Just over two years ago, Atlassian’s Public Policy team launched a set of eight principles for what we believed sound tech regulation looks like.
In the spirit of “open company, no bullshit,” our regulatory principles ensure we are open with governments about our perspective and approach. They guide how our team engages with governments around the world, and we regularly refer back to them in our submissions to policy consultations.
Our principles serve as a stake in the ground for what we believe good regulation looks like, and ultimately, what should be avoided.
Why do we need guiding principles? Regulating an innovative and shifting tech landscape is hard – and even with the best of intentions, governments sometimes miss the mark. Tech can accelerate and empower the best of humanity, enabling creativity, innovation and making it easier to start, grow and scale new businesses globally. But sadly, it can also amplify some of humanity’s worst traits and behaviors.
We had concerns that governments were over-indexing on the bad stuff. So at their core, our principles state that government attempts to minimize the negatives must be balanced against their potential impact on the positives, particularly the impact regulation can have on customer trust in technology providers’ custodianship of their data.
It’s our responsibility to lead by example
The tech sector must be an active participant in policy processes. In addition to providing our perspective, we should proactively help governments understand the opportunities and risks of new technology.
We believe it is the industry’s responsibility to build trust and confidence in how we develop and use new technologies with both governments and customers. Atlassian’s Responsible Technology Principles guide how we build, deploy, and use new technologies – like AI – in a way that is well-considered, human-centric, pro-customer, and pro-privacy.
At Atlassian, our Global Policy team works collaboratively with governments: to listen, inform, educate, and build mutual understanding. And, when regulatory measures threaten to interfere with the best interests of our customers, we engage with industry partners to push back and seek course corrections.
How Atlassian Gives Customers Control Over Their Data
“Don’t F&**k the customer” is a value we live by. From a product perspective, that means we’re always striving to give our customers options to manage their data in a way that meets their unique requirements – such as best-in-class security for our cloud, Bring Your Own Key (BYOK) encryption, and the ability to install our Data Center offerings on your choice of infrastructure.
While we believe in a single open and free Internet, we recognize that customers have strong preferences for controlling how and where their data is handled. To this end, we are working on a growing footprint of data residency options.
Similarly, the potential impact that proposed government regulations and policy could have on our customers and partners is always top of mind. We strategically collaborate with industry and civil society to improve laws in line with our principles, as we did with Australia’s Assistance and Access Act. The reforms to the Act that we called for, including greater oversight and independent authorization, were backed by the Independent National Security Legislation Monitor’s (INSLM) review. We remain optimistic that the current Australian Government will implement these important reforms to improve customer trust.
Atlassian’s approach to working with governments today
The tech regulatory landscape has accelerated over the last decade. Some developments have been good, some bad, and some downright ugly.
While openness and transparency build trust, secrecy builds suspicion. As stated in our regulatory principles, policymakers should Consult Early, Consult Often and Let the Light In, not just because it avoids developing mistrust, but because it also leads to better policy outcomes.
We support open and consultative efforts that seek to build trust in technology – like cybersecurity-focused initiatives such as NIST’s Secure Software Development Framework and the Australian Government’s Security of Critical Infrastructure (SOCI) Act. In contrast, the secrecy surrounding the US Government’s foreign surveillance regime has done more to fuel customer concerns around cloud adoption than any technical hurdle.
It’s our belief that customers are best served (and less confused) by greater regulatory harmonization – particularly around the management and protection of personal information. This allows customers to more readily trust that their technology providers will apply a consistent, understandable set of practices. To that end we have called for the Australian Government to adopt a clear distinction between processors and controllers in its review of the Privacy Act, bringing it into line with the EU’s General Data Protection Regulation (GDPR). Recognizing this global dynamic is the basis of our regulatory principle Tech (and trust) is global.
What Atlassian is doing today to influence future data regulation
For decades, tension has existed between the protection of personal communications and privacy and the desire for law enforcement and national security agencies to increase surveillance options. Many would argue that since 2001, the balance of these powers has shifted too far in favor of surveillance.
The OECD’s Declaration on Government Access to Personal Data Held by Private Sector Entities, the first set of multilateral safeguards on law enforcement and national security access to data, is a very welcome development in resetting this balance.
However, we still need real national-level surveillance law reform.
Later this year, the US Congress will consider the reauthorization of Section 702 of the FISA Amendments Act, a law that permits US agencies to undertake surveillance outside the US. Similarly, the EU is implementing its e-Evidence Regulation and the Australian Government is engaged in electronic surveillance reform.
We encourage the US and EU to continue to work together towards a new CLOUD Act agreement – joining the agreements already signed with Australia and the UK – to clarify the rules of the road (including checks and balances) around extraterritorial government access to data.
Across all of those processes, Atlassian will be advocating for better protections for enterprise customer data and improved transparency, and we welcome others in the tech industry to join us.
Lastly, as we say in Australia, we’re not here to f**k spiders.
Be it improved security and data protection measures, increased options for data storage or pushing hard for better checks and balances in international law – Atlassian is on your side when it comes to guarding your data. We know our customers have lots of questions about Atlassian products and regulations; please keep them coming! Hearing what matters to you allows our Global Policy team to prioritize the issues that drive your business forward.