[OSM-talk] GDPR introduction

Christoph Hormann osm at imagico.de
Tue Apr 17 12:14:04 UTC 2018

On Tuesday 17 April 2018, Simon Poole wrote:

> LWG GDPR Position Paper
> <https://wiki.openstreetmap.org/wiki/File:GDPR_Position_Paper.pdf>
> Please feel free to discuss on the talk page
> <https://wiki.openstreetmap.org/wiki/Talk:GDPR> or on this list.

A number of questions/comments:

* Is there some sort of document outlining the data retention practice 
for user logins on the OSM website, which according to your suggestion 
would be the basis of granting access to metadata in the future?  
Obviously some level of retention of such data is permitted (for abuse 
prevention etc.) but it would be nice to know how long and in what form 
such data is retained.  This is not directly related to the GDPR but 
would become increasingly relevant if functionality on the OSM website 
is more often subject to being logged in.

* I am not completely sure about the view of the LWG regarding the 
question if the geodata itself (that is geometries, tags and IDs of 
nodes, ways and relations) contains personal data according to the 
GDPR.  Your recommendations seem to indicate you think it does not but 
that is not necessarily self-evident.  Note I am not talking about 
special cases here where mappers add personal data (like names of 
people living in a house) although they should not, I am talking about 
normally mapped stuff where you could identify individual mappers from 
tagging and geometry characteristics and based on timing derived from 
feature IDs.

* When you add new 'terms of use' or 'data processing agreement' 
provisions that people who want to access OSM data with metadata need 
to agree to, does that constitute an amendment of the ODbL and therefore 
a change in license?  If not, would any downstream data user who 
distributes a derivative database be allowed to add similar terms of 
use that restrict use of the data to the data they distribute?

* Your position paper does not seem to mention the OAuth service - it 
seems to me registering an application to use this in the current form 
would also need to require a special agreement.  In addition it might 
be a good idea (I think I suggested this already in the past) to 
provide an anonymous OAuth service - where the application using it 
gets confirmation that the user is logged in as a registered OSM user 
but which does not provide any information on this user's identity.

Christoph Hormann
