[OSM-dev] GDPR implementation on planet.osm.org
Christoph Hormann
osm at imagico.de
Wed Jun 20 19:31:45 UTC 2018
On Wednesday 20 June 2018, Roland Olbricht wrote:
> [...]
> Taking GDPR serious means every data processor must decide which use
> cases they make simple, which use cases they make hard, and tailor
> the documentation according to that. For example, for that reason
> Overpass API has no feature to track all actions of a single user. I
> have proposed a declaration tailored to Overpass API on the FOSSGIS
> list (the FOSSGIS is sponsoring the server operations), and I would
> prefer to go forward with that one. A central ToU does not help,
> hence having it ticked or not is of no interest to the data
> processor.
Since not everyone knows the draft you suggested in FOSSGIS - the plans
you sketch there (correct me please if i am wrong) essentially say that
you intend to continue distributing geodata and timestamps without
access restrictions but plan to manage restricted access to other data
(changesets and user identities) using your own mechanism and own
criteria of approval (which are not completely finalized yet).
As i understand your mail here you think this clashes with the OSMF
plans because these will require you - for accessing the raw data to
feed into the Overpass API - to accept the OSMF ToU which likely will
a) not allow you to distribute data with timestamps without access
restrictions
b) require you to implement access restrictions using OAuth
I assume if this is actually the case will depend on the specifics of
the OSMF ToU. I would also assume that (b) most likely would not
require you to use OAuth with every request, you probably could just
use OAuth when people register with you for an API key.
--
Christoph Hormann
http://www.imagico.de/
More information about the dev
mailing list