OSM data: Privacy Risks and GDPR compliance
07-09, 15:00–15:20 (UTC), Track 1 - Talks

OSM publishes with its geodata also meta data describing the contribution process and contributor. This talk gives an overview of the actual privacy prospects for OSM consumers, potential privacy risks for OSM contributors, and attempts a preliminary compliance check with respect to the EU’s general data protection regulation (GDPR).

I am a professional data protection expert and a passionate long-term contributor to OSM.

For this talk, I want to combine both worlds and discuss:

  • 0) How OSM already today is beneficial for the privacy of OSM consumers?
  • 1) Which personal data is in the OSM public database (spoiler: behavioural
    data of contributors)?
  • 3) Which potential privacy risks stem from the data for OSM contributors?
  • 4) What are the GDPR compliance issues?
  • 5) What is the outlook? I open the discussion (Q&A) with some ideas to mitigate privacy risks. They involve likely changes to the current data governance, OSM database structure and OSM data itself.

Problems that are already evident that I plan to mention:
1. transparency on the processing of personal data of contributors
2. tracking of contributors, e.g. via
- https://resultmaps.neis-one.org/oooc
- https://overpass-turbo.eu/ with search "user:username"
- https://hdyc.neis-one.org/?username
3. sharing of OSM data with third parties, see https://wiki.osmfoundation.org/wiki/Registered_data_controllers

For the purpose of the discussion, I want to introduce the audience to a few core data protection concepts:
- purpose limitation
- data minimisation
- definition of personal data in the GDPR
- concept of anonymous and pseudonymous data

Talk keywords

contributor privacy, GDPR, privacy


European Data Protection Supervisor

Robert Riemann holds a Bachelor’s and Master’s degree in Physics from the University of Berlin. In 2017, he received the degree of a doctor in computer science from the Ecole Normale Supérieure in Lyon for his research on the subject of distributed communication systems. Since then, he works at the European Data Protection Supervisor (EDPS) in Brussels in the IT Policy unit. He covers mainly web technologies and P2P and follows up on recent technological developments.