Major changes to Confluence Cloud REST APIs are coming to improve user privacy

Throughout 2018 and 2019, Atlassian will undertake a number of changes to our products and APIs in order to improve user privacy in accordance with the European General Data Protection Regulation (GDPR). In addition to pursuing relevant certifications and data handling standards, we will be rolling out changes to Atlassian Cloud product APIs to consolidate how personal data about Atlassian product users is accessed by API consumers.

A summary of all relevant API changes has been posted in the Confluence Cloud Platform API docs:

https://developer.atlassian.com/cloud/confluence/api-changes-for-user-privacy-announcement/


Are there any plans to change the parameters passed from the host Confluence Cloud instance to Connect add-ons?

For example, the url specified in atlassian-connect.json for a dynamicContentMacro receives a user_id value appended to it when called from the host.

My add-ons don’t use this value for anything, but it does get stored as part of the request URL in my web server logs.

I’m not sure if storing user_id in server logs (albeit for a limited time) has GDPR implications (it wouldn’t be difficult, for example, to determine a user’s real name based on their user_id value), or indeed whether changing to an accountId would mitigate those implications.

Aside from registration details (in the AddonSettings table in my database), my add-ons don’t store any customer data. As such, I have not been too concerned with GDPR compliance, but having user_id in my server logs does make me slightly uneasy.
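An added example, not part of the original thread and not Atlassian code: one way to keep the `user_id` query value described above out of stored web server logs is to replace it with a keyed pseudonym before a log line is written or archived. The combined access log format, the function names, the key and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters to pseudonymise; user_id is the one named in the post above.
SENSITIVE_PARAMS = {"user_id"}

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines, not taken from any real server.
SAMPLE_LINES = [
    '203.0.113.7 - - [01/Jun/2018:10:00:00 +0000] '
    '"GET /macro/render?pageId=123&user_id=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jun/2018:10:00:05 +0000] "GET /healthz HTTP/1.1" 200 2',
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same input gives the same token, so requests can still
    be correlated, but the token cannot be mapped back without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_target(target: str, key: bytes) -> str:
    """Replace sensitive query values in a request target.
    Other parameters keep their values (percent-encoding is normalised)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [
        (name, pseudonym(value, key) if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in pairs
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scrub_line(line: str, key: bytes) -> str:
    """Scrub the request line of one log entry; everything else passes through."""
    def repl(m):
        return f'"{m["method"]} {scrub_target(m["target"], key)} {m["proto"]}"'
    return REQUEST_RE.sub(repl, line, count=1)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # in practice, load a secret from outside the code
    for entry in SAMPLE_LINES:
        print(scrub_line(entry, demo_key))
```

The same filter works unchanged if the host later sends a different identifier: add the new parameter name to `SENSITIVE_PARAMS`.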

@scottohara, please see this announcement for more details on changes to Connect: Major changes to Connect REST APIs are coming to improve user privacy

Thanks @akassab, the changes to Connect APIs outlined in the link are exactly what I was hoping/expecting to see.

Great job!