[Osmf-talk] [OSM-talk] GDPR introduction

Kathleen Lu kathleen.lu at mapbox.com
Wed Apr 18 17:18:29 UTC 2018


> > However, nothing explicitly states that personal data in metadata is
> > distributed with our geo-data, and a person who does not fully investigate
> > OSMF’s APIs and data dumps would not necessarily understand this. In
> > summary we currently lack both the explicit consent and contractual
> > obligations to process the personal data lawfully in all of the current
> > ways we do so. The Contributor Terms and Privacy Policy could be updated to
> > explicitly describe and require affirmative consent to all data processing.
>
> I couldn't see that last point in the Recommendations. Is it not an option
> to simply be more explicit in the Contributor Terms that your username,
> timestamp, and geo-data which you are uploading to OSM is made publicly
> available? That would prevent any need to cut out metadata from the public
> apis, data dumps.
>
> I can understand having in place a clear policy on what OSMF does with
> non-public data like user email, ip address, but OSM was designed to make
> the username and timestamp of all edits public.
>
Unfortunately, this would not help retroactively with edits made before
the policy went in place. Also, with a consent model, the user would still
have the right to request deletion, which would mean we would need the
technical ability to make these types of metadata non-public on a
user-by-user level, upon request.



> On 18 April 2018 at 02:23, Simon Poole <simon at poole.ch> wrote:
>>
>> The GDPR applies to anybody either in the EU or processing data of EU
>> residents, there is no reason that you can't run a hdyc like site outside
>> of the EU (it would likely have to be in a country for which an equivalence
>> determination has been made), as long as you adhere to the relevant
>> regulations.
>>
>
> I guess I'm trying to work out is there any way OSM communities outside
> the EU can avoid being caught up in this?
>

The EU intentionally designed this law to capture as many actors as they
could, especially internationally-operating organizations. I suppose that an
OSM local chapter in a non-EU country could keep their local membership
list of only local residents, etc. without reference to GDPR, but given
that OSMF is in an EU country, I don’t see how activities involving OSM
data that could be personal data can avoid GDPR.

But there will still be a public dataset, so if the community sticks to
using the public dataset, then it probably doesn’t have to deal with GDPR
itself, apart from what OSMF will do, because it won't be handling personal
data.