Sanctioning The Cloud: SAP Settlement Illustrates Increasing Trade Sanctions On The Global Flow Of Data

14 May 2021

Arnold & Porter

The US government is increasingly prioritizing trade enforcement of the tech industry's global data services. This is reflected in SAP SE's global resolution with DOJ, Commerce and Treasury of allegations that the company provided software to users in Iran in violation of export and sanctions regulations.

SAP, a multinational software company based in Germany, entered into a non-prosecution agreement (NPA) with DOJ and two administrative agreements with the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC) on April 29, 2021, after making voluntary disclosures to all three agencies, acknowledging years of violations of the Export Administration Regulations (EAR) and the Iranian Transactions and Sanctions Regulations (ITSR).

SAP's apparent EAR and ITSR violations came about in two ways. First, SAP and third-party resellers allowed users in Iran to access software by downloading it directly from SAP servers in the United States or through SAP's US-headquartered content delivery provider. Second, SAP provided cloud-based software subscription services that were accessed remotely by Iranian users through SAP's cloud businesses in the United States.

The US government's NPA with SAP is part of a larger pattern. In the past 18 months, the US government has begun to focus on the tech industry's sanctions compliance and has brought enforcement actions against companies of all sizes, including Apple and Amazon, for providing services to sanctioned parties. For instance, in early 2020, OFAC took action against SITA, a Swiss telecommunications company, settling apparent violations involving the provision of messaging services that were routed through hardware located in the United States. In December 2020, OFAC announced a settlement agreement with BitGo as a result of BitGo's similar failure to filter out users with IP addresses in sanctioned countries and territories. The global resolution with SAP represents a continuation of the growing interest on the part of regulators to assert jurisdiction over the activities of tech companies, even where the main jurisdictional hook is the presence of information on US servers.

The SAP action highlights the great importance of risk-based sanctions compliance programs for global companies providing software products online, including cloud-based services. Just as the US government expects banks to monitor global money flows and to prevent prohibited transactions, these recent cases demonstrate that companies are similarly expected to monitor and ensure compliance throughout the global flow of data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
