Privacy shield; Atlassian pushing users towards cloud; GDPR compliancy EU customers?

Since mid July Privacy Shield is void (https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update) while Atlassian is pushing all customers towards Cloud. This raises some serious GDPR concerns: as an EU company we are not allowed to process personal data in the US.

There have been some hints in the past that Atlassian was considering serving EU customers from datacenters in Ireland (https://community.atlassian.com/t5/Jira-questions/GDPR-European-quot-General-Data-Protection-Regulation-quot/qaq-p/638038) but the current status is not clear to me.

8 comments

Time to move away from Jira within the next few years. Not gonna follow into the "cloud".

Like Thomas Dörfler likes this
Jack Community Leader Oct 18, 2020

I will move this to discussions since there really isn’t a question here.

One consideration is Data Center.

As a small company located in Germany, we have selected Jira as our collaboration tool and invested substantially to integrate it into our internal workflows. From the start we have chosen to run our own local server, to avoid privacy problems.

Atlassian forcing us to move to an international cloud system at a time they obviously have not understood (or do not care?) that privacy shield is dysfunctional and obsolete really makes me think how much they care about international IT laws and the safety of their customers' data.

I hope that as many European user companies as possible will stand up and request a correction of this decision.


We are located in Germany as well and will not move our data to a cloud system operated by foreign legal entities.


> Since mid July Privacy Shield is void (https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update)
> while Atlassian is pushing all customers towards Cloud.

Atlassian seems to ignore this fact:

https://www.atlassian.com/trust/privacy/gdpr
"We support appropriate international data transfer mechanisms by maintaining our Privacy Shield certifications,"

Besides that, there are more serious issues:

* Atlassian will store all data in whatever geographical region they want. Customers cannot restrict those regions.

* Atlassian is located in Great Britain and Australia. Both are / will become third party countries according to the GDPR.

* The CJEU court voided the privacy shield framework because the US does not provide a sufficient level of data protection (mainly because of US surveillance law).

* Atlassian is storing all data in the AWS which is operated by Amazon - a US-based company.


More issues:

* Selecting a data center region within Europe is not solving the issue as long as companies from third party countries do have access to the data that is stored. Just the ability to access data implies data processing as well. So in case of Atlassian there is at least the US, Australia and Great Britain. All of them are famous for their excessive intelligence laws - which was the reason why privacy shield (and the predecessor "Safe Harbour") was voided.

* The SCC or BCR cannot be used when the data processor resides in a country without an appropriate level of data protection. Though many big companies are ignoring this fact. It is the duty of the data protection authorities to stop unlawful data transfers.


So when Atlassian is telling us to move to the cloud for compliance reasons and trying to make privacy shield appear as a valid legal basis for data processing at the very same time, it does not strengthen our confidence in Atlassian understanding European data protection laws.


Our company is also in Europe, so if this is continued we will have to evaluate what we are going to do with it. I hope Atlassian comes up with a solution for this.


Even if they come up with a solution for the GDPR-related issues, pricing will be another thing. How about connections from your local DC back and forth to the Atlassian Cloud (wherever it is located)? How would you trigger a build from Bitbucket (in the cloud) on your local Jenkins servers? Does everybody get a free Bamboo license with their Bitbucket license with unlimited cloud builds?

Daniel Eads Atlassian Team Oct 26, 2020

Assuming that long-term, you would prefer Cloud over Data Center, there are some on-premise build options for Bitbucket Cloud:

I don't think that many shops have their on-site Jenkins-server accessible by the internet. But that's beside the point.

The point is that connectivity from the cloud to the inner parts of your DC or build environment is almost never easy because of firewall rules and such. And the fact that the origin of such requests is a cloud isn't making it any easier.

Sure, if EVERYTHING is residing in cloud services, then it doesn't matter. But not everyone is running everything in the cloud; some still host stuff on normal servers in their own data center or their own office for that matter.

Daniel Eads Atlassian Team Oct 23, 2020

Hi all,

As @Jack pointed out, Data Center allows you full control of where the application and its data are hosted - on your own on-premise infrastructure, a private cloud in your country, or in a public cloud (AWS, Azure) with region controls you deem fit.

In terms of the cloud applications, Data Residency is offered in our Enterprise Cloud offering, which allows for certain data types to be pinned to the US or EU region. The EU regions are in Frankfurt, Germany and Dublin, Ireland. In addition, we're working with our marketplace vendors to provide data residency options for marketplace apps, outlined on our product roadmap. If you don't see what you need for your industry on the roadmap today, Server still has 3 years ahead of it, and Data Center is the on-premise option beyond that.

And data location is not solving the issue that Atlassian has access to this data as well as Amazon (AWS). According to the GDPR this is considered data processing as well. So even when all data resides in Germany, laws in Australia, Great Britain and the U.S. apply to the legal entity having access to all stored data.

The misconception that all compliance issues can be solved when selecting a European data center is just a big big myth. A myth that is told by non-compliant big-tech companies.

This whole "data location can only be selected in highest priced tier", "moving data to whatever location Atlassian feels fits the best (for whom?)", "we are compliant regarding privacy shield" and the misinterpretation regarding the CJEU rule regarding SCCs just tells us the story that Atlassian is not caring very much about data protection laws. To say the least.

Everyone within the EU choosing the Atlassian Cloud is taking serious risks. If Atlassian is serious about the GDPR they must have an independent legal entity within the EU without any obligations regarding non-EU legal entities when it comes to data access. And they must get rid of the AWS hosting ...

Like Thomas Dörfler likes this

For a large company the on-premise Data Center offer might be an option, but for a smaller company this $20k offering would be prohibitively expensive.


We are a company using JIRA Server and also have serious privacy concerns, not only related to GDPR and personnel data, but also we have our customers' data in our system that we are legally/contractually bound to store on-premises; moving this data into the cloud is not an option.

With under 200 users the price hike moving to Data Center would be steep to say the least and we are looking at a disproportionate cost for development tools. We are going to be between a rock and a hard place with this decision. We really hope the customers' voices will be heard and the decision reconsidered.
