[Osmf-talk] GDPR introduction

[Andrew Harvey]

It looks like GitLab is dealing with this with a waiver which you are
required to agree to to log into your account. Adapted for OSM it reads:

As part of my voluntary contribution to OpenStreetMap, I acknowledge and
agree that my username and any geographic data I edit will become embedded
and part of the OpenStreetMap data, which may be publicly available. I
understand the removal of this information would be impermissibly
destructive to the project and the interests of all those who contribute,
utilize, and benefit from it. Therefore, in consideration of my
participation in any project, I hereby waive any right to request any
erasure, removal, or rectification of this information under any applicable
privacy or other law and acknowledge and understand that providing this
information is a requirement under the agreement to contribute to
OpenStreetMap.

I don't know how they plan to deal with users who choose not to agree, but
at least it shows how other organisations are dealing with this.

On 21 April 2018 at 18:14, Simon Poole <simon at poole.ch> wrote:

> This is going off a bit on a tangent, to restate: we are -not- proposing
> to go back to every contributor and get explicit consent from them.
>
> Besides the already mentioned issues in actually reaching out to them, it
> wouldn't solve anything, as lawful processing based on consent by the data
> subjects is the rabbit hole of problems that we are trying to avoid.
>
> What we will likely do is get everybody using the website and the API to
> re-read a revised privacy policy and agree to ToU that point out the
> obligations from the GDPR.
>
> Simon
>
> Am 21.04.2018 um 06:28 schrieb Andrew Harvey:
>
> The OSMF mission statement includes "protecting the OSM database, and
> making it available to all". Usernames and timestamps of edits are an
> important part of the OSM database, ensuring OSM is truly is an open and
> transparent about the edits that have taken place and when and where these
> came from. I feel it's the OSMF's role to do everything possible to
> continue to make the OSM database available to all and not redact part of
> that database from the public feeds/dumps.
>
> > Second, I don't have the exact stats, but I believe with the license
> change some 30% of mappers could not be reached. That is a *lot* of
> metadata that would be affected. My view is that it is important for OSM to
> maintain this metadata so that it can be referenced by DWG in future
> investigations, even if the metadata is treated confidentially.
> Additionally, sending out all those emails and tracking check-ins is
> logistically quite difficult. Given OSM's purposes, which really are in the
> public interest, I think a legitimate interests basis is on balance a
> better fit.
>
> Even if we won't get 100% of historical edits to accept new terms, at
> least we can ensure a significant proportion of historical and all future
> edits agree to new terms. Again, this is only worst case scenario if we
> need new terms to publish usernames and timestamps of historical edits.
>
> I do wonder what other orgs are doing. OSM seems no different to different
> to Wikimedia where the time and username or IP of your edits are made
> public, or Twitter where if you choose to post a geotagged tweet, your
> location, username and timestamp are made public.
>
>
>
> On 21 April 2018 at 14:12, Heather Leson <heatherleson at gmail.com> wrote:
>
>> Hi folks that for this conversation.
>>
>> To some of Rob's questions:
>>
>> Yes, let's create an exec summary and an faq wiki page to help the
>> clarity.
>>
>> In addition to Kathleen's input, Simon and I also got probono review from
>> the Brussels Privacy Hub and a lawyer from Cisco.
>>
>> Heather
>>
>> On Sat, 21 Apr 2018, 02:13 Rob Nickerson, <rob.j.nickerson at gmail.com>
>> wrote:
>>
>>> Thanks Simon. Lots of work has obviously gone in to this so a big thank
>>> you (and the LWG) for your time.
>>>
>>> Three questions/comments:
>>>
>>>    1. It's quite a long document so would benefit from a Exec Summary
>>>    if time permits.
>>>    2. I'm interested in who you have engaged with as we are clearly not
>>>    the only company affected. In addition to the "professional counsel"
>>>    have we reached out to similar groups to the OSMF - for example WikiMedia
>>>    and maybe the Open Data Institute?
>>>    3. I understand that GDPR does not stop companies from
>>>    using/processing data (business as usual activities) internally and it does
>>>    not stop them sharing it with a third party under standard business
>>>    contracting. Rather it is setting the rules of the game - or more precisely
>>>    creating a common standard across the EU (the UK has had a Data Protection
>>>    Act for many years now). As such OSMF can continue to use/process the full
>>>    dataset, but as we know OSMF company is small with no full time employees.
>>>    Their hands off approach to date has allowed for an ecosystem to grow
>>>    around OSM. In the new GDPR world, OSMF will be forced to make more
>>>    decisions as to which parties can be handed the full dataset
>>>    ("processors"/"third parties" in GDPR speak if I have understood it
>>>    correctly). Do we know how OSMF intend to manage this? Will OSMF now be in
>>>    a position where it has to formally commission/contract out research
>>>    projects if we want to analyse user stats to better understand our member
>>>    diversity (as an example)?
>>>
>>> That last question is probably one for the OSMF Board and is a
>>> reflection that their hand's off style may have to change in light of GDPR
>>> - unless of course they decide that nobody should get the complete data.
>>> Thank you,
>>>
>>> *Rob*
>>>
>>> On 17 April 2018 at 11:48, Simon Poole <simon at poole.ch> wrote:
>>>
>>>> On the 25th of May 2018 the *General Data Protection Regulation (GDPR)
>>>> <https://en.wikipedia.org/wiki/General_Data_Protection_Regulation>*
>>>> will enter in to force, this will likely result in some changes in how
>>>> OpenStreetMap operates and distributes its data.
>>>>
>>>> The LWG has prepared a position paper on the matter that has been
>>>> reviewed by data protection experts and in general the approach to not rely
>>>> on explicit consent has been validated. It should be noted that while the
>>>> paper outlines our approach, some of the details still need to be
>>>> determined. In particular the future relationship with community and third
>>>> party data consumers that utilize OSM meta-data and what will actually be
>>>> dropped/made less accessible of the data listed in Appendix B.
>>>>
>>>> LWG GDPR Position Paper
>>>> <https://wiki.openstreetmap.org/wiki/File:GDPR_Position_Paper.pdf>
>>>>
>>>> Please feel free to discuss on the talk page
>>>> <https://wiki.openstreetmap.org/wiki/Talk:GDPR> or on this list.
>>>>
>>>> Simon
>>>>
>>>> _______________________________________________
>>>> osmf-talk mailing list
>>>> osmf-talk at openstreetmap.org
>>>> https://lists.openstreetmap.org/listinfo/osmf-talk
>>>>
>>>>
>>> _______________________________________________
>>> osmf-talk mailing list
>>> osmf-talk at openstreetmap.org
>>> https://lists.openstreetmap.org/listinfo/osmf-talk
>>>
>>
>> _______________________________________________
>> osmf-talk mailing list
>> osmf-talk at openstreetmap.org
>> https://lists.openstreetmap.org/listinfo/osmf-talk
>>
>>
>
>
> _______________________________________________
> osmf-talk mailing listosmf-talk at openstreetmap.orghttps://lists.openstreetmap.org/listinfo/osmf-talk
>
>
>
> _______________________________________________
> osmf-talk mailing list
> osmf-talk at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/osmf-talk
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/osmf-talk/attachments/20180517/8c93772c/attachment.html>