On 20.06.2018 at 07:58, Jochen Topf wrote:
> [ a lot of stuff that is (technically) reasonably easy deleted ]
>
> On Tue, Jun 19, 2018 at 10:54:07PM +0200, Frederik Ramm wrote:
>> 3a. issue guidelines about what you are allowed to do with the user data
>> files,
>> 3b. ensure that everyone who has an OSM account agrees to these
>> guidelines one way or the other,
> This is the part that's not easy and where there is a lot of important
> detail missing. You have to get everybody to agree, which is not going
> to happen. So you have to add some flag to the database telling the
> system whether you are allowed to download or not. You probably have to
> change rules in the future so you have to make this generic, keeping
> information about who clicked through which version of the rules. So you
> are generating more information you are tracking with each user, more
> personal information for which you need consent from the user.

A) we are not asking for consent, B) yes, we will need an extra flag for ToU acceptance.

But in any case, up to here this is a fairly accurate description of what the intent is.

> All of
> this needs to be tied in the OAuth stuff and it has to be done in a way
> that 3rd party services using OSM data can ask *their* downstream users
> to identify in the same way which allows OSM to track everybody who uses
> the full OSM data everywhere adding more personal data to keep and to
> explain to users and get permissions from users for.

Nope:

- anybody using OSM data without the user data is not going to be affected at all and they don't need to change anything (I've seen indications that this could be more than 99% of all users downloading OSM data)

- as has been outlined before, 3rd parties using OSM data with user data will be acting as independent data controllers and will not be processing data on behalf of the OSMF (which would require a DPA and all the associated complications). They will have to make their own determinations on how to deal with the situation. We will provide some support to such entities to help them fulfil their legal obligations (for example a list of deleted users), but that's it. Naturally the GDPR applies to such entities completely regardless of what we say, since the GDPR just happens to be the law.

There are still some open questions on exactly what needs to be done, in particular wrt transfers of data to countries where the EU hasn't made an equivalence determination, but we are slowly firming that up.

Simon

> Please stop this nonsense now!
>
> Jochen
_______________________________________________
dev mailing list
[email protected]
https://lists.openstreetmap.org/listinfo/dev

