Announcement: Reminder on removal of user names

In October 2018 we announced that user names (and user keys for webhooks) were deprecated, in line with the removal of user names across all our products. See https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-user-privacy-api-migration-guide/ for more information.

While that deprecation period is now over, as of today user names (and user keys) are still returned in webhooks. For usages that do not use Atlassian Connect, user names are still supported in Jira Cloud REST APIs. (User names stopped working for Connect around April 2019).

Starting next week (Monday December 16) we will begin the process of removing user name support completely from Jira Cloud webhooks and Jira Cloud REST APIs (in line with the privacy migration guide linked above).

3 Likes

currently i am using jira-rest-java-client-core v5.0.4 as my client…
who maintain this artifact?
‘UserJsonParser’ will be update with the new structure for 5.x.x version?

1 Like

Can someone explain to me how a username is considered PII for GDPR, but a Display Name (which is a more common, identifiable name) is not?

Hi. Jira Rest Java Client (JRJC) is only for Jira Server (and only Jira Server 5.x). See the “Compatibility” section on https://ecosystem.atlassian.net/wiki/spaces/JRJC/overview

You may wish to investigating generating client code based on our published Swagger spec for the API. Note that you can reach out to our support team and they can temporarily white list your site from the changes to allow you some extra time if you need it.

1 Like

@dhollinger In Jira, other Personal Data (PD) that we return in APIs obeys the privacy preferences of the individual user. This includes display name, email and avatar.

I’d like to understand one point:
the users we have in our Jira instance are our employees. We manage the contractual relationship with them and take care of all agreements directly with them on how we’re gonna use their corporate data.

Why is Atlassian imposing changes like this if the data are mine? I understand you have a single account for all Atlassian poducts, but this account is owned our my domain admin and only exists for the employee (while working for us). Everything they produce using our account is under our responsibility, for bad or for good.

Hi @BrenoLima. I am not a lawyer, but my understanding is that Atlassian has responsibility for personal data that we process and store. (For GDPR we are the “Data Processor”. I think that is the term. A similar concept exists in other jurisdictions.)

Thus we are required to facilitate and respect privacy preferences for end users. Because a person’s user name is personal data, we would be unable to respect the person’s privacy preferences if we continued to return user names in our public REST APIs.

Hi @bkelley, you’re right, there are the Data Processor and Data Controller.
This decision of showing or not our employee’s data is under our accountability as data controllers, Atlassian responsibility is to process data on behalf of my company, according to your contract you have with us, not directly with our employees.

Sorry for being so incisive, but hope you understand that Atlassian is making decisions regarding our data and our employee information without our consent as the legally accountable by our employee’s data. This is a critical topic, so I’d like to kindly request you to help me as a customer with over 3k users being impacted by this, to address this topic within Atlassian legal team, is that possible?

There is some misunderstanding here, maybe mine, but that would need to be clarified.

Thank you in advance.

1 Like

You will find it less frustrating if you consider that atlassian is operating under the ADPR, or the atlassian data protection regulation. They have their own (and unfortunately very wrong) interpretation of GDPR. However, until there is any jurisprudence, any fool with a keyboard can create their own truth.

1 Like

Hi @BrenoLima. My suggestion would be that you create a support request, so that this can be tracked in an appropriate manner.

1 Like