> what are the plans for Overpass API regarding GDPR?
First of all and most important: we are in no hurry.
There is a substantial risk to break things. And it is not even clear
whether we process personal data at all: Wikimedia has concluded in a
quite similar setting that they do not process personal data at all.
I'm currently preparing a document to clarify the situation of Overpass
API. Please note that there are substantial differences to the setting
of openstreetmap.org. Most account-related data is not present at all.
But on the ohter hand, openstreetmap.org does not even bring node
coordinates and "historic" ways together.
Overpass API never had a feature to track user activity and probably
never have to. One reason for the design decision to work with time
slices has been that it is privacy-friendly: you have no know beforehand
at what timestamp something intereting happens.
> The recommendation regarding meta data seems to be to limit access to
> logged-in users. So Achavi would require authentication, but so would
> any query with 'out meta'?
At the moment, I suggest not to require any authentication at all. The
same logic as above applies: you have to know beforehand the changeset
id of interest. Traversing all changesets that way is not possible, not
even all changesets of a really active user within reasonable time.
The first two steps and the moment are to ensure that minute updates
continue to work and to find a practical solution for the clone feature.
Permission management for the database will follow later.
Currently, I doesn't look useful to use the opensteetmap.org OAuth at
all. That way, we pile up a new category of personal data, which is
precisely the opposite of what the GDPR intended. In addition, there is
no clean solution to ensure that people have read the Overpass API
privacy declaration, and the framework is for our purpose