The White House recently released a new Executive Order imposing sanctions on information technology companies that facilitate certain human rights abuses in Iran and Syria. Released on April 23, the Executive Order ("Blocking the Property and Suspending the Entry into the United States of Persons with Respect to Grave Human Rights Abuses by the Governments of Iran and Syria via Information Technology") explicitly applies to both individuals and entities.
In the order, President Barack Obama states that
"the commission of serious human rights abuses against the people of Iran and Syria by their governments, facilitated by computer and network disruption, monitoring, and tracking by those governments, and abetted by entities in Iran and Syria that are complicit in their governments’ malign use of technology for those purposes, threaten[s] the national security and foreign policy of the United States."
The order therefore imposes sanctions, including potential seizure of assets, on any individual or entity determined by the Secretary of the Treasury to have:
operated, or to have directed the operation of, information and communications technology that facilitates computer or network disruption, monitoring, or tracking that could assist in or enable serious human rights abuses by or on behalf of the Government of Iran or the Government of Syria.
sold, leased, or otherwise provided, directly or indirectly, goods, services, or technology to Iran or Syria likely to be used to facilitate computer or network disruption, monitoring, or tracking that could assist in or enable serious human rights abuses by or on behalf of the Government of Iran or the Government of Syria.
In recent months, U.S.-based companies have been named in the media as being involved in sales of technology to Iran and/or Syria, and reputational concerns and stakeholder advocacy have caused several companies to reevaluate their contracts. To date, however, no American companies have been named as sanctioned entities under the new Order, and it is unclear whether the Executive Order will be rigorously enforced. That said, all information technology companies are advised to evaluate the legal and reputational risks associated with the end-use of their products.
Companies should take specific note of two aspects of the new Order:
It covers indirect sales. Companies risk sanctions therefore if they sell certain technologies to third parties that subsequently use those technologies to facilitate human rights abuses in Iran or Syria.
It sanctions sales of goods, services and technologies that are “likely to be used” in a prohibited manner. This puts the burden on companies to evaluate their customers and the ways in which their products are likely to be used.
Companies are therefore advised to establish due diligence processes in order to assess the risks that their products will be used to facilitate the violation of human rights. If such risks as identified, companies should ensure that they have the policies and procedures necessary to avoid or mitigate potential adverse human rights impacts.
The Electronic Frontier Foundation, a nonprofit advocacy organization, recently released a report, Human Rights and Technology Sales: How Corporations Can Avoid Assisting Repressive Regimes, calling on companies to "know your customer." This requires establishing processes and procedures to identify and evaluate customers and potential sales.
As part of this due diligence, companies need to evaluate what legal protections exist in specific countries as well as the human rights records of customers and/or potential end-users. Companies should also seek to incorporate contractual provisions regarding the intended use of specific technologies. Ultimately, stakeholders and regulators will seek to hold companies accountable for the use of their technologies and it is therefore important for companies to evaluate their internal capacity to understand and manage the risks associated with certain sales.