marcinzm|6 years ago
Based on my reading there are two laws in question:
* Tax Reform Act: This seems to only penalize supporting an existing boycott by another country of a third country [1]. As there is no government boycott of Russia and China (at least not in countries these clients are from I'm guessing) this shouldn't apply.
* Export Administration Act: This also specifically says it relates to boycotts conducted by a country against another country the US is friendly with [2].
I'm open to someone pointing out my misreading of these laws but it seems that they only apply to government-mandated boycotts. So, to me, clients are free to require restrictions if there are no government boycotts in place.
[1]: https://www.irs.gov/pub/irs-soi/03-04boycott.pdf
[2]: https://www.govinfo.gov/content/pkg/CFR-2019-title15-vol2/xm...
cosmie|6 years ago
The violation may have been the lack of appropriate reporting. [1] mentions that "unsanctioned boycotts" must be reported.
Later in the comments she mentioned that the contract in question was screened and found to not actually be considered a relevant event for anti-boycotting laws. So whatever her initial concerns were, they were allayed by an actual review of the relevant request.
Reading through the conversation as a whole, it appears that the customer/contract in question didn't explicitly request GitLab to take the course of action they decided on. GitLab proactively decided that the action just happened to be a crude but effective way to comply in a timely fashion with the data restrictions the customer wanted, since their infrastructure itself currently doesn't have granular enough security controls around data access to comply with what the customer request was.
[1] https://www.bis.doc.gov/index.php/enforcement/oac#whatmustbe...