osmfoundation / ewg_bidding


Add GDPR project #12

Open AndrewHain opened 8 months ago

simonpoole commented 6 months ago

As there seems to be some doubt as to which issues the EWG should discuss with the LWG, here is an example from the list of affected services wiki page.

Just so that is clear to all, that page is an interpretation of the LWG recommendations by the community, not an LWG document. The main contributors being @woodpeck and @mmd-osm.

That said, for the specific call suggesting to deny access (/changeset/#id) for users that have not agreed to the ToU makes sense as a "reduced" content version of the call would likely only include the id, bounding box, num changes and maybe the times, which is likely not particularly useful and probably more work than it's worth.

fititnt commented 6 months ago

If we (as EWG) can move the discussion to be officially endorsed by LWG first, then it makes sense, even if the final result does not differ too much from the "community draft". Add to this that the LWG white paper from 2018 is not by itself easy to convert to actionable points we would need to make feasible EWG bids without at least another round of feedback.

And, of course, even if LWG and EWG agreed on specific changes, I suspect some might need more time to be implemented. If OSMF already has LWG more ready to give advice and/or prioritize features, any "last minute" problem (which could block a PR implemented based on the specification) could ideally be decided hopefully in 1 to 2 months. So yes, I agree that it is a good idea to wait for a more explicitly approved version from LWG, and also to have them on standby to review if necessary.

PS.: And yes, I like @mmd-osm know about the document, but for 2024, he already has a lot of responsibility inside both EWG and OSMF. Any GDPR-related bid could get more complex, and reduce precious time for you to do other tasks.

simonpoole commented 6 months ago

IMHO it is unreasonable to expect the LWG to review a technical document, definitely not without someone from the EWG or other person knowledgeable of the OSM API walking them through it.

That said, the last time I looked through the list, which is a couple of years back, it seemed to be a good interpretation of the recommendations.

fititnt commented 6 months ago

Okay. Then @simonpoole, what if, from the entire list, we could agree if the proposed changes on the Notes API match the idea of the LWG? ref https://wiki.openstreetmap.org/wiki/GDPR/Affected_Services#Map_Notes_API

Worst case scenario (e.g. still be able to be implemented, but not disrupt API customers), I suspect maybe the code might be delivered and eventually merged, but enforcement disabled by some sort of configuration, without need to rollback the code.

The reason for the Notes API suggestion is merely because another bid is already related to this (https://github.com/osmfoundation/ewg_bidding/pull/13, https://github.com/openstreetmap/openstreetmap-website/pull/4481).

I suspect an initial more focused approach might be easier both to get endorsement from LWG and deliver the implementation.

simonpoole commented 6 months ago

@fititnt the problem is that this is really the wrong way around, changes to the API, website data storage etc. should be vetted from a privacy regulation pov, at least since 2018, before a substantial amount of work has gone into them.

Waits till everybody has stopped laughing.

In the case of notes, for example, adding tags or attributes (is that planned?) would clearly need some consideration as they can hold, as a matter of fact in some cases the whole point would be to do so, personal information (for example the app that was used to create the note or comment).

In the list no access is suggested without login, so adding extra things on is unlikely to have an effect, however I suspect that the motivation for making notes not accessible was again more a question of if it is worth the effort to produce skeleton notes with little to no PI.

simonpoole commented 2 weeks ago

I just noticed that the OSMF is running after its own tail on the subject of accepting the ToS in the last public minutes of the EWG.

It has been pointed out many many many times to the OSMF board that only new sign ups since May 2019, see https://github.com/openstreetmap/openstreetmap-website/pull/2028, have agreed to the ToS and that they need to schedule a date and make an announcement as to when it will be mandatory. Yes that needs a bit of coding, but could be based on what was used for the licence change.