Before exploring the government regulations and agreed sector organizations’ principles about Agri Data, it’s important to understand what they really are.
The following excerpts come from FABE @OhioStateUniversity illustrate it in a simple way.
Data from a specific farming operation or at the field level related to agronomy-based information such as yield, population, hybrid, nutrient application. Agronomic Data is tied to the land or field where it was generated…
Data that is compiled using multiple sensors located on agricultural machinery: from the CAN (controlled area network), it also includes guidance system information (autosteer, GPS path files, bearing, etc.), variable rate control/technology and seeding rate controllers, etc.
Internet of Things
Data automatically collected by sensors laid out in the field, such as soil humidity, air temperature, water flow in irrigation systems. The network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data…
THE BIG DATA FLOW
(source Department of Food, Agricultural, and Biological Engineering @OhioStateUniversity )
- A farmer will upload farm and personal data from ground and equipment sensors, drones, etc.
- Agricultural Technology Provider (ATP) will aggregate farmer’s data, combines other relevant data set, and applies algorithms to analyze.
- The ATP then gives the farmer a customized solution or recommendation based on data received.
- The farmer can then use the recommendations provided by the ATP to make agronomic, economic, and farm management decisions on their farm.
Agri Data in the USA
In the US the most active initiative so far has been achieved by an industry coalition led by the American Farm Bureau Federation (AFBF) that devised the Privacy and Security Principles for Farm Data in 2014.
Privacy and Security Principles for Farm Data
The American Farm Bureau Federation (AFBF), working with commodity groups, farm organizations, and agriculture technology providers, help establish the Privacy and Security Principles for Farm Data in November 2014. To date, numerous organizations have agreed to follow these “Core Principles.”
Following excerpts of the principles (complete text can be on the Farm Bureau website)
Education: ATPs (Agriculture Technology Provider) should strive to draft contracts using simple, easy to understand language.
Ownership: farmers own information generated on their farming operations…, it is the responsibility of the farmer to agree upon data use and sharing with the other stakeholders…
Collection, Access, and Control: ….collection, access and use of farm data should be granted only with the affirmative and explicit consent of the farmer…
Notice: Farmers must be notified that their data is being collected and about how the farm data will be disclosed and used…
Transparency and Consistency: ATPs (Agriculture Technology Provider) shall notify farmers about the purposes for which they collect and use farm data…
Choice: ATPs should explain the effects and abilities of a farmer’s decision to opt-in, opt-out or disable the availability of services and features offered by the ATP.
Portability: …. farmers should be able to retrieve their data for storage or use in other systems, with the exception of the data that has been made anonymous or aggregated and is no longer specifically identifiable…
Terms and Definitions: …ATPs should clearly explain the following definitions ….in all of their respective agreements: (1) farm data; (2) third party; (3) partner; (4) business partner; (5) ATP partners; (6) affiliate; (7) data account holder; (8) original customer data…..
Disclosure, Use, and Sale Limitation: An ATP will not sell and/or disclose non-aggregated farm data …..without first securing a legally binding commitment to be bound by the same terms and conditions as the ATP has with the farmer. Farmers must be notified if such a sale is going to take place and have the option to opt-out or have their data removed prior to that sale. ….
Data Retention and Availability: Each ATP should provide for the removal, secure destruction and return of original farm data from the farmer’s account upon the request of the farmer or after a pre-agreed period of time…
Contract Termination: Farmers should be allowed to discontinue a service or halt the collection of data at any time subject to appropriate ongoing obligations. …
Unlawful or Anti-Competitive Activities: ATPs should not use the data for unlawful or anti-competitive activities, such as a prohibition on the use of farm data by the ATP to speculate in commodity markets.
Liability & Security Safeguards: …Farm data should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification or disclosure. …
This Bill aims to define the conditions to provide decision support to farmers based on data gathering and analysis, in other words, it’s “digital agriculture” in action. Its policies to AG Data are data anonymized and aggregated. Within this contest, data will also be forbidden to be sold.
Introduced in March 2018, the bipartisan legislation aims to “increase the knowledge of how covered conservation practices or suites of covered conservation practices impact farm and ranch profitability (such as crop yields, soil health, and other risk-reducing factors) by using an appropriate collection, review, and analysis of data.” ((a) Purpose)
More specifically the legislation focuses on “COVERED CONSERVATION PRACTICE”:
” specific conservation practice or enhancement that is designed to protect soil health, farm, and ranch productivity, or both ….while maintaining or enhancing crop yields in an economically sustainable manner…”
“(2) Identify currently collected data relating to the impacts of covered conservation practices on enhancing crop yields, soil health, and otherwise reducing risk and improving farm and ranch profitability…”
“(3) Collect any additional producer data, baseline data, or other data… (related to point 2).
“(4) Ensure that producer data ….are collected in a compatible format at the field- and farm-level … (with) the lowest practicable burden on producers and improves the interoperability of the data collected …
“(5) Establish procedures for producers to voluntarily … provide supplemental data that may be useful in analyzing the impacts of covered conservation practices …
“(6) Integrate and analyze the data …
“(7) …integrate, collate, and link data ….with other external data sources that include crop yields, soil health, and conservation practices.
“(8) Establish a conservation and farm productivity data warehouse in order to make the results of the data collection and analysis ….available to academic institutions and researchers …
“(9) Widely disseminate the research, analyzed data, and other information obtained ….that demonstrates the impacts of covered conservation practices on enhancing crop yields, soil health, and otherwise reducing risk and improving farm and ranch profitability in a manner that makes it easily used and implemented by producers and other stakeholders.
Data integrity and confidentiality
“…Procedures … shall provide appropriate privacy protections to the producer data, including—
“(i) prohibiting the sale of any individual producer data; and
“(ii) requiring any published research to release only aggregated data.
“(1) …Not later than 3 years …shall provide technical assistance, including through internet-based tools, …., to assist producers in improving sustainable production practices that increase yields and enhance environmental outcomes.
“(2) INTERNET-BASED TOOLS.—Internet-based tools ….shall provide to producers…
“(A) confidential data specific to each farm or ranch of the producer; and
“(B) general data relating to the impacts of covered conservation practices on enhancing crop yields, soil health, and otherwise reducing risk and improving farm and ranch profitability.
Agri Data in EUROPEAN UNION
This very interesting study published by the “European Parliamentary Research Service Scientific Foresight Unit (STOA)” in November 2017 (Author: Mihalis Kritikos), addresses the data management subject providing some general background anticipating and confirming the following analysis of the GDPR.
Excerpts of the study:
(section 3.2. Data management, p 14-17):
“…It should be mentioned that not all categories of data involved in precision agriculture such as agronomic data, compliance data, and meteorological data, actually qualify as personal data (‘information relating to an identified or identifiable natural person’ in accordance with Article 4(1) of Regulation 2016/679)… …Consequently, the issues raised by the processing of each category of data may differ. Some categories of data will certainly qualify as personal data in practice due to their relationship to a ‘natural person’. These include financial/economic data and staff data or other data derived from people’s behavior, and sometimes environmental data (as far as it is being derived from human activity)…
… The collection and processing of huge quantities of untapped farming data entail risks associated with storage and access to confidential information concerning specific agricultural operations, access by farmers to data in a non-proprietary form and making confidential information sufficiently anonymous to avoid misuse when brought together by third parties…
… not all processing of personal data in the course of precision agriculture processing will constitute a limitation under Article 7. There can also be risks in relation to Article 8 of the Charter regarding the right to protection of personal data. It must be underlined that, where the processing of farm data also involves personal data, the rules of the EU data protection legislation must be complied with…
….Although there is at present no EU legislation that specifically regulates the question of ownership in data, and although ownership-like rights currently available are limited to intellectual property rights and trade secrets, the determination of data ownership, especially of datasets or derived data that may affect the content of the agreements/contracts signed by private providers of agricultural technological know-how in the form of data licenses, is of particular importance. These licenses may define the rights
to use, transform, and monetize the data…
… data needs to be defined in relation to who controls the value of the data. Raw, large agricultural data sets that may hold little value to the end consumer might develop special value to a third party who is able to aggregate it and analyse it for a different purpose (e.g., a company might be interested in seed, yield, and input rates for determining future pricing of their product).
… It should be noted that information in this field has spurred significant investment and development of information-based ….agricultural services that are based on service agreements that may waive farmers’ data ownership rights. This may signal an unprecedented power shift in the industrial farming process.….
…. ‘Primary data‘ is seen as owned by the farmer while, strangely, ‘computed data‘ is currently seen as being owned by the one who did the computing. The ownership of data becomes even more ‘murky’ once it is aggregated with other farmers’ data. In many cases, this then seems to be considered in the ownership of the aggregating company… fragmented and uneven character of the relevant data ecosystem: those who create data (farmers), those who have the means to collect it (data brokers), and those who have amassed the expertise to analyze it (data analytics) and currently shape the rules about how the data will be used, who gets to have access, and who gets to participate. Different actors within the sector have vastly different levels of access to information ….thus raising issues of information asymmetry”
The European Parliament and the Council have issued on 27 April 2016 a regulation (EU) 2016/679 about the protection of natural persons with regard to the processing of personal data and on the free movement of such data (repealing the previous Directive 95/46/EC).
This new regulation goes under the name of GDPR (General Data Protection Regulation) and will be applying from: ” 25 May 2018″ (Article 99).
Being a new relevant regulation becoming effective very soon it is, therefore, worth investing some time to evaluate the impact it has on the Agri Data.
Agri Data falling into GDPR (Personal Data vs. Agri Data vs. Farm Data)
Before analyzing GDPR contents it is important to notice that it refers to “personal data”.
Article 4 Definitions – (1) ‘ personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier…
Ad by the definitions of Agri Data by FABE of Ohio State University mentioned at the beginning of this article, we clearly recognize that none of them fall under the category of “personal data” as defined by Article 4 of GDPR. Indeed Agri Data refers to “things” within a Farm, which is a legal entity and not a natural person.
We can therefore already conclude that the impact of the GDPR on the Agri Data is quite limited. Indeed among the Agri data regulated by the GDPR, we can list just the ” identifiers of natural persons” such as email, telephone numbers, names.
Agri Data out of GDPR: almost all of them
Indeed once the “identifiers of natural persons” such as email, telephone numbers, names are removed, then it applies the following section of Article 4 of GDPR:
Article 4 Definitions – (5) ‘ pseudonymisation ’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information,…
By “pseudonymization” GDPR means “anonymous information” (mentioned elsewhere in the GDPR) and also in the “Portability” principle of the ” Privacy and Security Principles for Farm Data”
We can conclude that once email, telephone numbers, names are removed, the GDPR impact on Agri Data is significantly reduced.
EU GDPR vs. US “Privacy and Security Principles for Farm Data”
While comparing a government law with a voluntary private set of principles is like to compare apples and pears, we can anyway conclude that the US principles are definitely more restrictive than the GDPR, at least… when talking about Agri Data.
EU GDPR in short
Despite the partial impact of EU GDPR on Agri Data, it is certainly worth to take it into consideration as some data collected will fall into the “personal data” regulated by the GDPR.
Following general principles and excerpts of relevant articles.
Definitions to keep in mind
(excerpts of GDPR Article 4 – Definitions)
(7) ‘controller’ means the natural or legal person…. determines the purposes and means of the processing of personal data;…
(8) ‘processor’ means a natural or legal person….which processes personal data on behalf of the controller;
(9) ‘recipient’ means a natural or legal person…. to which the personal data are disclosed…
(10) ‘third party’ means a natural or legal person….other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
(16) ‘main establishment’ means:
- (a) as regards a controller… the place of its central administration in the Union
- (b) as regards a processor…. the place of its central administration in the Union
(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor ….. represents the controller or processor …
Controller and processor responsibilities
Article 5 – (2)…The controller shall be responsible for… data shall be:…. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; … protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Article 11 – (1) If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
Article 11 – (2)…. the controller shall inform the data subject accordingly, if possible…
Article 12 – (1) The controller shall take appropriate measures to provide any information referred to:
- Information to be provided where personal data are collected from the data subject…
- Information to be provided where personal data have not been obtained from the data subject
- The right of access by the data subject
- Automated individual decision-making, including profiling
- Communication of a personal data breach to the data subject
relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language,…
Article 13 – (1) 1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller…
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended ….;
(d) where the processing is based…;
(e) the recipients or categories of recipients of the personal data…;
(f) …the controller intends to transfer personal data to a third country or international organization
(2) ….following further information…:
(a) the period for which the personal data will be stored…
(b) the existence of the right to request from the Controller access to and rectification or erasure of personal data….;
(c) where the processing is based on….;
(d) the right to lodge a complaint with a supervisory authority;
(f) the existence of automated decision-making, including profiling…
Article 15 – (1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and….access to the personal data and the following information (similar to article 13)
Article 16 – The data subject shall have the right to obtain from the controller ….the rectification of inaccurate personal data concerning him or her…
Article 17 – (1) The data subject shall have the right to obtain from the controller the erasure of personal data…
Article 19 – The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out ….to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort…
Article 21 – (2)…. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her…
(4) At the latest at the time of the first communication with the data subject, the right ….shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
Article 24 – (2) Where proportionate in relation to processing activities……implementation of appropriate data protection policies by the controller.
Article 25 – (1) ….the controller shall, …..implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles…
Article 25 – (2) The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed…
Article 27 (Representatives of controllers or processors not established in the Union)
….the controller or the processor shall designate in writing a representative in the Union…
Article 28 (2) The processor shall not engage another processor without prior specific or general written authorization of the controller…
Article 32 (1) ….controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymization and encryption of personal data;
(b) …. resilience of processing systems and services;
(c) … restore the availability and access to personal data…
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures…
Article 33 (1) In the case of a personal data breach, the controller shall… notify the personal data breach to the supervisory authority… The processor shall notify the controller without undue delay after becoming aware of a personal data breach…
Article 35 (Data protection impact assessment)
1. Where a type of processing ….is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact…
Article 36 (1) The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Article 37 (1) The controller and the processor shall designate a data protection officer in any case where:…
(b)…systematic monitoring of data subjects on a large scale;…
Article 42 (3) The certification shall be voluntary and available via a process that is transparent.
The lawfulness of processing (article 6)
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing….
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent….the controller shall….take into account:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected….
(c) the nature of the personal data, ….
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymization.
Conditions for consent (article 7)
1. Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
3. The data subject shall have the right to withdraw his or her consent at any time.
4. When assessing whether consent is freely given….provision of a service, is conditional on consent to the processing of personal data
Right to data portability
Article 20 1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided….
2. data transmitted directly from one controller to another, where technically feasible…
Article 89 (Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes)
1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
This article doesn’t intend to provide any legal advice, while purely sharing information about the Agriculture Data subject.
Marco is a Digital Agriculture international expert with 20Y+ experience in leveraging digital innovations to the benefit of the market. He owns a Math degree & MBA, and before focusing on digital agriculture, he successfully worked with his teams to develop and bring to market several new technologies and products in the fields of environmental monitoring (low-cost air quality city monitoring), risk mitigation (Unesco Petra site) focusing on Internet of Things (IoT), advanced sensors, Big Data, predictive analytics, Artificial Intelligence.
He co-founded 3 companies receiving international recognition by the European Enterprise Network (innovation success in 2007), was mentioned in Forbes in 2008, was awarded the Stanford University “Best Startup Award” at the Italian Innovation Day in 2011, and was IBM Smarter Planet finalist and Global Entrepreneur.
Recent tangible achievements: saving of water up to 50% with increased production of 250% in semi-arid climate; 30% average pesticide reduction in orchards along with agronomic risk reduction.
Main customers/partners supported in Digital Agriculture: Nestlé, Syngenta, Netafim, Omya, Agroscope, Purdue University.