OSM data: Privacy Risks and GDPR compliance

Room: Track 1 - Talks

Friday, 15:00 UTC
Duration: 20 minutes (plus Q&A)

video on media.ccc.de
video on YouTube
video on YouTube (Russian (русский) translation)

• Robert Riemann

I am a professional data protection expert and a passionate long-term contributor to OSM.

For this talk, I want to combine both worlds and discuss:

• 0) How OSM already today is beneficial for the privacy of OSM consumers?
• 1) Which personal data is in the OSM public database (spoiler: behavioural data of contributors)?
• 3) Which potential privacy risks stem from the data for OSM contributors?
• 4) What are the GDPR compliance issues?
• 5) What is the outlook? I open the discussion (Q&A) with some ideas to mitigate privacy risks. They involve likely changes to the current data governance, OSM database structure and OSM data itself.

Problems that are already evident that I plan to mention:

1. transparency on the processing of personal data of contributors
2. tracking of contributors, e.g. via
   • https://resultmaps.neis-one.org/oooc
   • https://overpass-turbo.eu/ with search "user:username"
   • https://hdyc.neis-one.org/?username
3. sharing of OSM data with third parties, see https://wiki.osmfoundation.org/wiki/Registered_data_controllers

For the purpose of the discussion, I want to introduce the audience to a few core data protection concepts:

• purpose limitation
• data minimisation
• definition of personal data in the GDPR
• concept of anonymous and pseudonymous data