Sanctioning the Cloud: SAP Settlement Illustrates Increasing Trade Sanctions on the Global Flow of Data
The US government is increasingly prioritizing trade enforcement of the tech industry’s global data services. This is reflected in SAP SE’s global resolution with DOJ, Commerce and Treasury of allegations that the company provided software to users in Iran in violation of export and sanctions regulations.
SAP, a multinational software company based in Germany, entered into a non-prosecution agreement (NPA) with DOJ and two administrative agreements with the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC) on April 29, 2021, after making voluntarily disclosures to all three agencies, acknowledging years of violations of the Export Administration Regulations (EAR) and the Iranian Transactions and Sanctions Regulations (ITSR).
SAP’s apparent EAR and ITSR violations came about in two ways. First, SAP and third-party resellers allowed users in Iran to access software by downloading it directly from SAP servers in the United States or through SAP’s US-headquartered content delivery provider. Second, SAP provided cloud-based software subscription services that were accessed remotely by Iranian users through SAP’s cloud businesses in the United States.
The US government’s NPA with SAP is part of a larger pattern. In the past 18 months, the US government has begun to focus on the tech industry’s sanctions compliance and has brought enforcement actions against companies of all sizes—including Apple and Amazon—for providing services to sanctioned parties. For instance, in early 2020, OFAC took action against SITA, a Swiss telecommunications company, settling apparent violations involving the provision of messaging services that were routed through hardware located in the United States. In December 2020, OFAC announced a settlement agreement with BitGo as a result of BitGo’s similar failure to filter out users with IP address in sanctioned countries and territories. The global resolution with SAP represents a continuation of the growing interest on the part of regulators to assert jurisdiction over the activities of tech companies—even where the main jurisdictional hook is the presence of information on US servers.
The SAP action highlights the great importance of risk-based sanctions compliance programs for global companies providing software products online, including cloud-based services. Just as the US government expects banks to monitor global money flows and to prevent prohibited transactions, these recent cases demonstrate that companies are similarly expected to monitor and ensure compliance throughout the global flow of data. For more details about the SAP global resolution and this growing trend in sanctions enforcement in the tech industry, please review our recent Advisory or contact its authors.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.