Four years ago, on May the 25th 2018, the then-new EU-wide General Data Protection Regulation (GDPR) went into force. It is therefore quite fitting that, nearly to the day 4 years later, the OSMF has given up any pretense of ever fulfilling the legal requirements arising from the regulation and, perhaps more important, undertaking the ethically and morally indicated steps to protect the privacy of our contributors.
It isn’t as if the OSMF was caught by surprise in May 2018. The topic was by far the best researched, documented and planned change in its history. And it isn’t as if the quality of the work or the conclusions were in doubt: completely independent and unaware of what had been prepared by the LWG three years earlier, at last year’s SOTM there was a talk by Robert Riemann that came essentially to the same conclusions.
But, four years later, with the sole exception of new users having to accept the OSMF terms of service on sign up (added by yours truly), none of the required changes to the APIs and data access have even been started on OSMF properties.
To make the situation worse, OSM isn’t simply static: new services, third-party and OSMF-operated, are being added, existing operations are changed, and rarely are the data protection impacts and consequences considered.
Ironically, some organizations in OSM-space, for example Geofabrik, OSMcha and Pascal Neis’s HDYC, have taken required steps that the OSMF has not.
Why have we ended up in this place, fraught with legal and financial danger? On the one hand, there are no brownie points to be won by championing the changes to the OSM website, the API and data distribution. Since Frederik left the board, no director has been willing to show any support for the matter.
On the other hand, the technical community is full of data protection flat-earthers. Some just believe that data privacy isn’t and shouldn’t be a thing, others believe that OSM has a get-out-of-jail-free card in such matters. As a consequence, there is both passive resistance to making the changes and at the same time no volunteer developers who are going to code them.
All things considered, I don’t believe that, without making the matter a priority of the board and tasking an outside organisation, any progress is going to be made. But I’m not holding my breath for anything to happen without the police banging on the door.
GDPR on the wiki has links to more material.