Do the new GDPR changes effect external Jira REST client users?

Our Jira instance is hosted in the cloud.

I am calling the Jira REST API to query information and potentially update information from a client program created that is running on a local machine.

If I’m understanding the documentation about the GDPR User changes for the cloud APIs, they are strictly for Apps that are being developed to be installed in the cloud as a Jira application.

Am I understanding this correctly?


@bhayes the GDPR changes cover all aspects of the Atlassian products. The changes are related to the Jira API, and are not specific to apps. The reason this group is specifically targeted in the communications is probably because the bulk of Atlassian customers depend on one or more apps that are available on the Atlassian Marketplace and as such any breaking changes that are not mitigated by these vendors will have a large impact on the shared customer base.

However, the Apps that are developed by vendors use the same API’s that you are probably using, hence these changes will also effect your program.

If you are an admin for a company, your will probably still be able to get most of the information that you are seeking as your company will get more control over the data for employees compared to access to individual users.

If you need to access PII of individual users that are outside of the domain of your company, you might want to consider implementing 3LO, which will allow you to get their explicit consent.

1 Like

Hi Remie,

Thank you for the response.

What’s confused me is I’ve done some reading on the conversion process and how to specify you’re attempting to use the GDPR in your App when you put it into the cloud system, but I haven’t found any way for me as an outside client to specify that.

I’m currently making calls directly to the /rest/api/2/issue methods in our cloud instance. From reading I don’t think we’ll be affected as the only user information we’re using is email which we use to look up users in another system. It would be nice to be able to test and see it really happening though.


The user object email field is considered PII, so the API will only return this information to you if you have permission from the end-user which is determined by the privacy settings.

You might want to look at Guidelines for requesting access to email address.


I appreciate that. That helps.

Do you know, is there any way when making REST requests from an outside client to specify that you want a GDPR response? I haven’t found any way to do that if you’re not developing an application for the Jira marketplace.


I you want to force the API to include the GDPR changes, you might want to read Weekly GDPR API status development update - March 7th

Additional note on opt’ing into the new API behaviors

The flag described above controls Atlassian Connect behaviors. When opt’d in gdpr:true only the APIs related to Atlassian Connect will change this includes: Inbound Auth, Outbound Auth, App iFrames, App Lifecycle, Webhooks, and JavaScript API. To change the behaviors of Jira and Confluence REST APIs you will need to pass additional header/query parameters on every REST call. The header for Jira APIs is x-atlassian-force-account-id’:true. This header is also required to transform change logs from username to accountID. The query parameter for Confluence is privacyMode=true.

1 Like