[OSM-dev] GDPR implementation on planet.osm.org

Simon Poole simon at poole.ch
Wed Jun 20 07:26:26 UTC 2018

Am 20.06.2018 um 07:58 schrieb Jochen Topf:
> [ a lot of stuff that is (technically) reasonably easy deleted ]
> On Tue, Jun 19, 2018 at 10:54:07PM +0200, Frederik Ramm wrote:
>> 3a. issue guidelines about what you are allowed to do with the user data
>> files,
>> 3b. ensure that everyone who has an OSM account agrees to these
>> guidelines one way or the other,
> This is the part that's not easy and where there is a lot of important
> detail missing. You have to get everybody to agree, which is not going
> to happen. So you have to add some flag to the database telling the
> system whether you are allowed to download or not. You probably have to
> change rules in the future so you have to make this generic, keeping
> information about who clicked through which version of the rules. So you
> are generating more information you are tracking with each user, more
> personal information for which you need consent from the user. 
A) we are not asking for consent, B) yes, we will need an extra flag for
ToU acceptance.

But in any case, up to here this is a fairly accurate description of what
the intent is.

> All of
> this needs to be tied in the OAuth stuff and it has to be done in a way
> that 3rd party services using OSM data can ask *their* downstream users
> to identify in the same way which allows OSM to track everybody who uses
> the full OSM data everywhere adding more personal data to keep and to
> explain to users and get permissions from users for.
- anybody using OSM data without the user data is not going to be
affected at all and they don't need to change anything (I've seen
indications that this could be more than 99% of all users downloading
OSM data)
- as has been outlined before, 3rd parties using OSM data with user data
will be acting as independent data controllers and will not be
processing data on behalf of the OSMF (which would require a DPA and all
the associated complications). They will have to make their own
determinations on how to deal with the situation. We will provide some
support to such entities to help them fulfil their legal obligations
(for example a list of deleted users), but that's it. Naturally the GDPR
applies to such entities completely regardless of what we say, since the
GDPR just happens to be the law. There are still some open questions on
exactly what needs to be done, in particular wrt transfers of data to
countries where the EU hasn't made an equivalence determination, but we
are slowly firming that up.

> Please stop this nonsense now!
> Jochen
