<div dir="ltr"><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>> However, nothing explicitly states that personal data in metadata is distributed with our
geo-data, and a person who does not fully investigate OSMF’s APIs and data dumps would
not necessarily understand this.
In summary we currently lack both the explicit consent and contractual obligations to process
the personal data lawfully in all of the current ways we do so. The Contributor Terms and
Privacy Policy could be updated to explicitly describe and require affirmative consent to all
data processing.<br></div><div><br></div><div>I couldn't see that last point in the Recommendations. Is it not an option to simply be more explicit in the Contributor Terms that your username, timestamp, and geo-data which you are uploading to OSM is made publicly available? That would prevent any need to cut out metadata from the public apis, data dumps.</div><div><br></div><div>I can understand having in place a clear policy on what OSMF does with non-public data like user email, ip address, but OSM was designed to make the username and timestamp of all edits public.</div></div><br></div></div></blockquote><div><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" id="inbox-inbox-docs-internal-guid-36dfda70-d9c0-dd58-f618-fbfe6bf2d906"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Unfortunately, this would not help retroactively with edits made before the policy went in place. Also, with a consent model, the user would still have the right to request deletion, which would mean we would need the technical ability to make these types of metadata non-public on a user-by-user level, upon request. </span></p><br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"></div><div class="gmail_extra"></div></div><div dir="ltr"><div class="gmail_extra"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">On 18 April 2018 at 02:23, Simon Poole<span> </span></span><span dir="ltr" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><<a href="mailto:simon@poole.ch" style="color:rgb(17,85,204)" target="_blank">simon@poole.ch</a>></span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span> </span>wrote:</span><blockquote class="gmail_quote" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">The GDPR applies to anybody either in the EU or processing data of EU residents, there is no reason that you can't run a hdyc like site outside of the EU (it would likely have to be in a country for which an equivalence determination has been made), as long as you adhere to the relevant regulations.</div></blockquote><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div></div></div><div dir="ltr"><div class="gmail_extra"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">I guess I'm trying to work out is there any way OSM communities outside the EU can avoid being caught up in this?</div></div></div></blockquote><div><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" id="inbox-inbox-docs-internal-guid-36dfda70-d9c1-b6b4-9e31-7dc433ccbc49"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The EU intentionally designed this law to capture as many actors as they could, especially internationally-operating organizations. I suppose that a OSM local chapter in a non-EU country could keep their local membership list of only local residents, etc. without reference to GDPR, but given that OSMF is in an EU country, I don’t see how activities involving OSM data that could be personal data can avoid GDPR. </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">But there will still be a public dataset, so if the community sticks to using the public dataset, then it probably doesn’t have to deal with GDPR itself, apart from what OSMF will do, because it won't be handling personal data.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span></p> </div></div></div>