<div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
it could be done like the license change, if you don’t agree with the
distribution of metadata for your edits, your (user value) would be
wiped from the objects and changesets, and you won’t be able to continue
contributing.</blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It’s a bit pointless anyway to ask for retroactive deletions, because the data is already distributed.<br>
<br></blockquote></div><div dir="ltr"><div class="gmail_quote"><div>So two issues that make this less than simple. <br>First, on retroactive deletions, I agree with you logically, but that is not the way the law is written. Under a consent model, the data subject has the right to revoke consent whether similar data is out there elsewhere in the world or not. <br></div><div>Second, I don't have the exact stats, but I believe with the license change some 30% of mappers could not be reached. That is a *lot* of metadata that would be affected. My view is that it is important for OSM to maintain this metadata so that it can be referenced by DWG in future investigations, even if the metadata is treated confidentially. Additionally, sending out all those emails and tracking check-ins is logistically quite difficult. Given OSM's purposes, which really are in the public interest, I think a legitimate interests basis is on balance a better fit. <br></div></div></div><div dir="ltr"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Is there a list of countries that have (not) made agreements with the EU on this? Without a contract there is no way this law could be enforced outside the jurisdiction (as any law). We could distribute 2 versions, an EU version and one to work with.<br>
<br></blockquote></div></div><div dir="ltr"><div class="gmail_quote"><div>GDPR can be enforced against anyone in the EU or doing business in/with the EU. So that includes OSMF and all the people who work on OSM projects who live in the EU. <br></div></div></div><div dir="ltr"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I would still argue we don’t collect personal information, because the usernames are pseudonyms and without external references and knowledge there is no way to prove who someone is (unless they tell you, maybe). <br></blockquote><div><br></div><div>GDPR specifically contemplates indirect identification by reference to other sources:<br><i>"‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person;"</i><br><br></div><div>For example, most legal interpretations of GDPR have concluded that IP addresses are personal data. Policy-wise, I agree with you, but we're concerned about how EU regulatory authorities will interpret this and want to be cautious. <br></div><div><br></div><div>-Kathleen</div></div></div></div>