[Crosseye_Jack]

> If Slack has to comply with the export control law, they also need to comply with GDPR.

Slack is an American company, GDPR is a EU law and OP is Iranian. That’s not how this works... Sure companies that operate within the EU have created tools to export your data automatically (they still have contact points to request the same data if you don’t have an account or were banned so can’t use the automated tools) so they opened those tools up to everyone not just those within the EU. But that doesn’t mean you are covered by the EU law and can demand your data. Only thing I would suggest is to lookup the GDPR email for slack and manually request the data. Though I wouldn’t expect anything.

US companies are forbidden from doing business with Iran, US company discovered it was, closed down the account and refuses to continue that business relationship by handing over data.

So sounds like standard policy to me. It would be like me getting banned off a game because I broke TOS (because OP did break TOS, it’s pretty much boilerplate and they have experienced this before so it’s not like they were not aware) and getting pissed off that I can not access my chat history any longer.

OP was on borrowed time from the beginning.

Does it suck? Sure it does. But what else you going to expect? For them to explicitly break the law after they discovered they were already in violation and took the steps needed to come under compliance because you didn’t read ToS, or (with them admitting this isn’t the first time they have got dinged by this law, probably the more likely) wilfully choose to ignore them.

[cyphar]

> Slack is an American company, GDPR is a EU law and OP is Iranian. That’s not how this works... Sure companies that operate within the EU have created tools to export your data automatically (they still have contact points to request the same data if you don’t have an account or were banned so can’t use the automated tools) so they opened those tools up to everyone not just those within the EU. But that doesn’t mean you are covered by the EU law and can demand your data. Only thing I would suggest is to lookup the GDPR email for slack and manually request the data. Though I wouldn’t expect anything.

Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction. Examples include Apple and Google (headquartered in Ireland) and Amazon (headquartered in Luxembourg).

A quick search found that Slack is actually headquartered in America. But if they are dealing with the EU market then they very likely need to have an EU subsidiary (and looking again they have a Dublin office and so are likely incorporated in Ireland). However, GDPR only applies to EU/EEA residents -- so you can't just send a GDPR request if you are not resident within EU/EEA.

[Crosseye_Jack]

> Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction.

None of this matters to the GDPR. The GDPR targets companies “doing business” with EEA/EU residents no matter where the company is actually located. Even if you are a solely US company, if you are accepting orders from EU/EEA residents you have to be able to process GRPR requests. Think of it as a cost of doing business in that area. If you don’t want to do that, the. You are free to no longer process any EU/EEA residents data (some websites, the LA Times is one example iirc just completely lock EU IP’s because of this).

When it gets “merky” is defining that “doing business”.

Sure accepting payments and offering a service is clearly covered. But what if you ad supported. Are you doing business because you are exchanging access to your site for ad impressions which you get paid for? Who is processing that data? You or if the ad network one of your business partners who you have offloaded a task too? (Which is why domes of people/companies/ad men were shouting that the end was nigh before it came into force.)

But yeah as I said to you in another comment. Even if they were allowed to do business in Iran, the GDPR wouldn’t come into play here as they are not in the EU.

If they had any team members in the EU, they could try that route.

[arjmandi]

My point is not a legal one, it's a moral point. If they've complied with the GDPR it means they even have processes and systems to give users their data but didn't have the decency to respect their customer and at least close their account in a much better way. The export law says you are banned to serve Iranian companies (!), Fine, but it definitely doesn't force you to f* your users in Iran!

[emerongi]

Any EU citizen is protected by GDPR if the company is doing business in EU. Doesn't matter where the HQ is.

[cyphar]

Any EU/EEA resident, but that wasn't my point.

One of the biggest things people bring up against the GDPR is "how will the EU punish companies outside of their jurisdiction". The answer is that most "American" companies actually use EU tax breaks and thus can most definitely be punished by the EU.

Also, the user was based in Iran. He doesn't have relevant rights under the GDPR.

[milani]

> by handing over data.

Except that they did not hand over the data. They just closed the account.

Plus, there is no mention of complying with US sanctions in ToS.

Overall, they could easily send a notice to take action (export data) before closing the accounts. It was their fault to allow companies build their trust in slack and it was their mistake not to follow the rules in the first place.

[Crosseye_Jack]

I mean they are not handing over data as that could be seen as still allowing access to the service and being in violation of the sanctions.

> Plus, there is no mention of complying with US sanctions in ToS.

https://slack.com/acceptable-use-policy

Under the “Do” section > comply with all applicable laws and governmental regulations, including, but not limited to, all intellectual property, data, privacy, and _export control laws_, and regulations promulgated by any government agencies, including, but not limited to, the U.S. Securities and Exchange Commission, and any rules of any national and other securities exchanges;

I’m on mobile atm, but I’m sure if I looked into the full legal copy of their terms I would find more.

[aaomidi]

And what about other users who aren't breaking the law? Like me, who has been living in the US since 2011?

These bans with no appeal processes are absolutely stupid. See my submissions for more context, but its helluva lot more people than a single incident. They seem to be banning anyone who sounds Iranian.

[Crosseye_Jack]

Op’s Post talks about how they are inside Iran. So in this case I still say it’s a valid account termination.

If you are not accessing the service from Iran and you get dinged, contact support, supply supporting evidence and they will restore the account.

This isn’t Slack picking on Iranians, this is “if slack don’t do this, they can get into a whole help of trouble”. I’m sure some people are going to get dinged by mistake but I honestly doubt they are banning people because of how their name sounds.

[aaomidi]

I've never even used Slack in Iran and my name sounds Iranian. Wonder how they decided I'm using it from Iran then.

[Crosseye_Jack]

Was your user account closed or the workplace account closed?

If it was the workplace account that was closed the. It could be because you had users connecting to it from inside Iran and not yourself personally.

It if you got booted from a workplace because they though you were in Iran I would say contact them and ask they why they believe so, that you are not in Iran and your ip addresses that access to the service back you up.

Think of the pubic shitshow it would cause if a major yech company were banning U.S. citizens/residents because of their race/nationality. Simply because of the optics and legal repercussions behind such an epic fuck up if it ever came to light I doubt slack have staff going though account names looking for Iranian sounding names to ban off the platform and are using other metrics to determine where the user account or workplace account is actually based.

[Crosseye_Jack]

Replying again because I can not edit my orig post.

It seem that they have been banning based off IP address. They allow appeals via email.

Copy of a Tweet from Slack. > Hi. Our systems may have detected an account on our platform with an IP address originating from a designated embargoed country. Please send a note to feedback@slack.com so we can investigate further.

[arjmandi]

My point is not a legal one, it's moral point. If they're complied with the GDPR it means they even have processes and systems to give users their data; but didn't had the decency to respect their customer and atleast close their account in a much better way. The export law says you are banned to serve Iranian companies (!), Fine, but it definitely doesn't force you to f* your users in Iran!

[devoply]

> Fine, but it definitely doesn't force you to f* your users in Iran!

Actually yes it does and Uncle Sam will come f* you up if you think otherwise.

[tuxxy]

No question that this is against current US expert laws, but do you have any examples of a US tech company getting in trouble from export laws?

[Crosseye_Jack]

Nothing off the top of my head for "recent" cases from big tech companies (I'm sure there are smaller companies), but in 2015 Paypal got hit by the Office of Foreign Assets Control.

As for export laws, in 2017 there was 31 individuals and businesses convicted resulting in $287,102,532 in criminal fines, $166,234,123 in forfeitures & 576 months of imprisonment And 52 administrative cases resulting $692,296,500 in administrative penalties.

https://www.bis.doc.gov/index.php/enforcement/oee/penalties