[OSM-dev] GDPR implementation on planet.osm.org

Christoph Hormann osm at imagico.de
Wed Jun 20 19:31:45 UTC 2018

On Wednesday 20 June 2018, Roland Olbricht wrote:
> [...]
> Taking GDPR serious means every data processor must decide which use
> cases they make simple, which use cases they make hard, and tailor
> the documentation according to that. For example, for that reason
> Overpass API has no feature to track all actions of a single user. I
> have proposed a declaration tailored to Overpass API on the FOSSGIS
> list (the FOSSGIS is sponsoring the server operations), and I would
> prefer to go forward with that one. A central ToU does not help,
> hence having it ticked or not is of no interest to the data
> processor.

Since not everyone knows the draft you suggested in FOSSGIS - the plans 
you sketch there (correct me please if i am wrong) essentially say that 
you intend to continue distributing geodata and timestamps without 
access restrictions but plan to manage restricted access to other data 
(changesets and user identities) using your own mechanism and own 
criteria of approval (which are not completely finalized yet).

As i understand your mail here you think this clashes with the OSMF 
plans because these will require you - for accessing the raw data to 
feed into the Overpass API - to accept the OSMF ToU which likely will 

a) not allow you to distribute data with timestamps without access 
b) require you to implement access restrictions using OAuth

I assume if this is actually the case will depend on the specifics of 
the OSMF ToU.  I would also assume that (b) most likely would not 
require you to use OAuth with every request, you probably could just 
use OAuth when people register with you for an API key.

Christoph Hormann

More information about the dev mailing list