Slack just wiped out our data overnight (medium.com)
19 points by arjmandi 2739 days ago
4 comments

> If Slack has to comply with the export control law, they also need to comply with GDPR.

Slack is an American company, GDPR is an EU law and OP is Iranian. That’s not how this works... Sure companies that operate within the EU have created tools to export your data automatically (they still have contact points to request the same data if you don’t have an account or were banned so can’t use the automated tools) so they opened those tools up to everyone not just those within the EU. But that doesn’t mean you are covered by the EU law and can demand your data. Only thing I would suggest is to look up the GDPR email for Slack and manually request the data. Though I wouldn’t expect anything.

US companies are forbidden from doing business with Iran, US company discovered it was, closed down the account and refuses to continue that business relationship by handing over data.

So sounds like standard policy to me. It would be like me getting banned off a game because I broke TOS (because OP did break TOS, it’s pretty much boilerplate and they have experienced this before so it’s not like they were not aware) and getting pissed off that I can not access my chat history any longer.

OP was on borrowed time from the beginning.

Does it suck? Sure it does. But what else are you going to expect? For them to explicitly break the law after they discovered they were already in violation and took the steps needed to come under compliance because you didn’t read ToS, or (with them admitting this isn’t the first time they have got dinged by this law, probably the more likely) wilfully chose to ignore them.

> Slack is an American company, GDPR is an EU law and OP is Iranian. That’s not how this works... Sure companies that operate within the EU have created tools to export your data automatically (they still have contact points to request the same data if you don’t have an account or were banned so can’t use the automated tools) so they opened those tools up to everyone not just those within the EU. But that doesn’t mean you are covered by the EU law and can demand your data. Only thing I would suggest is to look up the GDPR email for Slack and manually request the data. Though I wouldn’t expect anything.

Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction. Examples include Apple and Google (headquartered in Ireland) and Amazon (headquartered in Luxembourg).

A quick search found that Slack is actually headquartered in America. But if they are dealing with the EU market then they very likely need to have an EU subsidiary (and looking again they have a Dublin office and so are likely incorporated in Ireland). However, GDPR only applies to EU/EEA residents -- so you can't just send a GDPR request if you are not resident within EU/EEA.

> Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction.

None of this matters to the GDPR. The GDPR targets companies “doing business” with EEA/EU residents no matter where the company is actually located. Even if you are a solely US company, if you are accepting orders from EU/EEA residents you have to be able to process GDPR requests. Think of it as a cost of doing business in that area. If you don’t want to do that, then you are free to no longer process any EU/EEA residents’ data (some websites, the LA Times is one example iirc, just completely lock EU IPs because of this).

When it gets “murky” is defining that “doing business”.

Sure accepting payments and offering a service is clearly covered. But what if you are ad supported. Are you doing business because you are exchanging access to your site for ad impressions which you get paid for? Who is processing that data? You or if the ad network one of your business partners who you have offloaded a task to? (Which is why domes of people/companies/ad men were shouting that the end was nigh before it came into force.)

But yeah as I said to you in another comment. Even if they were allowed to do business in Iran, the GDPR wouldn’t come into play here as they are not in the EU.

If they had any team members in the EU, they could try that route.

My point is not a legal one, it's a moral point. If they've complied with the GDPR it means they even have processes and systems to give users their data but didn't have the decency to respect their customer and at least close their account in a much better way. The export law says you are banned to serve Iranian companies (!), Fine, but it definitely doesn't force you to f* your users in Iran!

Any EU citizen is protected by GDPR if the company is doing business in EU. Doesn't matter where the HQ is.

Any EU/EEA resident, but that wasn't my point.

One of the biggest things people bring up against the GDPR is "how will the EU punish companies outside of their jurisdiction". The answer is that most "American" companies actually use EU tax breaks and thus can most definitely be punished by the EU.

Also, the user was based in Iran. He doesn't have relevant rights under the GDPR.

> by handing over data.

Except that they did not hand over the data. They just closed the account.

Plus, there is no mention of complying with US sanctions in ToS.

Overall, they could easily send a notice to take action (export data) before closing the accounts. It was their fault to allow companies to build their trust in Slack and it was their mistake not to follow the rules in the first place.

I mean they are not handing over data as that could be seen as still allowing access to the service and being in violation of the sanctions.

> Plus, there is no mention of complying with US sanctions in ToS.

https://slack.com/acceptable-use-policy

Under the “Do” section:

> comply with all applicable laws and governmental regulations, including, but not limited to, all intellectual property, data, privacy, and _export control laws_, and regulations promulgated by any government agencies, including, but not limited to, the U.S. Securities and Exchange Commission, and any rules of any national and other securities exchanges;

I’m on mobile atm, but I’m sure if I looked into the full legal copy of their terms I would find more.

And what about other users who aren't breaking the law? Like me, who has been living in the US since 2011?

These bans with no appeal processes are absolutely stupid. See my submissions for more context, but it's a helluva lot more people than a single incident. They seem to be banning anyone who sounds Iranian.

OP’s post talks about how they are inside Iran. So in this case I still say it’s a valid account termination.

If you are not accessing the service from Iran and you get dinged, contact support, supply supporting evidence and they will restore the account.

This isn’t Slack picking on Iranians, this is “if Slack don’t do this, they can get into a whole heap of trouble”. I’m sure some people are going to get dinged by mistake but I honestly doubt they are banning people because of how their name sounds.

I've never even used Slack in Iran and my name sounds Iranian. Wonder how they decided I'm using it from Iran then.

Was your user account closed or the workplace account closed?

If it was the workplace account that was closed then it could be because you had users connecting to it from inside Iran and not yourself personally.

If you got booted from a workplace because they thought you were in Iran I would say contact them and ask them why they believe so, that you are not in Iran and your IP addresses that access the service back you up.

Think of the public shitshow it would cause if a major tech company were banning U.S. citizens/residents because of their race/nationality. Simply because of the optics and legal repercussions behind such an epic fuck up if it ever came to light I doubt Slack have staff going through account names looking for Iranian sounding names to ban off the platform and are using other metrics to determine where the user account or workplace account is actually based.

Replying again because I can not edit my orig post.

It seems that they have been banning based off IP address. They allow appeals via email.

Copy of a Tweet from Slack:

> Hi. Our systems may have detected an account on our platform with an IP address originating from a designated embargoed country. Please send a note to feedback@slack.com so we can investigate further.

My point is not a legal one, it's a moral point. If they've complied with the GDPR it means they even have processes and systems to give users their data; but didn't have the decency to respect their customer and at least close their account in a much better way. The export law says you are banned to serve Iranian companies (!), Fine, but it definitely doesn't force you to f* your users in Iran!

> Fine, but it definitely doesn't force you to f* your users in Iran!

Actually yes it does and Uncle Sam will come f* you up if you think otherwise.

No question that this is against current US export laws, but do you have any examples of a US tech company getting in trouble from export laws?

Nothing off the top of my head for "recent" cases from big tech companies (I'm sure there are smaller companies), but in 2015 Paypal got hit by the Office of Foreign Assets Control.

As for export laws, in 2017 there were 31 individuals and businesses convicted resulting in $287,102,532 in criminal fines, $166,234,123 in forfeitures & 576 months of imprisonment, and 52 administrative cases resulting in $692,296,500 in administrative penalties.

https://www.bis.doc.gov/index.php/enforcement/oee/penalties

Lots of people shaming companies this week, but all of them including this one just don't sound justified at all.

I mean an Iranian company using American products and expecting EU protection?! None of it makes any sense.

My point is not a legal one, it's a moral point. If they've complied with the GDPR it means they even have processes and systems to give users their data but didn't have the decency to respect their customer and at least close their account in a much better way. The export law says you are banned to serve Iranian companies (!), Fine, but it definitely doesn't force you to f* your users in Iran! This is not a fight over being an Iranian or an American or any other country. It does not have anything to do with politics. I'm just a service user, I used free and paid services and I have the right to download "my data" before closing my account.

> I mean an Iranian company using American products and expecting EU protection?! None of it makes any sense.

It should be noted that Slack has an office in Dublin so it very likely has an Irish subsidiary (just like Apple, Google, and half of the tech industry so they can avoid taxes) and thus is subject to EU requirements. The GDPR applies to them, and since they have an EU company they (I believe) need to obey GDPR requests from any source. [EDIT: This is incorrect.]

But I can understand why Slack would cancel their account, since violating export sanctions is a really easy way to end up in gaol.

Nope.

It covers data for EU/EEA citizens and residents data held by companies “doing business” with people in such areas. An off the top of my head example. An Australian citizen who has never been to the EU can not use the GDPR against Microsoft just because MS have an office in the EU.

Edit: My bad, I think the Australian would be under the Dublin office in the Slack case. But the GDPR rules are focused on data of EEA/EU residents/citizens and not (always) data of people outside of the EEA/EU collected by companies within the EEA/EU.

My point is not a legal one, it's a moral point. If they've complied with the GDPR it means they even have processes and systems to give users their data but didn't have the decency to respect their customer and at least close their account in a much better way. The export law says you are banned to serve Iranian companies (!), Fine, but it definitely doesn't force you to f* your users in Iran!

Ah okay, that makes more sense.

Slack just gave us back our access. I've updated the post on the medium. Thanks to you Slack!

I don't care whether the story is a wind-up or legit, there's a bigger principle.

Want to maintain professionalism and integrity? Due process is important. You can't just slam the door closed in people's faces arbitrarily and go radio silent or word's going to get out that you're untrustworthy. Do right by people; don't be a dick. Otherwise: problems.

The bigger story is in this case US law and foreign policy has been hijacked by Saudi Arabia and Israel.

Professionalism? Iran sends money to suicide bombers and you're complaining that our side lacks professionalism? UH, OK. How about not breaking the law? Does that mean anything to you?

This is not about governments. It's just a simple customer care matter. Different laws come and go, but a good company can always treat its customers better.

Iran executes homosexuals. What part of 'sanctions' do you not understand??? This is not a debate. It is U.S. law. Deal with it.