[Osmf-talk] GDPR introduction

Kathleen Lu kathleen.lu at mapbox.com
Thu May 17 19:53:04 UTC 2018

The "in consideration of my participation in any project" wording makes me
think that they will try to rely on a "necessary for the performance of a
contract between the data subject and the controller" basis, rather than a
consent basis.

On Thu, May 17, 2018 at 8:08 AM Simon Poole <simon at poole.ch> wrote:

> Nice, except that it is at odds with the GDPR (if you ask for consent you
> can't stop people from withdrawing it).
> Am 17. Mai 2018 03:20:29 MESZ schrieb Andrew Harvey <
> andrew.harvey4 at gmail.com>:
>> It looks like GitLab is dealing with this with a waiver which you are
>> required to agree to to log into your account. Adapted for OSM it reads:
>> As part of my voluntary contribution to OpenStreetMap, I acknowledge and
>> agree that my username and any geographic data I edit will become embedded
>> and part of the OpenStreetMap data, which may be publicly available. I
>> understand the removal of this information would be impermissibly
>> destructive to the project and the interests of all those who contribute,
>> utilize, and benefit from it. Therefore, in consideration of my
>> participation in any project, I hereby waive any right to request any
>> erasure, removal, or rectification of this information under any applicable
>> privacy or other law and acknowledge and understand that providing this
>> information is a requirement under the agreement to contribute to
>> OpenStreetMap.
>> I don't know how they plan to deal with users who choose not to agree,
>> but at least it shows how other organisations are dealing with this.
>> On 21 April 2018 at 18:14, Simon Poole <simon at poole.ch> wrote:
>>> This is going off a bit on a tangent, to restate: we are -not- proposing
>>> to go back to every contributor and get explicit consent from them.
>>> Besides the already mentioned issues in actually reaching out to them,
>>> it wouldn't solve anything, as lawful processing based on consent by the
>>> data subjects is the rabbit hole of problems that we are trying to avoid.
>>> What we will likely do is get everybody using the website and the API to
>>> re-read a revised privacy policy and agree to ToU that point out the
>>> obligations from the GDPR.
>>> Simon
>>> Am 21.04.2018 um 06:28 schrieb Andrew Harvey:
>>> The OSMF mission statement includes "protecting the OSM database, and
>>> making it available to all". Usernames and timestamps of edits are an
>>> important part of the OSM database, ensuring OSM is truly is an open and
>>> transparent about the edits that have taken place and when and where these
>>> came from. I feel it's the OSMF's role to do everything possible to
>>> continue to make the OSM database available to all and not redact part of
>>> that database from the public feeds/dumps.
>>> > Second, I don't have the exact stats, but I believe with the license
>>> change some 30% of mappers could not be reached. That is a *lot* of
>>> metadata that would be affected. My view is that it is important for OSM to
>>> maintain this metadata so that it can be referenced by DWG in future
>>> investigations, even if the metadata is treated confidentially.
>>> Additionally, sending out all those emails and tracking check-ins is
>>> logistically quite difficult. Given OSM's purposes, which really are in the
>>> public interest, I think a legitimate interests basis is on balance a
>>> better fit.
>>> Even if we won't get 100% of historical edits to accept new terms, at
>>> least we can ensure a significant proportion of historical and all future
>>> edits agree to new terms. Again, this is only worst case scenario if we
>>> need new terms to publish usernames and timestamps of historical edits.
>>> I do wonder what other orgs are doing. OSM seems no different to
>>> different to Wikimedia where the time and username or IP of your edits are
>>> made public, or Twitter where if you choose to post a geotagged tweet, your
>>> location, username and timestamp are made public.
>>> On 21 April 2018 at 14:12, Heather Leson <heatherleson at gmail.com> wrote:
>>>> Hi folks that for this conversation.
>>>> To some of Rob's questions:
>>>> Yes, let's create an exec summary and an faq wiki page to help the
>>>> clarity.
>>>> In addition to Kathleen's input, Simon and I also got probono review
>>>> from the Brussels Privacy Hub and a lawyer from Cisco.
>>>> Heather
>>>> On Sat, 21 Apr 2018, 02:13 Rob Nickerson, <rob.j.nickerson at gmail.com>
>>>> wrote:
>>>>> Thanks Simon. Lots of work has obviously gone in to this so a big
>>>>> thank you (and the LWG) for your time.
>>>>> Three questions/comments:
>>>>>    1. It's quite a long document so would benefit from a Exec Summary
>>>>>    if time permits.
>>>>>    2. I'm interested in who you have engaged with as we are clearly
>>>>>    not the only company affected. In addition to the "professional
>>>>>    counsel" have we reached out to similar groups to the OSMF - for
>>>>>    example WikiMedia and maybe the Open Data Institute?
>>>>>    3. I understand that GDPR does not stop companies from
>>>>>    using/processing data (business as usual activities) internally and it does
>>>>>    not stop them sharing it with a third party under standard business
>>>>>    contracting. Rather it is setting the rules of the game - or more precisely
>>>>>    creating a common standard across the EU (the UK has had a Data Protection
>>>>>    Act for many years now). As such OSMF can continue to use/process the full
>>>>>    dataset, but as we know OSMF company is small with no full time employees.
>>>>>    Their hands off approach to date has allowed for an ecosystem to grow
>>>>>    around OSM. In the new GDPR world, OSMF will be forced to make more
>>>>>    decisions as to which parties can be handed the full dataset
>>>>>    ("processors"/"third parties" in GDPR speak if I have understood it
>>>>>    correctly). Do we know how OSMF intend to manage this? Will OSMF now be in
>>>>>    a position where it has to formally commission/contract out research
>>>>>    projects if we want to analyse user stats to better understand our member
>>>>>    diversity (as an example)?
>>>>> That last question is probably one for the OSMF Board and is a
>>>>> reflection that their hand's off style may have to change in light of GDPR
>>>>> - unless of course they decide that nobody should get the complete data.
>>>>> Thank you,
>>>>> *Rob*
>>>>> On 17 April 2018 at 11:48, Simon Poole <simon at poole.ch> wrote:
>>>>>> On the 25th of May 2018 the *General Data Protection Regulation
>>>>>> (GDPR) <https://en.wikipedia.org/wiki/General_Data_Protection_Regulation>*
>>>>>> will enter in to force, this will likely result in some changes in how
>>>>>> OpenStreetMap operates and distributes its data.
>>>>>> The LWG has prepared a position paper on the matter that has been
>>>>>> reviewed by data protection experts and in general the approach to not rely
>>>>>> on explicit consent has been validated. It should be noted that while the
>>>>>> paper outlines our approach, some of the details still need to be
>>>>>> determined. In particular the future relationship with community and third
>>>>>> party data consumers that utilize OSM meta-data and what will actually be
>>>>>> dropped/made less accessible of the data listed in Appendix B.
>>>>>> LWG GDPR Position Paper
>>>>>> <https://wiki.openstreetmap.org/wiki/File:GDPR_Position_Paper.pdf>
>>>>>> Please feel free to discuss on the talk page
>>>>>> <https://wiki.openstreetmap.org/wiki/Talk:GDPR> or on this list.
>>>>>> Simon
>>>>>> _______________________________________________
>>>>>> osmf-talk mailing list
>>>>>> osmf-talk at openstreetmap.org
>>>>>> https://lists.openstreetmap.org/listinfo/osmf-talk
>>>>> _______________________________________________
>>>>> osmf-talk mailing list
>>>>> osmf-talk at openstreetmap.org
>>>>> https://lists.openstreetmap.org/listinfo/osmf-talk
>>>> _______________________________________________
>>>> osmf-talk mailing list
>>>> osmf-talk at openstreetmap.org
>>>> https://lists.openstreetmap.org/listinfo/osmf-talk
>>> _______________________________________________
>>> osmf-talk mailing listosmf-talk at openstreetmap.orghttps://lists.openstreetmap.org/listinfo/osmf-talk
>>> _______________________________________________
>>> osmf-talk mailing list
>>> osmf-talk at openstreetmap.org
>>> https://lists.openstreetmap.org/listinfo/osmf-talk
> --
> Diese Nachricht wurde von meinem Android-Mobiltelefon mit Kaiten Mail
> gesendet.
> _______________________________________________
> osmf-talk mailing list
> osmf-talk at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/osmf-talk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/osmf-talk/attachments/20180517/92622720/attachment.html>

More information about the osmf-talk mailing list