Personal Information and GDPR

Yes, I was being sarcastic because removing PI from both the unrestricted accessible planet dumps and diffs has been a clear legal requirement since 2018. OSM has just chosen to ignore that till someone files a complaint, but I’m sure that when that happens the absolute no-brainer of a change will happen within days.

Which btw will shaft all the data consumers using diffs at that point instead of affording them time to migrate in an orderly fashion.

Anyway once that is in place you could for example run osmcha (or something similar) on the diffs with PI and take appropriate action on the ‘public’ diffs. Obviously you could do more elaborate checks if you instantiated the changed geometries, but I suspect that just checking node position changes (that requires retrieving the original position) would catch a lot of additional issues.

1 Like

Serious question, what is considered PI in an OSM context? Aren’t usernames essentially anonymous identifiers (unless the users choose to otherwise identify themselves in user profiles and so forth)? Does the fact that PurpleFlyingMonkey123 mapped a manhole cover on a certain date/time cause a PI concern?

Better than me paraphrasing, here’s the relevant definition: Art. 4 GDPR - Definitions - GDPR.eu

The important bit is that it is related to a specific natural person that is directly or indirectly identifiable. The requirement is -not- that the person has already been identified or even that the controller has further information that would allow that.

Kathleen gave a talk on the work we did in the lead up to 2018: https://2018.stateofthemap.org/slides/W016-The_LWG_Presents__GDPR_Implementation_for_OSM.pdf

Here’s our paper on the subject: https://wiki.openstreetmap.org/w/images/8/88/GDPR_Position_Paper.pdf

But perhaps better, there was a talk by Robert Riemann, who works for the EU Data Protection Supervisor, at SOTM 2021, who was not aware of the work we had previously done: OSM data: Privacy Risks and GDPR compliance - State of the Map 2021

In other words, at the latest after that talk, the standard and popular take on the matter, that it was just a couple of LWG members hallucinating, should have been put to rest.

3 Likes

Better than me paraphrasing, here’s the relevant definition: Art. 4 GDPR - Definitions - GDPR.eu

The important bit is that it is related to a specific natural person that is directly or indirectly identifiable. The requirement is -not- that the person has already been identified or even that the controller has further information that would allow that.

The answer could be consent.

Maybe it is also relevant that we encourage users to use multiple usernames for improving their privacy? There is no 1:1 relationship between pseudonyms and natural persons.

There is also Art. 6:
https://gdpr-info.eu/art-6-gdpr/

Processing shall be lawful only if and to the extent that at least one of the following applies:
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Clearly the usernames are necessary for the performance of a task, running OpenStreetMap, carried out in the public interest.

NO, it can’t be. Could you for once stop trying to second-guess people that actually know what they are doing?

For the people not around at the time, here’s the announcement of the paper and the changes that then “didn’t happen”: [OSM-talk] GDPR introduction. Overall we consulted with three different and independent sets of lawyers, not counting those in the LWG and informal contacts.

Basing our privacy policy on consent (for the geodata related part of our process) was rejected early on as it would have had massive consequences on how OSM operates. If you so want, what we proposed at the time was “GDPR compliance lite” with a minimal impact.

Whilst the discussion about PII in diffs from osm.org etc. is one that is absolutely worth having, this thread probably isn’t the place for it…

Edit: Thanks to the mods for moving this fork of the previous thread here.

There certainly is some legitimate interest in storing PI but no idea how much of that can be legitimately shared with third parties. The less the better I suppose.

I believe there could be a conflict, some people might be hesitant to contribute because they would reveal some information about themselves, e.g. areas where they have been to, and others might be interested in having their contributions attributed to themselves and maintaining reputation in the project. I don’t think everybody wants to be anonymous, but I can imagine some do.

It seems the possibility of explicit consent is also stated in the document you linked on page 5:

In summary we currently lack both the explicit consent and contractual obligations to process the personal data lawfully in all of the current ways we do so. The Contributor Terms and Privacy Policy could be updated to explicitly describe and require affirmative consent to all data processing

The other point, on page 3 in the position paper, the clauses identified as relevant for OSM in art. 6, skip over e) (“carried out in the public interest”). Is it clear that this doesn’t apply to OSM?

Small correction to the LWG paper, there is a typo on page 9, last paragraph the reference should be to Art 6(1)f and not Art 5(1)f, the text quote is correct though.

Process personal data lawfully | European Data Protection Board. In other words, doesn’t apply.

While obviously at the time, 6 years ago, a lot of things were not so clear (because the law hadn’t actually gone into force yet and no rulings based on it had occurred), I don’t think that the general take on how it applies to OSM has changed.