[Osmf-talk] [OSM-talk] GDPR introduction
Kathleen Lu
kathleen.lu at mapbox.com
Fri Apr 20 18:49:58 UTC 2018
>
> it could be done like the license change, if you don’t agree with the
> distribution of metadata for your edits, your (user value) would be wiped
> from the objects and changesets, and you won’t be able to continue
> contributing.
> It’s a bit pointless anyway to ask for retroactive deletions, because the
> data is already distributed.
>
So two issues that make this less than simple.
First, on retroactive deletions, I agree with you logically, but that is
not the way the law is written. Under a consent model, the data subject has
the right to revoke consent whether similar data is out there elsewhere in
the world or not.
Second, I don't have the exact stats, but I believe with the license change
some 30% of mappers could not be reached. That is a *lot* of metadata that
would be affected. My view is that it is important for OSM to maintain this
metadata so that it can be referenced by DWG in future investigations, even
if the metadata is treated confidentially. Additionally, sending out all
those emails and tracking check-ins is logistically quite difficult. Given
OSM's purposes, which really are in the public interest, I think a
legitimate interests basis is on balance a better fit.
> Is there a list of countries that have (not) made agreements with the EU
> on this? Without a contract there is no way this law could be enforced
> outside the jurisdiction (as any law). We could distribute 2 versions, an
> EU version and one to work with.
>
GDPR can be enforced against anyone in the EU or doing business in/with
the EU. So that includes OSMF and all the people who work on OSM projects
who live in the EU.
> I would still argue we don’t collect personal information, because the
> usernames are pseudonyms and without external references and knowledge
> there is no way to prove who someone is (unless they tell you, maybe).
>
GDPR specifically contemplates indirect identification by reference to
other sources:
*"'personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person;"*
For example, most legal interpretations of GDPR have concluded that IP
addresses are personal data. Policy-wise, I agree with you, but we're
concerned about how EU regulatory authorities will interpret this and want
to be cautious.
-Kathleen