When is it safe to enable GDPR API migration in production?

The Migration guide for Connect Apps to improve user privacy includes this statement:

It is advised not enable the Connect GDPR API migration for existing Marketplace-listed production versions. We will continue to add API changes under the API migration opt-in, so apps may break. Check this page to find out when it is safe to enable the API migration for your customers.

If I understand that statement correctly, the migration period (sometimes referred to as deprecation period) has begun, and will conclude on 29 Mar 2019; but it will not be safe to enable the GDPR API migration opt-in mechanism in production until some future, as-yet-unannounced moment. Is my understanding correct?

Can you provide any hints about the timing of the beginning of the safe-to-enable-gdpr-migration-opt-in-flag period?


Hi David,

Indeed our migration guide contains this warning to indicate that deprecation of Connect some APIs is complex and not entirely complete. Your understanding of the statement is correct as the deprecation period has already begun and will conclude on 29 of March 2019. After that date all the Connect APIs will return data in a new format - that is free of Personal Data (PD).

The reason why the warning is added is to encourage vendors to migrate their apps gradually and with extra testing. It is possible that for some apps there will be no changes other then opting into new APIs. While other apps might require complicated data migrations. It all depends on the degree of customisation of a particular app and APIs used by that app.

To be clear - GDPR specific changes are available in production and we advice everyone to start migration while being mindful that there is a potential for your user impact. So normal safe development practice is what we encourage. Please test your migration is working before switching production trafic.

In case you are developing a new Connect App it is recommended that you opin from the start thus avoiding the need to do data migration later on.
So to answer your question - it is safe to enable GDPR in production if you have tested that it doesn’t break your particular app.

Hope that helps,


@david.pinn, just to add to Ivan’s reply, you can see the full scope of our opt-in mechanism with the JQL query project = AC AND text ~ “when opted in by apps”.

Three issues are yet to be completed:

  • AC-2425 Remove support for OAuth 2 JWTs with user keys as the sub claim when opted in by apps
  • AC-2433 Remove user_id and user_key query parameters from webhooks when opted in by apps
  • AC-2474 Fail descriptor validation for use of deprecated user context parameters in issue field templates when opted in by apps

If you are certain that your app does not rely on any of these features, you may proceed to enable the Connect GDPR opt-in in the production version of your app. If you do use any of these features, please watch the issues for updates.

1 Like