diff --git a/CHANGELOG.md b/CHANGELOG.md
index 855e5c3cc1..a75d24f86a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ ### Fixes
 - Only send userid in Dynamic Sampling Context if sendDefaultPii is true ([#2147](https://github.com/getsentry/sentry-java/pull/2147))
+- Remove userId from baggage due to PII ([#2157](https://github.com/getsentry/sentry-java/pull/2157))
 ### Features
diff --git a/buildSrc/src/main/java/Config.kt b/buildSrc/src/main/java/Config.kt
index f11778e5d9..bdde2efb87 100644
--- a/buildSrc/src/main/java/Config.kt
+++ b/buildSrc/src/main/java/Config.kt
@@ -5,6 +5,7 @@ object Config {
 val kotlinStdLib = "stdlib-jdk8"
 val springBootVersion = "2.6.8"
+ val springSecurityVersion = "5.6.5"
 val kotlinCompatibleLanguageVersion = "1.4"
 val composeVersion = "1.1.1"
@@ -72,7 +73,7 @@ object Config {
 val springBootStarterAop = "org.springframework.boot:spring-boot-starter-aop:$springBootVersion"
 val springBootStarterSecurity = "org.springframework.boot:spring-boot-starter-security:$springBootVersion"
 val springBootStarterJdbc = "org.springframework.boot:spring-boot-starter-jdbc:$springBootVersion"
- val springBootStartOauth2ResourceServer = "org.springframework.boot:spring-boot-starter-oauth2-resource-server:$springBootVersion"
+ val springSecurityOauth2Jose = "org.springframework.security:spring-security-oauth2-jose:$springSecurityVersion"
 val springWeb = "org.springframework:spring-webmvc"
 val springWebflux = "org.springframework:spring-webflux"
diff --git a/sentry-spring-boot-starter/build.gradle.kts b/sentry-spring-boot-starter/build.gradle.kts
index a76ead65a3..84040d7f07 100644
--- a/sentry-spring-boot-starter/build.gradle.kts
+++ b/sentry-spring-boot-starter/build.gradle.kts
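Review bot: In buildSrc/src/main/java/Config.kt, the new `val springSecurityVersion = "5.6.5"` is pinned by hand beside `springBootVersion`, and nothing on the line says the two have to move together. The artifact it feeds in the second Config.kt hunk (`springSecurityOauth2Jose`) replaces a coordinate that was versioned with `$springBootVersion`, so a later Boot bump that misses this constant would compile the starter against a different Spring Security release than Boot users resolve. I would add a comment on the new line such as `// keep in sync with the Spring Security version managed by Spring Boot $springBootVersion`. The `Config` object starts and ends outside both hunks.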
@@ -42,7 +42,7 @@ dependencies {
 compileOnly(Config.Libs.servletApi)
 compileOnly(Config.Libs.springBootStarterAop)
 compileOnly(Config.Libs.springBootStarterSecurity)
- compileOnly(Config.Libs.springBootStartOauth2ResourceServer)
+ compileOnly(Config.Libs.springSecurityOauth2Jose)
 compileOnly(Config.Libs.reactorCore)
 annotationProcessor(Config.AnnotationProcessors.springBootAutoConfigure)
diff --git a/sentry/src/main/java/io/sentry/TraceContext.java b/sentry/src/main/java/io/sentry/TraceContext.java
index 28a235797b..5adbd57d47 100644
--- a/sentry/src/main/java/io/sentry/TraceContext.java
+++ b/sentry/src/main/java/io/sentry/TraceContext.java
@@ -56,17 +56,21 @@ public final class TraceContext implements JsonUnknown, JsonSerializable {
 final @Nullable User user,
 final @NotNull SentryOptions sentryOptions,
 final @Nullable TracesSamplingDecision samplingDecision) {
+ // user_id isn't part of the dynamic sampling context right now because
+ // of PII concerns.
+ // https://develop.sentry.dev/sdk/performance/dynamic-sampling-context/#the-temporal-problem
 this(
 transaction.getSpanContext().getTraceId(),
 new Dsn(sentryOptions.getDsn()).getPublicKey(),
 sentryOptions.getRelease(),
 sentryOptions.getEnvironment(),
- getUserId(sentryOptions, user),
+ null, // getUserId(sentryOptions, user),
 user != null ? getSegment(user) : null,
 transaction.getName(),
 sampleRateToString(sampleRate(samplingDecision)));
 }
+ @SuppressWarnings("UnusedMethod")
 private static @Nullable String getUserId(
 final @NotNull SentryOptions options, final @Nullable User user) {
 if (options.isSendDefaultPii() && user != null) {
diff --git a/sentry/src/test/java/io/sentry/SentryTracerTest.kt b/sentry/src/test/java/io/sentry/SentryTracerTest.kt
index c5bc1a37a6..b5145a4658 100644
--- a/sentry/src/test/java/io/sentry/SentryTracerTest.kt
+++ b/sentry/src/test/java/io/sentry/SentryTracerTest.kt
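Review bot: In sentry/src/main/java/io/sentry/TraceContext.java, the new argument `null, // getUserId(sentryOptions, user),` keeps the old call as commented-out code and leaves `getUserId` dead behind `@SuppressWarnings("UnusedMethod")`, so the `isSendDefaultPii()` gate is never reached and putting user_id back is a one-token uncomment that is easy to miss in review. I would either delete `getUserId` or write the argument as `null, // user_id intentionally omitted from the dynamic sampling context (PII)` and say on the method why it is kept. The delegated `this(...)` overload still takes a user id, so construction paths not visible in this hunk could presumably still populate it. The next argument, `getSegment(user)`, is still passed without consulting `sendDefaultPii`, which is worth confirming as intended. The constructor signature and the body of `getUserId` both extend outside the hunk.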
@@ -496,7 +496,7 @@ class SentryTracerTest {
 assertEquals("environment", it.environment)
 assertEquals("release@3.0.0", it.release)
 assertEquals(transaction.name, it.transaction)
- assertEquals("user-id", it.userId)
+ // assertEquals("user-id", it.userId)
 assertEquals("pro", it.userSegment)
 }
 }
@@ -569,7 +569,7 @@ class SentryTracerTest {
 assertTrue(it.value.contains("sentry-release=1.0.99-rc.7,"))
 assertTrue(it.value.contains("sentry-environment=production,"))
 assertTrue(it.value.contains("sentry-transaction=name,"))
- assertTrue(it.value.contains("sentry-user_id=userId12345,"))
+ // assertTrue(it.value.contains("sentry-user_id=userId12345,"))
 assertTrue(it.value.contains("sentry-user_segment=pro$".toRegex()))
 }
 }
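Review bot: In sentry/src/test/java/io/sentry/SentryTracerTest.kt, both hunks (at lines 496 and 569) comment out the user-id assertion instead of asserting the new behaviour, so no test fails if user_id reappears in the trace context or the baggage header. Replace the commented lines with negative checks: `assertNull(it.userId)` in the first hunk and `assertFalse(it.value.contains("sentry-user_id"))` in the second. The matching imports may need adding, since the import block is not visible here. Both enclosing test functions start outside their hunks.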