[OSM-talk] GDPR introduction

Simon Poole simon at poole.ch
Tue Apr 17 12:58:47 UTC 2018 


Am 17.04.2018 um 14:14 schrieb Christoph Hormann:
> On Tuesday 17 April 2018, Simon Poole wrote:
>
>> LWG GDPR Position Paper
>> <https://wiki.openstreetmap.org/wiki/File:GDPR_Position_Paper.pdf>
>>
>> Please feel free to discuss on the talk page
>> <https://wiki.openstreetmap.org/wiki/Talk:GDPR> or on this list.
> A number of questions/comments:
>
> * Is there some sort of document outlining the data retention practice 
> for user logins on the OSM website which according to your suggestion 
> would be the basis of granting access to metadata in the future.  
> Obviously some level of retention of such data is permitted (for abuse 
> prevention etc.) but it would be nice to know how long and in what form 
> such data is retained.  This is not directly related to the GDPR but 
> would become increasingly relevant if functionality on the OSM website 
> is more often subject to being logged in.
Currently there is no formal policy on how long the logs for
openstreetmap.org are retained as far as I know, but it is one of the
things that should be documented.
>
> * I am not completely sure about the view of the LWG regarding the 
> question if the geodata itself (that is geometries, tags and IDs of 
> nodes, ways and relations) contains personal data according to the 
> GDPR.  Your recommendations seem to indicate you think it does not but 
> that is not necessarily self-evident.  Note i am not talking about 
> special cases here where mappers add personal data (like names of 
> people living in a house) although they should not, i am talking about 
> normally mapped stuff where you could identify individual mappers from 
> tagging and geometry characteristics and based on timing derived from 
> feature IDs.
We don't have a formal view on the pure geographic data itself, but are
naturally aware that taken to extremes it could be analysed the way you
suggest.
>
> * When you add new 'terms of use' or 'data processing agreement' 
> provisions that people who want to access OSM data with metadata need 
> to agree to does that constitute an amendment of the ODbL and therefore 
> a change in license?  If not would any downstream data user who 
> distributes a derivative database be allowed to add similar terms of 
> use that restrict use of the data to the data they distribute?
As the mail said, the exact details are not nailed down there yet,
however it is likely that we will not want to enter in to an agreement
with such people, but would simply offer to help with their obligations
from Art. 14. It is not as if the GDPR suddenly disappears when we
distribute data on ODbL terms so people processing the full dataset are
going to be subject to it in any case.

>
> * Your position paper does not seem to mention the OAuth service - it 
> seems to me registering an application to use this in the current form 
> would also need to require a special agreement.  In addition it might 
> be a good idea (i think i suggested this already in the past) to 
> provide an anonymous OAuth service - where the application using it 
> gets confirmation that the user is logged in as an registered OSM user 
> but which does not provide any information on this user's identity.
>
Well such an app can only access the data of the user that authorized
its access and even so not anything particularly critical (for example
it currently doesn't have access to the e-mail address), but it is clear
that there is opportunity for harvesting some data there. But in any
case this is more a question of if we want to validate apps in general
that access OSM or not, which in turn would imply blocking non-validated
ones and so on......

Simon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstreetmap.org/pipermail/talk/attachments/20180417/8df69358/attachment.sig>

More information about the talk mailing list