GDPR - Restrict APIs from returning personal data like display name, locale, email and timezone

Currently, we’ve set apiMigration in our atlassian JSON as followed and also setting x-atlassian-force-account-id header in REST API request,

"apiMigrations": {
   "gdpr": true

With respect to above change we get user in following format,

    "self": "",
    "accountId": "31738123jkjkdiasdasd",
    "emailAddress": "",
    "avatarUrls": {
      "16x16": "",
      "24x24": "",
      "32x32": "",
      "48x48": ""
    "displayName": "Aakash [QMETRY]",
    "active": true,
    "timeZone": "Asia/Kolkata",
    "locale": "en_US"

This response is proper and as per our expectation. Now, it’s possible for user to restrict apps from accessing their displayName, timeZone or locale as stated in following link,

I’ve done changes in my profile as depicted in following screenshot.

However, even after doing such change the REST API do return all the details, worth to note that I’m trying to access user details from different user’s account. So, either I am missing anything here or the REST API is ignoring the privacy settings for now. It would be really appreciated if anyone can help to do privacy changes so that REST APIs stops returning the user personal data.


Hi aakash!

We’re facing the same issue. Have you found out why it is so?


1 Like

@t990922 I raised a ticket to JIRA regarding this and I got to know that the feature is not yet fully developed and once it’s ready app developers would be informed. So, as of now we can assume JIRA’s response as per the documentation and make changes in app accordingly. Hope this answers your question. Thanks.

Hi, Aakash !
Could you provide the number of raised ticket ?

Best regards,