[Osmf-talk] GDPR introduction

Simon Poole simon at poole.ch
Sat Apr 21 07:55:27 UTC 2018 


Am 21.04.2018 um 01:39 schrieb Rob Nickerson:
> Thanks Simon. Lots of work has obviously gone in to this so a big
> thank you (and the LWG) for your time.
>
> Three questions/comments:
>
>  1. It's quite a long document so would benefit from a Exec Summary if
>     time permits.
>  2. I'm interested in who you have engaged with as we are clearly not
>     the only company affected. In addition to the "professional
>     counsel" have we reached out to similar groups to the OSMF - for
>     example WikiMedia and maybe the Open Data Institute?
>
We've had contact with the WMF, but no input from them (I have to say
that that tends to be the norm).  Two external specialists and input
from legal teams of members of the advisory board.

>  1. I understand that GDPR does not stop companies from
>     using/processing data (business as usual activities) internally
>     and it does not stop them sharing it with a third party under
>     standard business contracting. Rather it is setting the rules of
>     the game - or more precisely creating a common standard across the
>     EU (the UK has had a Data Protection Act for many years now). As
>     such OSMF can continue to use/process the full dataset, but as we
>     know OSMF company is small with no full time employees. Their
>     hands off approach to date has allowed for an ecosystem to grow
>     around OSM. In the new GDPR world, OSMF will be forced to make
>     more decisions as to which parties can be handed the full dataset
>     ("processors"/"third parties" in GDPR speak if I have understood
>     it correctly). Do we know how OSMF intend to manage this? Will
>     OSMF now be in a position where it has to formally
>     commission/contract out research projects if we want to analyse
>     user stats to better understand our member diversity (as an example)?
>
The model we are gyrating to for third parties, is that while we will
provide some support (for example a deleted user list), we are trying
not to put ourselves in the role of deciding who can and who cannot have
the meta-data (outside of restricting access to countries where a
equivalence determination has been made, which we may not be able to get
around). The minimal implementation would likely simply be a list of
persons/entities that have obtained the meta-data with contact details
and links to the respective privacy policies.

That doesn't mean that there will be no changes for such third parities,
they need to think about the consequences of the GDPR for themselves,
and how they can show that the processing they are doing is lawful. If
the OSMF actually wanted such processing to be done on contract by a
third party, yes then it would need a contract :-), but afaik that
hasn't occurred in the last 14 years and is unlikely to happen in the
next 14.

Simon
>
> That last question is probably one for the OSMF Board and is a
> reflection that their hand's off style may have to change in light of
> GDPR - unless of course they decide that nobody should get the
> complete data.
>
> Thank you,
>
> *Rob*
>
> On 17 April 2018 at 11:48, Simon Poole <simon at poole.ch
> <mailto:simon at poole.ch>> wrote:
>
>     On the 25th of May 2018 the *General Data Protection Regulation
>     (GDPR)
>     <https://en.wikipedia.org/wiki/General_Data_Protection_Regulation>*
>     will enter in to force, this will likely result in some changes in
>     how OpenStreetMap operates and distributes its data.
>
>     The LWG has prepared a position paper on the matter that has been
>     reviewed by data protection experts and in general the approach to
>     not rely on explicit consent has been validated. It should be
>     noted that while the paper outlines our approach, some of the
>     details still need to be determined. In particular the future
>     relationship with community and third party data consumers that
>     utilize OSM meta-data and what will actually be dropped/made less
>     accessible of the data listed in Appendix B.
>
>     LWG GDPR Position Paper
>     <https://wiki.openstreetmap.org/wiki/File:GDPR_Position_Paper.pdf>
>
>     Please feel free to discuss on the talk page
>     <https://wiki.openstreetmap.org/wiki/Talk:GDPR> or on this list.
>
>     Simon
>
>
>     _______________________________________________
>     osmf-talk mailing list
>     osmf-talk at openstreetmap.org <mailto:osmf-talk at openstreetmap.org>
>     https://lists.openstreetmap.org/listinfo/osmf-talk
>     <https://lists.openstreetmap.org/listinfo/osmf-talk>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/osmf-talk/attachments/20180421/3d98a5f4/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstreetmap.org/pipermail/osmf-talk/attachments/20180421/3d98a5f4/attachment.sig>

More information about the osmf-talk mailing list