[OSM-dev] GDPR implementation on planet.osm.org

Frederik Ramm frederik at remote.org
Wed Jun 20 07:13:02 UTC 2018


On 20.06.2018 08:32, Christoph Hormann wrote:
> Such agreement would not be an agreement to process your own data given 
> by individuals to the OSMF (which is the kind of agreement you would 
> normally expect in the GDPR context).  You probably mean some kind of 
> contractual agreement about what can be done with the data.

Yes. This also requires the delicate distinction that not everything in
a .osm file is necessarily under ODbL.

> But to be
> honest I don't really see the point in that.  People who download the
> data can easily create an ad hoc account every time they download data.

Yes. There would still be a natural person in front of the monitor who
clicks "I agree to be bound by these rules" though.

> The OSMF does not verify the identity of who is behind a user account 
> created. 

And doesn't intend to.

> So what do you expect to gain from such an agreement?  Is 
> there any reason to assume that in a case of such data being released 
> in a way that is not according to the legal requirements by a third 
> party the agreement can be used to avoid legal responsibility for the 
> OSMF it would otherwise need to face?

I think the idea is more: If someone releases, or abuses, personal OSM
data, it is clear that

* this violates OSMF policy and
* someone somewhere in the transport chain from OSM server to
rule-violating use has agreed to rules that they then broke.

In my view, this is not "cargo cult". If someone comes to us, today, and
complains that their OSM contributions are being used to stalk them,
then we cannot even point to a rule that says you cannot do this. The
stalker is, as far as OSMF is concerned, 100% within their rightful use
of the data. This is something that needs to stop - even if, in the
future, it only becomes marginally more difficult for the stalker to use
OSM data, at least we clearly say that (a) this use is not allowed, and
(b) the stalker knows it.

> What I can understand is giving people a simple selection option between
> [ ] I want to be safe w.r.t. personal data and not being provided
> potentially sensitive information when logged in.
> [ ] I want to have the possibility to access potentially sensitive data
> when logged in.
> which would mainly be a service to the user - kind of like the sensitive
> content switch on YouTube.

This is essentially the login. If you are not logged in to OSM then you
will not have access to personal data. If you are logged in, then you
will. We are not currently planning to offer a third way (logged in with
the capability to edit but unable to see personal data).


Frederik Ramm  ##  eMail frederik at remote.org  ##  N49°00'09" E008°23'33"
