[OSM-talk] HDYC, login requirement and "privacy"

Martin Koppenhoefer dieterdreist at gmail.com
Fri May 5 09:38:23 UTC 2017


Again on the term "personal data". According to the General Data Protection
Regulation (GDPR) (Regulation (EU) 2016/679) [1], pseudonymized data is not
concerned, unless it would be possible to attribute it to a natural person:

___
(26) "The principles of data protection should apply to any information
concerning an identified or identifiable natural person. Personal data
which have undergone pseudonymisation, which could be attributed to a
natural person by the use of additional information should be considered to
be information on an identifiable natural person. To determine whether a
natural person is identifiable, account should be taken of all the means
reasonably likely to be used, such as singling out, either by the
controller or by another person to identify the natural person directly or
indirectly. To ascertain whether means are reasonably likely to be used to
identify the natural person, account should be taken of all objective
factors, such as the costs of and the amount of time required for
identification, taking into consideration the available technology at the
time of the processing and technological developments. The principles of
data protection should therefore not apply to anonymous information, namely
information which does not relate to an identified or identifiable natural
person or to personal data rendered anonymous in such a manner that the
data subject is not or no longer identifiable. This Regulation does not
therefore concern the processing of such anonymous information, including
for statistical or research purposes."
___

Usually in statistics, information down to the block level is not
considered personal information. You won't be able from OSM edits to say
in which house someone lives, or who she is, so it doesn't seem to apply.
The part "Personal data ... which could be attributed to a natural person
by the use of additional information should be considered to be information
on an identifiable natural person. To determine whether a natural person is
identifiable, account should be taken of all the means reasonably likely to
be used, such as singling out, either by the controller or by another
person to identify the natural person directly or indirectly." leaves some
risk, but is essentially stupid, because with any kind and amount of
additional personal data you will hypothetically always be able to get to a
person, and costs and amount of time are always negligible in the times of
electronic data processing, and given the rapid technological development.
So as pseudonymization is suggested in the directive to be applied, it
likely does restrict implicitly this paragraph to reasonably expectable and
not every hypothetical case. To get from OSM edits to a natural person you
will need so much information about this person that you won't gain more
insights from looking at their edits.

Also, I am not sure whether this applies at all to OSMF, because OSMF never
collects personal data, it only collects an email address and doesn't
verify to whom it belongs and never publishes it, so probably there is no
"personal data which have undergone pseudonymisation", rather there wasn't
any personal data at any time.

At the moment we can't know what kind of data protection rules will govern
OSMF in the future, given that EU rules will not automatically apply any
more, soon, if Brexit is not stopped (nonetheless, local chapters might be
an issue here).


____________________
Btw: I think we should require our contributors to confirm to be adults (or
get explicit permission from their parents?), because children aren't able
to legally sign the CT, and their data is particularly protected. Current
CTs don't seem to account for this (or I haven't seen it).
____________________

Cheers,
Martin



[1] http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679