In its publicly available form, OpenStreetMap cannot be used in a data-protection-compliant way unless you install your own server. But there is a solution that is absolutely data-protection compliant.
Live Demo
Here you see a data protection compliant interactive map for displaying a location, without any consent and without any data protection problems.
Further down you'll learn how it works and what features the solution has. Up front: it's free for commercial use. If you want to see directly how the solution works:
Introduction
The use of Google tools such as Google Maps is fraught with great legal uncertainties. Since Google Maps also uses technically unnecessary cookies and triggers various loading processes, the Google map product can only be used with consent. Update: As a commenter correctly pointed out, the Google Maps JavaScript API can be used to display the map without cookies. I therefore extend my argument: in my view, the data transfer to Google is not permitted without consent. I have investigated this elsewhere: Google states that it uses user data collected through any Google service (including a map plugin) for its own purposes. Furthermore, Google Maps loads Google Fonts, which I also consider to require consent. The Privacy Shield issue could also be cited here.
In my opinion, the best and best-known free alternative is OpenStreetMap (OSM). Unfortunately, OpenStreetMap as delivered cannot be used in a data-protection-compliant way.
I will describe these and further possibilities of using OSM and their advantages and disadvantages in the following. Then I will show a solution that is absolutely data protection compliant.
Benefits of maps on websites
Before deciding whether to put a map on a website or keep the current one, one should be clear about what benefit such a map would bring. Here's my opinion:
- Displaying a location: Better with own image material or images from city marketing.
- Route planner: For this no interactive map needs to be embedded, but a function to call a route planner must be available.
- Displaying multiple locations: Could one realize this with a personal map (image with locations)? An interactive map is often not very useful.
- Google's database: This could be used for the previously mentioned function. Advantage: Simple. Disadvantage: Operating the map in a data-protection-compliant manner is hardly possible. If there are not too many locations, they can easily be drawn on a map.
In my opinion and experience, only a few application cases remain that would justify the use of an interactive map. Such a map also has disadvantages:
- On small screens like smartphones, users often accidentally scroll over the map instead of the website and may get stuck on the map
- On large screens, maps are often displayed poorly, even though the entire screen has enough space
- Often maps show an unfavorable bird's-eye view. The actual location can only be guessed at, the immediate surroundings not visible at all
Possibilities of use
The most obvious way of using OSM unfortunately is not data protection compliant. Why this is so and what other types of use there are for OpenStreetMap maps will be shown in the following list.
Use OpenStreetMap directly
The OpenStreetMap maps are offered on the website https://www.openstreetmap.org/. To display a map, this website too has to be integrated using suitable JavaScript code. The German-language website openstreetmap.de also refers to openstreetmap.org, as the German FAQ shows.
The most obvious way to use OpenStreetMap maps is not data protection compliant
Own investigation.
On the OpenStreetMap website where the plugin can be downloaded (openstreetmap.org), neither the data protection statement nor the imprint is properly accessible. Furthermore, the data processing is not well explained. This makes the maps unusable from a data protection point of view. It cannot be proven what happens to the user traffic data that OpenStreetMap receives from an integrating website. On the German OSM website (openstreetmap.de), an imprint and data protection notices are available. If the map plugin could be downloaded from there and the maps loaded from this German server, the problem would be solved.
My article on the data-protection-friendly OSM plugin contains some further points of criticism regarding the direct use of OSM.
Ideally, however, one would have to conclude a data processing agreement (DPA) with the OSM plugin provider. The DPA would ideally guarantee that all data received by OSM is processed in accordance with the GDPR and not for OSM's own purposes. Furthermore, the data should ideally remain within Germany or Europe, and the OSM organization should be purely German or European, or at least not embedded in a US legal construct.
MapBox
MapBox is an American provider that offers maps which are also based on OpenStreetMap.
Since consent is required for MapBox under Art. 44 ff. GDPR and I do not want to support American providers any further, MapBox is excluded as a possible solution.
What applies to MapBox can also be transferred to other providers. There may be paid offers from GDPR-compliant providers in Europe or Germany. In this article, it will only be about free offers.
Self-hosted OpenStreetMap server
OpenStreetMap allows you to operate your own tile server. This server is loaded with the current OpenStreetMap data and can then deliver maps. It is controlled via JavaScript logic. The installation of this server is so complicated that it almost deserves to be called an imposition.
In any case, such a self-operated OSM server is a data-protection-friendly solution, but for most websites it is illusory.
Download and use a map snippet
On the website of OpenStreetMap you can define a map excerpt and then download the data for it. Via an export function you get an XML file. What to do with the XML file remains open for now. I haven't looked into it further because this solution is obviously not directly usable and requires technical expertise.
Maybe someone would like to write to me explaining how to get from an XML file to an interactive map in a simple way.
On the website of OpenMapTiles, map data for the entire planet, individual continents or countries can be downloaded. However, commercial use is subject to a fee. Additionally, further steps and installations are required to get from the map data to the finished product. Sounds like everything is quite complicated and not mass-marketable.
Own solution
My initial solution shows how a map can be embedded without any privacy problems. The features of the solution are:
- No data transfer to third parties
- Works without consent
- No need for a data protection text
- No installation of a personal server
- Show only the relevant map excerpt
- Zoom is only possible within sensible limits
- Moving the map excerpt is only possible within reasonable limits
- Directly usable for the map of Germany via a hosting offer (for example, from me)
- Self-operation possible
- Storage requirements are not too high
- Data transfer runs via your own server
The solution is free and has almost only advantages. Currently, installing it is a bit more complicated than the illegal integration of Google Maps, but it causes less work than integrating the data-hungry map in a data-protection-compliant manner. Not to mention the greater legal certainty.
This solution is legally compliant and ultimately saves work. If you operate it yourself, you have to perform a relatively simple installation that consists mainly of copying files. Perhaps I'll offer a WordPress plugin for this purpose.
Update: There are even several variants for WordPress plugins available now. A configurator makes it easier to get a suitable plugin for one's own locations.
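The limits in the feature list above (relevant excerpt only, bounded zoom and panning, modest storage) can be planned with the standard OpenStreetMap tile numbering. The following is an added example, not the author's code; it assumes raster tiles in the z/x/y scheme served from the site's own server, and the bounding box, zoom range and function names are constructed for illustration.

```javascript
// Added example, not the author's code. Assumes raster tiles in the standard
// OpenStreetMap z/x/y scheme are served from the site's own server.

// Longitude/latitude -> tile x/y at zoom z (standard slippy-map formula).
function lonLatToTile(lon, lat, z) {
  const n = 2 ** z;
  const latRad = (lat * Math.PI) / 180;
  const x = Math.floor(((lon + 180) / 360) * n);
  const merc = Math.log(Math.tan(latRad) + 1 / Math.cos(latRad));
  const y = Math.floor(((1 - merc / Math.PI) / 2) * n);
  // Clamp so that points on the outer edge stay inside the tile grid.
  const clamp = (v) => Math.min(n - 1, Math.max(0, v));
  return { x: clamp(x), y: clamp(y) };
}

// Tile index range covering a bounding box at one zoom level.
function tileRange(bbox, z) {
  const nw = lonLatToTile(bbox.west, bbox.north, z);
  const se = lonLatToTile(bbox.east, bbox.south, z);
  return { xMin: nw.x, xMax: se.x, yMin: nw.y, yMax: se.y };
}

// Number of tiles to store for the excerpt across the permitted zoom levels.
function countTiles(bbox, minZoom, maxZoom) {
  let total = 0;
  for (let z = minZoom; z <= maxZoom; z++) {
    const r = tileRange(bbox, z);
    total += (r.xMax - r.xMin + 1) * (r.yMax - r.yMin + 1);
  }
  return total;
}

// Server-side allowlist: answer a tile request only inside the excerpt and
// zoom limits, so the endpoint cannot be used as a general map proxy.
function isTileAllowed(bbox, minZoom, maxZoom, z, x, y) {
  if (![z, x, y].every(Number.isInteger)) return false;
  if (z < minZoom || z > maxZoom) return false;
  const r = tileRange(bbox, z);
  return x >= r.xMin && x <= r.xMax && y >= r.yMin && y <= r.yMax;
}

// Constructed sample: a small area around one location, zoom 12 to 16.
const SAMPLE_BBOX = { west: 8.6, south: 50.05, east: 8.75, north: 50.15 };
const SAMPLE_ZOOM = { min: 12, max: 16 };
console.log("tiles to host:", countTiles(SAMPLE_BBOX, SAMPLE_ZOOM.min, SAMPLE_ZOOM.max));
```

Multiplying the tile count by an average tile file size gives a rough storage estimate for the excerpt.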
Conclusion
A self-operated OpenStreetMap Server is a way to use a map in compliance with data protection regulations. You even save yourself from having to read the data protection text. The installation, however, is not entirely uncomplicated. In addition, you should update the map material every few months.
As I have shown above, a data protection compliant solution is possible and already available.
I am working on an OpenStreetMap solution for the public, in order to simplify usage as much as possible and enable GDPR-compliant use. In the meantime, several variants of map configurators have become available. Besides the JavaScript and WordPress variants, it is also possible to display several locations simultaneously on a map. An individual label can be specified for each location. The display of route planning is in progress. You will learn about further developments if you regularly visit Dr. GDPR or subscribe to the newsletter.
I am open to and grateful for further suggestions.
Key messages
OpenStreetMap can't be used in a way that complies with data protection regulations in its standard form.
Directly using OpenStreetMap maps on your website can be a privacy risk because their data handling practices are unclear.
A self-hosted OpenStreetMap server is a privacy-compliant way to use maps on your website, avoiding the complexities and legal issues of using services like Google Maps.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
