[OSM-talk] GDPR introduction
osm at imagico.de
Tue Apr 17 12:14:04 UTC 2018
On Tuesday 17 April 2018, Simon Poole wrote:
> LWG GDPR Position Paper
> Please feel free to discuss on the talk page
> <https://wiki.openstreetmap.org/wiki/Talk:GDPR> or on this list.
A number of questions/comments:
* Is there some sort of document outlining the data retention practice
for user logins on the OSM website which according to your suggestion
would be the basis of granting access to metadata in the future.
Obviously some level of retention of such data is permitted (for abuse
prevention etc.) but it would be nice to know how long and in what form
such data is retained. This is not directly related to the GDPR but
would become increasingly relevant if functionality on the OSM website
is more often subject to being logged in.
* I am not completely sure about the view of the LWG regarding the
question if the geodata itself (that is geometries, tags and IDs of
nodes, ways and relations) contains personal data according to the
GDPR. Your recommendations seem to indicate you think it does not but
that is not necessarily self-evident. Note i am not talking about
special cases here where mappers add personal data (like names of
people living in a house) although they should not, i am talking about
normally mapped stuff where you could identify individual mappers from
tagging and geometry characteristics and based on timing derived from
provisions that people who want to access OSM data with metadata need
to agree to does that constitute an amendment of the ODbL and therefore
a change in license? If not would any downstream data user who
distributes a derivative database be allowed to add similar terms of
use that restrict use of the data to the data they distribute?
* Your position paper does not seem to mention the OAuth service - it
seems to me registering an application to use this in the current form
would also need to require a special agreement. In addition it might
be a good idea (i think i suggested this already in the past) to
provide an anonymous OAuth service - where the application using it
gets confirmation that the user is logged in as an registered OSM user
but which does not provide any information on this user's identity.
More information about the talk