The violation may have been the lack of appropriate reporting. [1] mentions that "unsanctioned boycotts" must be reported.
Later in the comments she mentioned that the contract in question was screened and found to not actually be considered a relevant event for anti-boycotting laws. So whatever her initial concerns were, they were allayed by an actual review of the relevant request.
Reading through the conversation as a whole, it appears that the customer/contract in question didn't explicitly request Gitlab to take the course of action they decided on. Gitlab proactively decided that the action just happened to be a crude but effective way to comply in a timely fashion with the data restrictions the customer wanted, since their infrastructure itself currently doesn't have granular enough security controls around data access to comply with what the customer request was.
Later in the comments she mentioned that the contract in question was screened and found to not actually be considered a relevant event for anti-boycotting laws. So whatever her initial concerns were, they were allayed by an actual review of the relevant request.
Reading through the conversation as a whole, it appears that the customer/contract in question didn't explicitly request Gitlab to take the course of action they decided on. Gitlab proactively decided that the action just happened to be a crude but effective way to comply in a timely fashion with the data restrictions the customer wanted, since their infrastructure itself currently doesn't have granular enough security controls around data access to comply with what the customer request was.
[1] https://www.bis.doc.gov/index.php/enforcement/oac#whatmustbe...