On September 23, 2022, the US Department of the Treasury’s Office of Foreign Assets Controls (“OFAC”) issued Iran General License D-2 (“GL D-2“), which amends and replaces the former Iran General License D-1 (“GL D-1“), and published three related Frequently Asked Questions (“FAQs“). GL D-2 authorizes a more expansive set of internet communication-related activities, including cloud-based software and services, that are otherwise prohibited under the Iranian Transactions and Sanctions Regulations (“ITSR”). According to the accompanying press release, GL D-2 aims to support internet freedom in Iran by updating US sanctions guidance in light of changes in communications technology since the issuance of GL D-1 in 2014 and to respond to the Iranian government’s efforts to suppress internet access following recent anti-government movement in Iran.
More specifically, GL D-2 expands the scope of the prior authorization under GL D-1 to provide the Iranian people with more options for internet platforms and services. For example, GL D-2;
- now authorizes additional categories of fee-based or no-cost software/services, including social media platforms, collaboration platforms, video conferencing, e-gaming, e-learning platforms, automated translation, web maps, and user authentication services, as well as cloud-based services in support of such services. GL D-1 only listed instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging as authorized categories of software/services;
- removes the requirement that authorized communications be “personal” in nature, which, according to OFAC, is intended to ease the compliance burdens for companies seeking to verify the purpose of communications. (This change is in line with a similar general license in the Cuba program);
- changes the stipulation that software be “necessary” to services incident to the exchange of communications over the internet, requiring only that it be “incident to, or enable” such services; and
- expands the case-by-case licensing policy for activity not covered by GL D-2 to specifically include “other activities to support internet freedom in Iran, including development and hosting of anti-surveillance software by Iranian developers” in an effort to encourage Iranian developers to create homegrown anti-surveillance and anti-censorship apps.
Through the accompanying FAQs, OFAC notes that:
- Software exported under GL D-2 either: (1) must be designated as EAR99 under the Export Administration Regulations (“EAR”) or classified under Export Control Classification Number (“ECCN”) 5D992.c; or (2) if the software is not subject to the EAR, it must be the type of software that would be designated as EAR99 or classified under ECCN 5D992.c if it were subject to the EAR (see FAQ 1087).
- A cloud-based service or software provider whose non-Iranian customers provide services or software to persons in Iran via the provider’s cloud may rely upon the authorization under GL D-2 to provide access to Iran, provided that such provider performs due diligence based on information available in the ordinary course of business to confirm that the non-Iranian customer: (1) is not a person whose property and interests in property are blocked, except as authorized under GL D-2; and (2) provides software and services that fall within one of the categories described in FAQ 1087, or otherwise involve activity authorized or exempt under the ITSR (see FAQ 1088).
- Persons seeking to export software, services, or hardware to Iran in support of internet freedom can apply for a specific license from OFAC if the export is not otherwise authorized by GL D-2 (see FAQ 1089).
The categories of services, software, and hardware “incident to communications” authorized under this general license (i.e., those listed in the Annex) remain unchanged.
Also unchanged is the requirement that the provision of any covered software or services to the Government of Iran be limited to “no-cost” software and services.