On Tuesday 17 April 2018, Simon Poole wrote:
>
> LWG GDPR Position Paper
> <https://wiki.openstreetmap.org/wiki/File:GDPR_Position_Paper.pdf>
>
> Please feel free to discuss on the talk page
> <https://wiki.openstreetmap.org/wiki/Talk:GDPR> or on this list.

A number of questions/comments:

* Is there some sort of document outlining the data retention practice for user logins on the OSM website which according to your suggestion would be the basis of granting access to metadata in the future? Obviously some level of retention of such data is permitted (for abuse prevention etc.) but it would be nice to know how long and in what form such data is retained. This is not directly related to the GDPR but would become increasingly relevant if functionality on the OSM website is more often subject to being logged in.

* I am not completely sure about the view of the LWG regarding the question if the geodata itself (that is geometries, tags and IDs of nodes, ways and relations) contains personal data according to the GDPR. Your recommendations seem to indicate you think it does not but that is not necessarily self-evident. Note I am not talking about special cases here where mappers add personal data (like names of people living in a house) although they should not, I am talking about normally mapped stuff where you could identify individual mappers from tagging and geometry characteristics and based on timing derived from feature IDs.

* When you add new 'terms of use' or 'data processing agreement' provisions that people who want to access OSM data with metadata need to agree to, does that constitute an amendment of the ODbL and therefore a change in license? If not, would any downstream data user who distributes a derivative database be allowed to add similar terms of use that restrict use of the data to the data they distribute?

* Your position paper does not seem to mention the OAuth service - it seems to me registering an application to use this in the current form would also need to require a special agreement.
In addition it might be a good idea (I think I suggested this already in the past) to provide an anonymous OAuth service - where the application using it gets confirmation that the user is logged in as a registered OSM user but which does not provide any information on this user's identity.

-- 
Christoph Hormann
http://www.imagico.de/