
overpass - Re: [overpass] General Data Protection Regulation (GDPR)

Subject: Overpass API developpement

  • From: Roland Olbricht <>
  • To: , Norbert Renner <>
  • Subject: Re: [overpass] General Data Protection Regulation (GDPR)
  • Date: Tue, 22 May 2018 06:48:27 +0200


> what are the plans for Overpass API regarding GDPR?

First of all and most important: we are in no hurry.

There is a substantial risk to break things. And it is not even clear whether we process personal data at all: Wikimedia has concluded in a quite similar setting that they do not process personal data at all.

I'm currently preparing a document to clarify the situation of Overpass API. Please note that there are substantial differences to the setting of Most account-related data is not present at all. But on the other hand, does not even bring node coordinates and "historic" ways together.

Overpass API never had a feature to track user activity and probably never will have to. One reason for the design decision to work with time slices has been that it is privacy-friendly: you have to know beforehand at what timestamp something interesting happens.

> The recommendation regarding meta data seems to be to limit access to logged-in users. So Achavi would require authentication, but so would any query with 'out meta'?

At the moment, I suggest not to require any authentication at all. The same logic as above applies: you have to know beforehand the changeset id of interest. Traversing all changesets that way is not possible, not even all changesets of a really active user within reasonable time.

The first two steps at the moment are to ensure that minute updates continue to work and to find a practical solution for the clone feature.
Permission management for the database will follow later.

Currently, it doesn't look useful to use OAuth at all. That way, we pile up a new category of personal data, which is precisely the opposite of what the GDPR intended. In addition, there is no clean solution to ensure that people have read the Overpass API privacy declaration, and the framework is for our purpose disproportionately heavyweight.

Best regards,

