
Privacy shield; Atlassian pushing users towards cloud; GDPR compliancy EU customers?

Rolf Fokkens October 17, 2020

Since mid July Privacy Shield is void (https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update) while Atlassian is pushing all customers towards Cloud. This raises some serious GDPR concerns: as an EU company we are not allowed to process personal data in the US.

There have been some hints in the past that Atlassian was considering serving EU customers from datacenters in Ireland (https://community.atlassian.com/t5/Jira-questions/GDPR-European-quot-General-Data-Protection-Regulation-quot/qaq-p/638038) but the current status is not clear to me.

8 comments

Kevin Gardthausen October 17, 2020

Time to move away from Jira within the next few years. Not gonna follow into the "cloud".

Jack Brickey
Community Leader
October 18, 2020

I will move this to discussions since there really isn’t a question here.

One consideration is Data Center.

Thomas Dörfler October 19, 2020

As a small company located in Germany, we have selected Jira as our collaboration tool and invested substantially to integrate it into our internal workflows. From the start we have chosen to run our own local server, to avoid privacy problems.

Atlassian forcing us to move to an international cloud system at a time they obviously have not understood (or do not care?) that privacy shield is dysfunctional and obsolete really makes me think how much they care about international IT laws and the safety of their customers' data.

I hope that as many European user companies as possible will stand up and request a correction of this decision.

Stephan Munz October 19, 2020

We are located in Germany as well and will not move our data to a cloud system operated by foreign legal entities.

Stephan Munz October 19, 2020

> Since mid July Privacy Shield is void (https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update)
> while Atlassian is pushing all customers towards Cloud.

Atlassian seems to ignore this fact:

https://www.atlassian.com/trust/privacy/gdpr
"We support appropriate international data transfer mechanisms by maintaining our Privacy Shield certifications,"

Besides that, there are more serious issues:

* Atlassian will store all data to whatever geographical region they want. Customers cannot restrict those regions.

* Atlassian is located in Great Britain and Australia. Both are / will become third party countries according to the GDPR.

* The CJEU court voided the privacy shield framework because the US does not provide a sufficient level of data protection (mainly because of US surveillance law).

* Atlassian is storing all data in the AWS which is operated by Amazon - a US based company.


More issues:

* Selecting a data center region within Europe is not solving the issue as long as companies from third party countries do have access to the data that is stored. Just the ability to access data implies data processing as well. So in case of Atlassian there is at least the US, Australia and Great Britain. All of them are famous for their excessive intelligence laws - which was the reason why privacy shield (and the predecessor "Safe Harbour") was voided.

* The SCC or BCR cannot be used when the data processor resides in a country without an appropriate level of data protection. Though many big companies are ignoring this fact. It is the duty of the data protection authorities to stop unlawful data transfers.


So when Atlassian is telling us to move to the cloud for compliance reasons and trying to make privacy shield appear as a valid legal basis for data processing at the very same time, it does not strengthen our confidence in Atlassian understanding European data protection laws.

Jasper Siero October 20, 2020

Our company is also in Europe, so if this is continued we will have to evaluate what we are going to do with it. I hope Atlassian comes up with a solution for this.

Deleted user October 26, 2020

Even if they come up with a solution for the GDPR-related issues, pricing will be another thing. How about connections from your local DC back and forth to the Atlassian Cloud (wherever it is located)? How would you trigger a build from Bitbucket (in the cloud) on your local Jenkins servers? Does everybody get a free Bamboo-license with their Bitbucket License with unlimited cloud builds?

Daniel Eads
Atlassian Team
October 26, 2020

Assuming that long-term, you would prefer Cloud over Data Center, there are some on-premise build options for Bitbucket Cloud:

Deleted user October 27, 2020

I don't think that many shops have their on-site Jenkins-server accessible by the internet. But that's beside the point.

The point is that connectivity from the cloud to the inner parts of your DC or build environment is almost never easy because of firewall rules and such. And the fact that the origin of such requests is a cloud isn't making it any easier.

Sure, if EVERYTHING is residing in cloud services, then it doesn't matter. But not everyone is running everything in the cloud, but still hosts stuff on normal servers in their own data-center or their own office for that matter.

Daniel Eads
Atlassian Team
October 23, 2020

Hi all,

As @Jack Brickey pointed out, Data Center allows you full control of where the application and its data are hosted - on your own on-premise infrastructure, a private cloud in your country, or in a public cloud (AWS, Azure) with region controls you deem fit.

In terms of the cloud applications, Data Residency is offered in our Enterprise Cloud offering, which allows for certain data types to be pinned to the US or EU region. The EU regions are in Frankfurt, Germany and Dublin, Ireland. In addition, we're working with our marketplace vendors to provide data residency options for marketplace apps, outlined on our product roadmap. If you don't see what you need for your industry on the roadmap today, Server still has 3 years ahead of it, and Data Center is the on-premise option beyond that.

Stephan Munz October 26, 2020

And data location is not solving the issue that Atlassian has access to this data as well as Amazon (AWS). According to the GDPR this is considered data processing as well. So even when all data resides in Germany, laws in Australia, Great Britain and the U.S. apply to the legal entity having access to all stored data.

The misconception that all compliance issues can be solved when selecting a European data center is just a big big myth. A myth that is told by non-compliant big-tech companies.

This whole "data location can only be selected in highest priced tier", "moving data to whatever location Atlassian feels fits the best (for whom?)", "we are compliant regarding privacy shield" and the misinterpretation regarding the CJEU rule regarding SCCs just tells us the story, that Atlassian is not caring very much about data protection laws. To say the least.

Everyone within the EU choosing the Atlassian Cloud is taking serious risks. If Atlassian is serious about the GDPR they must have an independent legal entity within the EU without any obligations regarding non-EU legal entities when it comes to data access. And they must get rid of the AWS hosting ...

Marcel Dermois October 26, 2020

For a large company the on-premise Data Center offer might be an option but for a smaller company this $ 20k offering would be prohibitively expensive.

plonnroth October 26, 2020

We are a JIRA Server-using company and also have serious privacy concerns, not only related to GDPR and personnel data, but also because we have our customers' data in our system that we are legally/contractually bound to store on-premises; moving this data into the cloud is not an option.

With under 200 users the price hike moving to datacenter would be steep to say the least and we are looking at a disproportionate cost for development tools. We are going to be between a rock and a hard place with this decision. We really hope the customers' voices would be heard and the decision reconsidered.
