<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 21.04.2018 at 01:39, Rob
Nickerson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAK4yQTkrQSUXfNNYGZN2rz2mNWcg6NTJzLS=N6_adofui0u1zQ@mail.gmail.com">
<div dir="ltr">
<div>
<div>Thanks Simon. Lots of work has obviously gone into this
so a big thank you (and the LWG) for your time.<br>
<br>
</div>
<div>Three questions/comments:<br>
</div>
<ol>
<li>It's quite a long document so would benefit from an Exec
Summary if time permits.</li>
<li>I'm interested in who you have engaged with as we are
clearly not the only company affected. In addition to the
"professional counsel" have we reached out to
similar groups to the OSMF - for example WikiMedia and
maybe the Open Data Institute?</li>
</ol>
</div>
</div>
</blockquote>
We've had contact with the WMF, but no input from them (I have to
say that that tends to be the norm). Two external specialists and
input from legal teams of members of the advisory board.<br>
<br>
<blockquote type="cite"
cite="mid:CAK4yQTkrQSUXfNNYGZN2rz2mNWcg6NTJzLS=N6_adofui0u1zQ@mail.gmail.com">
<div dir="ltr">
<div>
<ol start="3">
<li>I understand that GDPR does not stop companies from
using/processing data (business as usual activities)
internally and it does not stop them sharing it with a
third party under standard business contracting. Rather it
is setting the rules of the game - or more precisely
creating a common standard across the EU (the UK has had a
Data Protection Act for many years now). As such OSMF can
continue to use/process the full dataset, but as we know
OSMF company is small with no full time employees. Their
hands off approach to date has allowed for an ecosystem to
grow around OSM. In the new GDPR world, OSMF will be
forced to make more decisions as to which parties can be
handed the full dataset ("processors"/"third parties" in
GDPR speak if I have understood it correctly). Do we know
how OSMF intend to manage this? Will OSMF now be in a
position where it has to formally commission/contract out
research projects if we want to analyse user stats to
better understand our member diversity (as an example)?<br>
</li>
</ol>
</div>
</div>
</blockquote>
The model we are gyrating to for third parties is that while we
will provide some support (for example a deleted user list), we are
trying not to put ourselves in the role of deciding who can and who
cannot have the meta-data (outside of restricting access to
countries where an equivalence determination has been made, which we
may not be able to get around). The minimal implementation would
likely simply be a list of persons/entities that have obtained the
meta-data with contact details and links to the respective privacy
policies.<br>
<br>
That doesn't mean that there will be no changes for such third
parties; they need to think about the consequences of the GDPR for
themselves, and how they can show that the processing they are doing
is lawful. If the OSMF actually wanted such processing to be done on
contract by a third party, yes then it would need a contract :-),
but afaik that hasn't occurred in the last 14 years and is unlikely
to happen in the next 14.<br>
<br>
Simon<br>
<blockquote type="cite"
cite="mid:CAK4yQTkrQSUXfNNYGZN2rz2mNWcg6NTJzLS=N6_adofui0u1zQ@mail.gmail.com">
<div dir="ltr">
<div>
<p>That last question is probably one for the OSMF Board and
is a reflection that their hands-off style may have to
change in light of GDPR - unless of course they decide that
nobody should get the complete data.<br>
</p>
</div>
<div class="gmail_extra">Thank you,<br>
<br clear="all">
</div>
<div class="gmail_extra">
<div>
<div class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr"><span style="color:rgb(0,0,255)"><b>Rob</b></span><br>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On 17 April 2018 at 11:48, Simon
Poole <span dir="ltr">&lt;<a href="mailto:simon@poole.ch"
target="_blank" moz-do-not-send="true">simon@poole.ch</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>On the 25th of May 2018 the <b><a
href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation"
rel="mw:ExtLink" target="_blank"
moz-do-not-send="true">General Data Protection
Regulation (GDPR)</a></b> will enter into force,
this will likely result in some changes in how
OpenStreetMap operates and distributes its data.</p>
<p>The LWG has prepared a position paper on the matter
that has been reviewed by data protection experts and
in general the approach to not rely on explicit
consent has been validated. It should be noted that
while the paper outlines our approach, some of the
details still need to be determined. In particular the
future relationship with community and third party
data consumers that utilize OSM meta-data and what
will actually be dropped/made less accessible of the
data listed in Appendix B.</p>
<p><a
href="https://wiki.openstreetmap.org/wiki/File:GDPR_Position_Paper.pdf"
rel="mw:ExtLink" target="_blank"
moz-do-not-send="true">LWG GDPR Position Paper</a></p>
<p>Please feel free to discuss on the <a
href="https://wiki.openstreetmap.org/wiki/Talk:GDPR"
target="_blank" moz-do-not-send="true">talk page</a>
or on this list.</p>
<span class="HOEnZb"><font color="#888888">
<p>Simon<br>
</p>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>