[OSM-dev] GDPR implementation on planet.osm.org

Christoph Hormann osm at imagico.de
Wed Jun 20 06:32:06 UTC 2018

On Tuesday 19 June 2018, Frederik Ramm wrote:
> 3b. ensure that everyone who has an OSM account agrees to these
> guidelines one way or the other,

This is the point that looks very fuzzy to me.  Could someone point out 
the legal concept behind this idea for me?

Such agreement would not be an agreement to process your own data given 
by individuals to the OSMF (which is the kind of agreement you would 
normally expect in the GDPR context).  You probably mean some kind of 
contractual agreement about what can be done with the data.  But to be 
honest I don't really see the point in that.  People who download the 
data can easily create an ad hoc account every time they download data.  
The OSMF does not verify the identity of who is behind a user account 
created.  So what do you expect to gain from such an agreement?  Is 
there any reason to assume that in a case of such data being released 
in a way that is not according to the legal requirements by a third 
party the agreement can be used to avoid legal responsibility for the 
OSMF it would otherwise need to face?  To me this looks more like cargo 
cult actionism, doing something that communicates being a serious 
measure at the surface but which is a hollow promise at a closer look.

Note these concerns are not about the idea of restricting access to 
sensitive data to logged-in users; they are about requiring some kind of 
agreement from these users.

What I can understand is giving people a simple selection option between 

[ ] I want to be safe w.r.t. personal data and not being provided 
potentially sensitive information when logged in.
[ ] I want to have the possibility to access potentially sensitive data 
when logged in.

which would mainly be a service to the user - kind of like the sensitive 
content switch on YouTube.

Christoph Hormann

