Along with its geodata, OSM publishes metadata describing the contribution process and the contributor. This talk gives an overview of the actual privacy prospects for OSM consumers and the potential privacy risks for OSM contributors, and attempts a preliminary compliance check with respect to the EU’s General Data Protection Regulation (GDPR).
I am a professional data protection expert and a passionate long-term contributor to OSM.
For this talk, I want to combine both worlds and discuss:
* 0) How is OSM already beneficial today for the privacy of OSM consumers?
* 1) Which personal data is in the OSM public database (spoiler: behavioural data of contributors)?
* 3) Which potential privacy risks stem from the data for OSM contributors?
* 4) What are the GDPR compliance issues?
* 5) What is the outlook? I will open the discussion (Q&A) with some ideas to mitigate privacy risks. They are likely to involve changes to the current data governance, the OSM database structure and the OSM data itself.
Problems that are already evident and that I plan to mention:
1. transparency on the processing of personal data of contributors
2. tracking of contributors, e.g. via
   - [https://resultmaps.neis-one.org/oooc](https://resultmaps.neis-one.org/oooc)
   - [https://overpass-turbo.eu/](https://overpass-turbo.eu/) with search "user:username"
   - [https://hdyc.neis-one.org/?username](https://hdyc.neis-one.org/?username)
3. sharing of OSM data with third parties, see [https://wiki.osmfoundation.org/wiki/Registered_data_controllers](https://wiki.osmfoundation.org/wiki/Registered_data_controllers)
For the purpose of the discussion, I want to introduce the audience to a few core data protection concepts:
- purpose limitation
- data minimisation
- definition of personal data in the GDPR
- concept of anonymous and pseudonymous data