by Judith Alison Lee, Adam M. Smith, Stephenie Gosnell Handler, Audi Syarief, and Samantha Sewall.

On September 23, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued General License D-2 (“GL D-2”), expanding a prior authorization to further facilitate the free flow of information over the internet to, from, and among residents of Iran. GL D-2 authorizes the exportation to Iran of certain services, software, and hardware incident to the exchange of internet-based communications. GL D-2 supersedes and replaces an existing license, General License D-1 (“GL D-1”), that had been in place without update for over eight years. According to the Treasury Department, the updated license is designed to bring the scope of the license in line with modern technology and ultimately to expand internet access for Iranians, providing them with “more options of secure, outside platforms and services.” As noted below, even though GL D-2 certainly expands upon the types of software and services allowed to be exported, one of its principal effects will likely be the enhanced comfort parties may have in providing such technology to Iran. GL D-1 was often not fully leveraged by the exporting community that was concerned about the extent of coverage. GL D-2 is an evident attempt to right this balance, making sure that exporters remain aware of limitations while also providing more certainty to those who wish to leverage the exemption.

GL D-2 is the latest Biden Administration effort to support the Iranians protesting the death of Mahsa Amini, a 22-year-old woman who was arrested by Iran’s Morality Police for allegedly violating the country’s laws on female dress and who died in police custody on September 16. Iranian protest-related videos and messages on the internet and social media have captured local and global attention. The United Nations Secretary-General, among others, has called for an independent investigation into Amini’s death. The Iranian government, meanwhile, has violently responded to protests and cut off internet access for most of its nearly 80 million citizens. OFAC’s initial response on September 22 was to impose blocking sanctions on Iran’s Morality Police and on seven senior leaders of Iran’s security organizations that have overseen the suppression of peaceful protests. The next day, OFAC issued GL D-2 and published accompanying FAQ guidance. The State Department highlighted the development as a step toward ensuring that the “Iranian people are not kept isolated and in the dark.”

GL D-2 retains much of the core operative language from GL D-1, including certain limitations. For example, the expansion in authorized services does not apply to the Government of Iran, for which there is still no authorization for fee-based services, and the license does not authorize services to most Iranian Specially Designated Nationals (“SDNs”). At the same time, as described by the Treasury Department, GL D-2 has modernized and broadened the authorization originally granted in GL D-1 in a number of meaningful ways. We highlight below the most notable updates.

Authorized Communications No Longer Need to Be “Personal”

As mentioned, GL D-2 authorizes the exportation to Iran of certain services, software, and hardware incident to the exchange of “communications over the [i]nternet.” Notably absent throughout the license is the requirement, previously present in GL D-1, that required the internet-based communications be “personal.” This is a significant change, because what exactly qualified as a “personal communication” under GL D-1 has been a gray area that caused many compliance questions. Indeed, a Treasury Department official confirmed that the change was motivated by feedback from industry that the “personal” limitation was “a sticking point.” This update makes clear that technology companies need not assess the “personal” nature of communications, which may make such companies and others more comfortable relying on the license.

This is also not the first time OFAC has omitted or removed the “personal” requirement in a communications-related general license authorizing internet-based activities. This past July, for example, OFAC issued General License No. 25C under its Russia Harmful Foreign Activities Program (promulgated in response to Russia’s invasion of Ukraine). This General License also allows the exportation of communications-related services to Russia without requiring that such communications be “personal.” Another example is the 2015 amendment by OFAC of the Cuba sanctions regulations which also dropped the “personal” requirement from that program’s internet-communications license.

Casting a Wider Net Over Supporting Software

The new license has also further expanded the authorization of software. GL D-2 now allows the export of certain supporting software that is “incident to” or “enables” internet communications. Previously, GL D-1 only permitted software “necessary to enable” internet communications. By removing the requirement that software be “necessary” to support authorized services, GL D-2 expands the types of software covered by the exemption and provides an additional measure of confidence to exporters of internet-based communications software.

Additional Activities Are Now Expressly Covered

Compared to its predecessor license, the authorizing language in GL D-2 is broader and more explicit regarding the types of services that U.S. persons may offer to people in Iran. Previously, OFAC’s guidance listed only six examples of permitted activities: “instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging.” GL D-2 expands on that illustrative list, adding “social media platforms, collaboration platforms, video conferencing, e-gaming, e-learning platforms, automated translation, web maps, and user authentication services.” In our view, many of the newly added activities were likely already authorized under the prior GL D-1, but their addition to GL D-2 helps to confirm that they are indeed covered.

Entirely New Cloud-Based Authorization That Extends Beyond GL D-2

GL D-2 authorizes the provision of cloud-based services in support of both the activities enumerated in GL D-2 and “any other transaction authorized or exempt under the [Iranian Transactions and Sanctions Regulations (‘ITSR’)].” As a Treasury Department official explained, cloud-based services are key to aiding Iranians’ access to the internet because “today so many VPNs and other [sorts] of anti-surveillance tools are delivered via cloud.”

This cloud-based authorization is among the most significant expansions of GL D-1’s original authorization, because it applies to a variety of transactions, parties, and services beyond those listed in GL D-2. For instance, as described in FAQ 1087, the cloud-based services provision applies to “news outlets and media websites covered by the exemption for information or informational materials in section 560.210(c) of the ITSR.” Treasury also highlights that the cloud-based services provision applies to other transactions authorized under the ITSR, including:

• transactions “necessary and ordinarily incident to publishing authorized pursuant to [ITSR] section 560.538”;
• transactions “for the conduct of the official business of certain international organizations pursuant to [ITSR] section 560.539”;
• the “sale and exportation of agricultural commodities, medicine, medical devices, and certain software and services pursuant to [ITSR] section 560.530”; and
• transactions “authorized pursuant to any [other] general or specific licenses issued under the ITSR.”

Coverage of “No-Cost” Services and Software

Under the prior regime, GL D-1 authorized fee-based services and software, while the general license at ITSR section 560.540 contained a parallel authorization for services and software provided at no cost. GL D-2 explicitly covers both fee-based and no-cost activity, but no-cost services to the Government of Iran continue to be limited to those described in Section 560.540, which retains the “personal” communications requirement that has been dropped from GL D-2. This combination of restrictions means that it is permissible, for example, to provide the Government of Iran with a no-cost instant messaging service, but not with a fee-based collaboration platform supporting a commercial endeavor.

Clarification of Providers’ Due Diligence Obligations 

In conjunction with the expansion of permitted activities under GL D-2, the Treasury Department released guidance regarding cloud-based providers’ due diligence obligations under the new license. In FAQ 1088, OFAC explained that providers whose non-Iranian customers provide services or software to persons in Iran may rely on GL D-2 as long as the provider conducts due diligence based on information available to it in the “ordinary course of business.” This “ordinary course of business” formulation is not new, and OFAC has increasingly used this standard in describing its due diligence expectations. See, for example, FAQ 901 on complying with the Chinese Military Companies Sanctions under Executive Order 13959.

In FAQ 1088, OFAC provides several hypotheticals to further articulate its expectations: If a U.S.-based provider supports non-Iranian customers that supply access to activities authorized under GL D-2—such as providing access to Iranian news sites or VPNs—then the U.S.-based provider need not evaluate whether providing access to Iranian end users is related to communications. On the other hand, if a U.S.- based provider supports non-Iranian customers providing services or software not incident to communications under GL D-2—for instance, if the non-Iranian customer provides payroll-management software to Iran—then the U.S.-based provider must evaluate whether the service or software is a prohibited export.

Expansion of Specific Licensing Policy

GL D-2 also expands OFAC’s policy for reviewing applications for specific licenses for activities not authorized by the license. In FAQ 1089, the Treasury Department encourages specific license applications by those seeking to export items or “conduct other activities in support of internet freedom in Iran” that are not authorized by GL D-2.

In particular, GL D-2 expands OFAC’s specific licensing policy by encouraging applications for specific licenses for “activities to support internet freedom in Iran, including development and hosting of anti- surveillance software by Iranian developers.” A Treasury Department official described the agency’s specific licensing policy under GL D-2 as “forward-leaning” and “supportive,” noting that “OFAC will expedite [specific license applications]” by working with the State Department for foreign policy guidance.

Key License Features That Have Remained the Same

 While GL D-2 uses a number of mechanisms to increase internet access for Iranians, certain exceptions and other limitations have carried over from GL D-1:

• The updated license still provides (1) no coverage for most Iranian SDNs and (2) coverage of only no-cost services or software for the Iranian government (as opposed to those that are fee- based). These exclusions do not represent a change in OFAC’s licensing scheme, as GL D-1 contained the same prohibitions.
• The license’s Annex—which contains the various categories of additional authorized software and hardware—is unchanged. GL D-2 continues to permit the provision of anti-virus, anti- malware, and anti-tracking software, as well as VPN client software and anti-censorship tools under certain conditions.
• GL D-2’s software/hardware authorization is still largely limited to items either classified as EAR99 or mass-market (i.e., c or 5A992.c) under the Commerce Control List, or to items that would be so classified if in the United States.

* * *

GL D-2 is a welcome upgrade and enhancement to GL D-1, and should encourage the private sector to be more forward leaning with respect to tools and technologies incident to internet-based communications that are now listed or otherwise covered by the license. It remains to be seen whether corresponding changes will be made to communications-related licenses under other OFAC programs. We will continue to report on, and advise on, these nuances as well as any further developments in this evolving area of sanctions law.

This post was originally published as a client update on Gibson Dunn’s website. Judith Alison Lee, Adam M. Smith, and Stephenie Gosnell Handler are Partners and Audi Syarief and Samantha Sewall are Associates at Gibson, Dunn & Crutcher.

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.