D-2. For instance, as described in FAQ 1087, the cloud-based services provision applies to news outlets and media websites covered by the exemption for information or informational materials in section 560.210(c) of the ITSR. Treasury also highlights that the cloud-based services provision applies to other transactions authorized under the ITSR, including:

Coverage of No-Cost Services and Software

Under the prior regime, GL D-1 authorized fee-based services and software, while the general license at ITSR section 560.540 contained a parallel authorization for services and software provided at no cost. GL D-2 explicitly covers both fee-based and no-cost activity, but no-cost services to the Government of Iran continue to be limited to those described in Section 560.540, which retains the personal communications requirement that has been dropped from GL D-2. This combination of restrictions means that it is permissible, for example, to provide the Government of Iran with a no-cost instant messaging service, but not with a fee-based collaboration platform supporting a commercial endeavor.

Clarification of Providers Due Diligence Obligations

In conjunction with the expansion of permitted activities under GL D-2, the Treasury Department released guidance regarding cloud-based providers due diligence obligations under the new license. In FAQ 1088, OFAC explained that providers whose non-Iranian customers provide services or software to persons in Iran may rely on GL D-2 as long as the provider conducts due diligence based on information available to it in the ordinary course of business. This ordinary course of business formulation is not new, and OFAC has increasingly used this standard in describing its due diligence expectations. See, for example, FAQ 901 on complying with the Chinese Military Companies Sanctions under Executive Order13959.

In FAQ 1088, OFAC provides several hypotheticals to further articulate its expectations: If a U.S.-based provider supports non-Iranian customers that supply access to activities authorized under GL D-2such as providing access to Iranian news sites or VPNsthen the U.S.-based provider need not evaluate whether providing access to Iranian end users is related to communications. On the other hand, if a U.S.-based provider supports non-Iranian customers providing services or software not incident to communications under GL D-2for instance, if the non-Iranian customer provides payroll-management software to Iranthen the U.S.-based provider must evaluate whether the service or software is a prohibited export.

Expansion of Specific Licensing Policy

GL D-2 also expands OFACs policy for reviewing applications for specific licenses for activities not authorized by the license. In FAQ 1089, the Treasury Department encourages specific license applications by those seeking to export items or conduct other activities in support of internet freedom in Iran that are not authorized by GL D-2.

In particular, GL D-2 expands OFACs specific licensing policy by encouraging applications for specific licenses for activities to support internet freedom in Iran, including development and hosting of anti-surveillance software by Iranian developers. A Treasury Department official described the agencys specific licensing policy under GL D-2 as forward-leaning and supportive, noting that OFAC will expedite [specific license applications] by working with the State Department for foreign policy guidance.

Key License Features That Have Remained the Same

While GL D-2 uses a number of mechanisms to increase internet access for Iranians, certain exceptions and other limitations have carried over from GL D-1:

* * *

GL D-2 is a welcome upgrade and enhancement to GL D-1, and should encourage the private sector to be more forward leaning with respect to tools and technologies incident to internet-based communications that are now listed or otherwise covered by the license. It remains to be seen whether corresponding changes will be made to communications-related licenses under other OFAC programs. We will continue to report on, and advise on, these nuances as well as any further developments in this evolving area of sanctions law.

The following Gibson Dunn lawyers prepared this client alert: Audi Syarief, Samantha Sewall, Lanie Corrigan*, Judith Alison Lee, Adam M. Smith, and Stephenie Gosnell Handler.

Gibson Dunns lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following members and leaders of the firms International Trade practice group:

United StatesJudith Alison Lee Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)Ronald Kirk Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com)Courtney M. Brown Washington, D.C. (+1 202-955-8685, cmbrown@gibsondunn.com)David P. Burns Washington, D.C. (+1 202-887-3786, dburns@gibsondunn.com)Stephenie Gosnell Handler Washington, D.C. (+1 202-955-8510, shandler@gibsondunn.com)Nicola T. Hanna Los Angeles (+1 213-229-7269, nhanna@gibsondunn.com)Marcellus A. McRae Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com)Adam M. Smith Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)Christopher T. Timura Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com)Annie Motto Washington, D.C. (+1 212-351-3803, amotto@gibsondunn.com)Chris R. Mullen Washington, D.C. (+1 202-955-8250, cmullen@gibsondunn.com)Samantha Sewall Washington, D.C. (+1 202-887-3509, ssewall@gibsondunn.com)Audi K. Syarief Washington, D.C. (+1 202-955-8266, asyarief@gibsondunn.com)Scott R. Toussaint Washington, D.C. (+1 202-887-3588, stoussaint@gibsondunn.com)Shuo (Josh) Zhang Washington, D.C. (+1 202-955-8270, szhang@gibsondunn.com)

AsiaKelly Austin Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)David A. Wolber Hong Kong (+852 2214 3764, dwolber@gibsondunn.com)Fang Xue Beijing (+86 10 6502 8687, fxue@gibsondunn.com)Qi Yue Beijing (+86 10 6502 8534, qyue@gibsondunn.com)

EuropeAttila Borsos Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)Nicolas Autet Paris (+33 1 56 43 13 00, nautet@gibsondunn.com)Susy Bullock London (+44 (0) 20 7071 4283, sbullock@gibsondunn.com)Patrick Doris London (+44 (0) 207 071 4276, pdoris@gibsondunn.com)Sacha Harber-Kelly London (+44 (0) 20 7071 4205, sharber-kelly@gibsondunn.com)Penny Madden London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)Benno Schwarz Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)Michael Walther Munich (+49 89 189 33 180, mwalther@gibsondunn.com)

* Lanie Corrigan is a recent law graduate practicing in the firms Washington, D.C. office and not yet admitted to practice law.

2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Read this article:
United States Expands Sanctions Authorization of Internet-Based Activities in Wake of Protests in Iran - Gibson Dunn

Related Posts
Posted in Cloud Hosting

Comments are closed.