Slack is an American company, GDPR is a EU law and OP is Iranian. That’s not how this works... Sure companies that operate within the EU have created tools to export your data automatically (they still have contact points to request the same data if you don’t have an account or were banned so can’t use the automated tools) so they opened those tools up to everyone not just those within the EU. But that doesn’t mean you are covered by the EU law and can demand your data. Only thing I would suggest is to lookup the GDPR email for slack and manually request the data. Though I wouldn’t expect anything.
US companies are forbidden from doing business with Iran, US company discovered it was, closed down the account and refuses to continue that business relationship by handing over data.
So sounds like standard policy to me. It would be like me getting banned off a game because I broke TOS (because OP did break TOS, it’s pretty much boilerplate and they have experienced this before so it’s not like they were not aware) and getting pissed off that I can not access my chat history any longer.
OP was on borrowed time from the beginning.
Does it suck? Sure it does. But what else you going to expect? For them to explicitly break the law after they discovered they were already in violation and took the steps needed to come under compliance because you didn’t read ToS, or (with them admitting this isn’t the first time they have got dinged by this law, probably the more likely) wilfully choose to ignore them.
Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction. Examples include Apple and Google (headquartered in Ireland) and Amazon (headquartered in Luxembourg).
A quick search found that Slack is actually headquartered in America. But if they are dealing with the EU market then they very likely need to have an EU subsidiary (and looking again they have a Dublin office and so are likely incorporated in Ireland). However, GDPR only applies to EU/EEA residents -- so you can't just send a GDPR request if you are not resident within EU/EEA.
None of this matters to the GDPR. The GDPR targets companies “doing business” with EEA/EU residents no matter where the company is actually located. Even if you are a solely US company, if you are accepting orders from EU/EEA residents you have to be able to process GRPR requests. Think of it as a cost of doing business in that area. If you don’t want to do that, the. You are free to no longer process any EU/EEA residents data (some websites, the LA Times is one example iirc just completely lock EU IP’s because of this).
When it gets “merky” is defining that “doing business”.
Sure accepting payments and offering a service is clearly covered. But what if you ad supported. Are you doing business because you are exchanging access to your site for ad impressions which you get paid for? Who is processing that data? You or if the ad network one of your business partners who you have offloaded a task too? (Which is why domes of people/companies/ad men were shouting that the end was nigh before it came into force.)
But yeah as I said to you in another comment. Even if they were allowed to do business in Iran, the GDPR wouldn’t come into play here as they are not in the EU.
If they had any team members in the EU, they could try that route.
Except that they did not hand over the data. They just closed the account.
Plus, there is no mention of complying with US sanctions in ToS.
Overall, they could easily send a notice to take action (export data) before closing the accounts. It was their fault to allow companies build their trust in slack and it was their mistake not to follow the rules in the first place.
> Plus, there is no mention of complying with US sanctions in ToS.
https://slack.com/acceptable-use-policy
Under the “Do” section > comply with all applicable laws and governmental regulations, including, but not limited to, all intellectual property, data, privacy, and _export control laws_, and regulations promulgated by any government agencies, including, but not limited to, the U.S. Securities and Exchange Commission, and any rules of any national and other securities exchanges;
I’m on mobile atm, but I’m sure if I looked into the full legal copy of their terms I would find more.
These bans with no appeal processes are absolutely stupid. See my submissions for more context, but its helluva lot more people than a single incident. They seem to be banning anyone who sounds Iranian.
If you are not accessing the service from Iran and you get dinged, contact support, supply supporting evidence and they will restore the account.
This isn’t Slack picking on Iranians, this is “if slack don’t do this, they can get into a whole help of trouble”. I’m sure some people are going to get dinged by mistake but I honestly doubt they are banning people because of how their name sounds.
Actually yes it does and Uncle Sam will come f* you up if you think otherwise.
I mean an Iranian company using American products and expecting EU protection?! None of it makes any sense.
It should be noted that Slack has an office in Dublin so it very likely has an Irish subsidiary (just like Apple, Google, and half of the tech industry so they can avoid taxes) and thus is subject to EU requirements. The GDPR applies to them, and since they have an EU company they (I believe) need to obey GDPR requests from any source. [EDIT: This is incorrect.]
But I can understand why Slack would cancel their account, since violating export sanctions is a really easy way to end up in gaol.
It covers data for EU/EEA citizens and residents data held by companies “doing business” with people in such areas. An off the top of my head example. An Australian citizen who has never been to the EU can not use the GRPR against Microsoft just because MS have a office in the EU.
Edit: My bad, I think the Australian would be under the Dublin office in the slack case. But the GDPR rules are focused on data of EEA/EU residents/citizens and not (always) data of people outside of the EEA/EU collected by companies within the EEA/EU.
Want to maintain professionalism and integrity? Due process is important. You can't just slam the door closed in peoples' faces arbitrarily and go radio silent or word's going to get out that you're untrustworthy. Do right by people; don't be a dick. Otherwise: problems.
