[OSM-dev] Working with OSM data with less or no metadata

Fri Feb 16 13:24:54 UTC 2018

2018-02-16 13:37 GMT+01:00 Simon Poole <simon at poole.ch>:

> The intellectual property rights (I re-quote: "that is restricted by
> copyright, database right or any related right") have nothing to do with
> the subject at hand, the data privacy rights of the individual data
> subject. As a consequence the contributor terms have no bearing, in any
> form, at all, even in an alternative universe, on the matter.
>

I really have no idea what "related right" means, not even if it relates to
"copyright and database right" or to "Contents".

>
> If you look at our recommendation document you will note that we believe
> that we currently do not have consent as defined by the GDPR for the
> processing we do. As a consequence we will likely recommend  asking for
> explicit consent somewhere in the sign up process (from a content pov this
> already exists in the privacy policy but it needs to be re-jigged to work
> as part of the terms of use that will have to be explicitly agreed to for
> account creation).
>
> However having valid consent for current processing does not remove the
> issue that Paul has pointed out (again) that consent can be redrawn and
> that such a withdrawal applies retroactively. The main cause why we one way
> or the other should change what data we distribute to the general public.
>

by asking explicitly we would confirm we believe that privacy rights are
relevant, and it could indeed become more of a problem as people revoke.

You are refering to this document:
https://docs.google.com/document/d/1EjccQNm3awl7eQlk1jGYyoGJVavJG_bEfX8iCMEuC9U/edit#

The relevant paragraph is "Does the OSMF process ‘personal data’?"

I don't share the interpretation that OSMF processes personal data (besides
the e-mail addresses and maybe IP addresses used by its contributors, which
are neither distributed nor public), because I don't think that our mappers
can be identified with the data and metadata of their contributions. I.E.
they are not identifiable natural persons because they cannot be
identified, directly or indirectly. Yes, if you know who they are you can
see what they did, but you cannot see from what they did who they are. At
best you can guess, but it only works if you have additional information
that the person (or someone else) would have to provide you with. What we
have according to these definitions is "pseudonymisation" (because OSMF has
the sign-up e-mail address associated with the user number, and is therefor
in a position to make personal data from the contributions).

If someone tries to reverse the pseudonymisation of our contributor's data
and metadata, it would be this person to be in breach of the law.

An exception might occur in very rare cases in areas where the contributor
is the only person being there within a big distance, i.e. extremely remote
areas, and probably not in the European Union.

For reference,

General Data Protection Regulation
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Cheers,
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/dev/attachments/20180216/c33a6762/attachment-0001.html>