Preparing for the GDPR

Modified image. Original by TheDigitalArtist. Licence: CC0

The OSMF board and OSM working groups are preparing for upcoming legal changes regarding data protection rules. The General Data Protection Regulations (GDPR) come into effect in the EU on May 25, 2018. OpenStreetMap Foundation (OSMF), as a legal entity in the EU, is legally required to be compliant with GDPR. The OpenStreetMap License Working Group (LWG) wrote a white paper about GDPR to inform how we should prepare. To that end, we made a GDPR preparedness plan to be implemented over the next months. Many of the required changes are administrative. We want to help you understand what is changing based on how you might use OSM.

Here are some key points to help you learn more:

Do you use OSM to navigate the world?

OpenStreetMap is the free and open map of the world. If you are using OSM to navigate the world, there are no changes. Examples include viewing some form of maps and/or searching points of interest information, and routing instructions.

Do you contribute data to OSM?

Your contributions will not change. However, OSMF will update the Privacy Policy to specifically detail how personal data is collected and processed in accordance with GDPR. Please read that update when it comes out.

In addition, once OSM’s GDPR plan is fully implemented, access to metadata that may contain personal data will be limited. (Access to other data will not be affected. To see which API calls will be affected, please see this page on the wiki). Whether you as a contributor/edit user see changes as a result of these limitations will depend on which editor you use and whether the maintainers of a program you use make any alterations as a result of GDPR. OSMF will strive to help the maintainers of popular editors understand how these changes affect them. Please keep an eye out for further communications.

Are you a Service Provider that uses OSM?

If you are working on a project (e.g. software) that uses the types of OSM metadata most likely to contain personal data (the most prominent being usernames, userids, and changeset ids), you will need to abide by OSMF terms designed to protect personal data in order to have access to that data. These terms will be drafted in accordance with GDPR and will be available for the community to read through. Please keep an eye out for this future post.

You should also be aware that, after May 25, 2018, as someone processing personal data from EU residents, you are subject to the GDPR and will need to adapt accordingly. For example, there are transparency requirements as outlined in Art. 14 (https://gdpr-info.eu/art-14-gdpr/). OSMF and the LWG are working on templates to assist in streamlining compliance, but ultimately, you are responsible for GDPR compliance in any processing you do of personal data.

Does your project use OSM metadata?

Projects using metadata will be most impacted. If you are working on a project (e.g. software) that uses OSM metadata (e.g. quality assurance and data validation) this will be subject to the GDPR and will need to be adapted accordingly. Such projects will need to provide the information as outlined in Art. 14 to all OSM contributors and implement their own privacy policies and mechanisms.

What is GDPR?

There are many resources available to learn more about GDPR. Your data use and your data protection are the two key points to remember. The GDPR (EU) regulations can be read in full here. The OSM License Working Group’s GDPR White paper can be reviewed here. Additionally other organisations have created this clear diagram explanation and a checklist.

Is this compatible with ODbL?

Yes. ODbL concerns copyright and database rights. It explicitly disclaims trademark and patent on the IP side (which is why we have a separate trademark policy) or other national laws. It also specifically says “The right to release the Database under different terms, or to stop distributing or making available the Database, is reserved.” Similarly, the Contributor Terms specifically concern IP rights and the license used for them, but do not mention anything else like privacy law.

Find the Implementation plan

The following page will be used to track changes and provide updates. The OSMF board will also coordinate with the Licensing Working Group for further details in the coming weeks:

https://wiki.openstreetmap.org/wiki/GDPR

Questions

The OSMF Board and the various OSM working groups are available to answer key questions.

This post is also available in: Japanese Croatian