
Slack just wiped out our data overnight - arjmandi
https://medium.com/@mohsen/slack-just-wiped-out-our-data-3aef1f6b978d
======
Crosseye_Jack
> If Slack has to comply with the export control law, they also need to comply
> with GDPR.

Slack is an American company, GDPR is a EU law and OP is Iranian. That’s not
how this works... Sure companies that operate within the EU have created tools
to export your data automatically (they still have contact points to request
the same data if you don’t have an account or were banned so can’t use the
automated tools) so they opened those tools up to everyone not just those
within the EU. But that doesn’t mean you are covered by the EU law and can
demand your data. Only thing I would suggest is to lookup the GDPR email for
slack and manually request the data. Though I wouldn’t expect anything.

US companies are forbidden from doing business with Iran, US company
discovered it was, closed down the account and refuses to continue that
business relationship by handing over data.

So sounds like standard policy to me. It would be like me getting banned off a
game because I broke TOS (because OP did break TOS, it’s pretty much
boilerplate and they have experienced this before so it’s not like they were
not aware) and getting pissed off that I can not access my chat history any
longer.

OP was on borrowed time from the beginning.

Does it suck? Sure it does. But what else you going to expect? For them to
explicitly break the law after they discovered they were already in violation
and took the steps needed to come under compliance because you didn’t read
ToS, or (with them admitting this isn’t the first time they have got dinged by
this law, probably the more likely) wilfully choose to ignore them.

~~~
cyphar
> Slack is an American company, GDPR is a EU law and OP is Iranian. That’s not
> how this works... Sure companies that operate within the EU have created
> tools to export your data automatically (they still have contact points to
> request the same data if you don’t have an account or were banned so can’t
> use the automated tools) so they opened those tools up to everyone not just
> those within the EU. But that doesn’t mean you are covered by the EU law and
> can demand your data. Only thing I would suggest is to lookup the GDPR email
> for slack and manually request the data. Though I wouldn’t expect anything.

Slightly unrelated but note that many "American companies" are explicitly
headquartered in the EU for tax reasons, and by structuring themselves in this
way they are explicitly putting themselves under EU jurisdiction. Examples
include Apple and Google (headquartered in Ireland) and Amazon (headquartered
in Luxembourg).

A quick search found that Slack is actually headquartered in America. But if
they are dealing with the EU market then they very likely need to have an EU
subsidiary (and looking again they have a Dublin office and so are likely
incorporated in Ireland). However, GDPR only applies to EU/EEA residents -- so
you can't just send a GDPR request if you are not resident within EU/EEA.

~~~
arjmandi
My point is not a legal one, it's a moral point. If they've complied with the
GDPR it means they even have processes and systems to give users their data
but didn't have the decency to respect their customer and at least close their
account in a much better way. The export law says you are banned to serve
Iranian companies (!), Fine, but it definitely doesn't force you to f* your
users in Iran!

------
demarq
Lots of people shaming companies this week, but all of them including this one
just don't sound justified at all.

I mean an Iranian company using American products and expecting EU
protection?! None of it makes any sense.

~~~
cyphar
> I mean an Iranian company using American products and expecting EU
> protection?! None of it makes any sense.

It should be noted that Slack has an office in Dublin so it very likely has an
Irish subsidiary (just like Apple, Google, and half of the tech industry so
they can avoid taxes) and thus is subject to EU requirements. The GDPR applies
to them, and since they have an EU company they (I believe) need to obey GDPR
requests from any source. [EDIT: This is incorrect.]

But I can understand why Slack would cancel their account, since violating
export sanctions is a really easy way to end up in gaol.

~~~
Crosseye_Jack
Nope.

It covers data for EU/EEA citizens and residents data held by companies “doing
business” with people in such areas. An off the top of my head example. An
Australian citizen who has never been to the EU can not use the GRPR against
Microsoft just because MS have a office in the EU.

Edit: My bad, I think the Australian would be under the Dublin office in the
slack case. But the GDPR rules are focused on data of EEA/EU
residents/citizens and not (always) data of people outside of the EEA/EU
collected by companies within the EEA/EU.

~~~
arjmandi
My point is not a legal one, it's a moral point. If they've complied with the
GDPR it means they even have processes and systems to give users their data
but didn't have the decency to respect their customer and at least close their
account in a much better way. The export law says you are banned to serve
Iranian companies (!), Fine, but it definitely doesn't force you to f* your
users in Iran!

------
arjmandi
Slack just gave us back our access. I've updated the post on the medium.
Thanks to you Slack!

------
heyjudy
I don't care whether the story is a wind-up or legit, there's a bigger
principle.

Want to maintain professionalism and integrity? Due process is important. You
can't just slam the door closed in peoples' faces arbitrarily and go radio
silent or word's going to get out that you're untrustworthy. Do right by
people; don't be a dick. Otherwise: problems.

~~~
suff
Professionalism? Iran sends money to suicide bombers and you're complaining
that our side lacks professionalism? UH, OK. How about not breaking the law?
Does that mean anything to you?

~~~
arjmandi
This is not about governments. It's just a simple customer care matter.
Different laws come and go, but a good company can always treat its customers
better.

~~~
suff
Iran executes homosexuals. What part of 'sanctions' do you not understand???
This is not a debate. It is U.S. law. Deal with it.

