Data harvesting: privacy concerns and opportunities

Published: 28 July 2023

1016
Dr Jan C Greyling, Department of Agricul-tural Economics and
Lead of the Stellenbosch AgroInformatics Initiative, Stellenbosch University

Producers are generating an unprecedented volume of data, encompassing diverse aspects such as specific crop yields, livestock health, soil composition profiles, drone and satellite imagery, and more. Whenever I am asked to speak about agricultural technology, I stress that we often focus too much on the tangible ‘stuff’ like tractors, combines, drones, and robots. However, going forward, the focus will shift towards the intangible ‘stuff’ – data.

Currently, most of the major agricultural manufacturers, input suppliers, and numerous startups are developing algorithms, dashboards, and more to extract value from this data for producers, and possibly for themselves. They could be doing this to lock producers into their ecosystems or to keep their products at the forefront. Thus, there is potential for both good and bad outcomes from processing producer data.

The debate
Currently, there isn’t much debate about producer data privacy in South Africa, likely because our producers have other pressing concerns. However, this debate has been ongoing in the United States and Europe for years.

In the United States, farm data privacy came into focus in 2014 when a consortium of leading agricultural technology providers unveiled the ‘Privacy and Security Principles for Farm Data’. Although these principles offered a degree of reassurance by advocating for transparency in data handling and producer control over data sharing, their voluntary nature has been criticised. Critics argue that these principles fail to provide sufficient legal safeguards for producers.

Europe, in contrast, presents a different scenario with its robust data protection regulations. The implementation of the General Data Protection Regulation (GDPR) in 2018 imposed strict controls on personal data collection, storage, processing, and sharing. However, interpreting these regulations in the context of agricultural data remains ambiguous. While the GDPR unambiguously protects producers’ personal data, the classification of agricultural data, which could be construed as non-personal, isn’t clear-cut. This ambiguity has sparked ongoing debates about whether agricultural data should be treated as personal or non-personal data.

In South Africa, data privacy has been a forefront issue before and after the implementation of the Protection of Personal Information Act (POPIA), similar to the GDPR in Europe. Although POPIA emphasises the rights of individuals to control their personal information, its applicability to non-personal data like crop yields or soil quality is unclear, as most farms operate as separate legal entities. Hence, as with the GDPR, this ambiguity necessitates further clarification for all businesses.

The concerns
In the debate around data privacy, regardless of region, a primary motivation is to protect producers from potential exploitation; a concern stemming from the possible repercussions of data sharing. There are fears that – if shared unregulated – detailed data on crop yields, soil conditions, livestock health, farming techniques, etc., could provide third parties with a comprehensive picture of a farm’s operations. This could, amongst others, be used against producers to manipulate market prices, adjust interest rates, or enable insurance companies to unfairly modify premiums.

The opportunities
However, a balance must be struck, as pooling data could yield collective benefits from the analysis of agricultural data. This type of data is invaluable for advancing agricultural research and development. This approach could facilitate the development of personalised services for producers, such as tailored insurance products or expert advice from agronomists. Nonetheless, a prerequisite for this approach is the establishment of stringent anonymisation and aggregation standards to prevent data misuse.

What companies say
Unfortunately, most participants in this debate approach it on ideological grounds without scrutinising the privacy statements themselves. Hence, I have analysed the data privacy statements of three of the largest global agricultural machinery providers. These statements legally articulate the conditions under which the processing and sharing of personal data are permissible, revealing both similarities and differences.

All three emphasise that data cannot be shared with third parties unless the client explicitly consents, a consent that can be withdrawn at any time. They all underline the importance of maintaining security and confidentiality during data processing and storage. They also clarify that data can be processed and, in some cases, shared by the manufacturer to ‘fulfil contractual obligations’ and pursue their ‘legitimate interests’. The former refers to the necessary processing of personal data to deliver on a contract, while the latter allows a company to process personal data if it has a genuine and justifiable reason, provided this doesn’t unduly infringe on the individual’s rights and interests. Notably, there are significant differences between the three privacy statements.

Company A provides a clear interpretation of ‘contractual obligations’ and ‘legitimate interest’. In terms of contractual obligations, they outline several reasons for their data processing, including providing services to customers, responding to inquiries, and maintaining access to related services. When processing data for a ‘legitimate interest’, the reasons cited include maintaining IT environments, preventing criminal activities, and product development.

Company B doesn’t specifically refer to ‘contractual obligations’ as a reason for processing client data, but the concept is implied in most of the examples provided. These include fulfilling customer requests, enhancing relationships with customers, and conducting marketing activities. The company also makes it clear that customer data can be shared with subsidiaries, affiliates, and authorised dealers for marketing purposes.

Company C strongly emphasises the non-commercialisation of personal information without consent. In accordance with the principles of ‘contractual obligations’ and ‘legitimate interest’, the company outlines specific circumstances in which personal information may be shared, such as during payment facilitation and business restructuring scenarios. It also expands on the disclosure of personal information in the context of legal claims, law enforcement requests, and the prevention of harm or financial loss.

What South African producers say
Almost without exception, the South African producers we spoke to for our current research project into the topic, indicated that as long as companies don’t share their data with third parties without their consent, they are content to make it available to the provider for improving their algorithms and services. This sentiment seems to be supported by the three privacy statements analysed. However, another point all producers agreed on is that they wished there were a unifying platform that collated, analysed, and visualised their data for decision-making or use with precision farming systems. It could be that manufacturers are over-compensating with respect to privacy, thus making such an integrated platform difficult to realise, or it might be that the race for the dominant platform and ecosystem is still ongoing. Time will tell.

Definitions
Fulfilling contractual obligations: When a person (or entity) enters into a contract with a company, the company may need to process that individual’s personal data to fulfill its obligations under the contract. For example, if a person buys a product from an online store, the store needs to process the customer’s delivery address to send them the product. This processing is done on the legal basis of ‘fulfilling contractual obligations’.

Legitimate Interest: This is one of the legal grounds for processing personal data under the GDPR. It means that a company may process personal data if it has a genuine and legitimate reason for doing so (including a business or commercial reason), unless this is outweighed by harm to the individual’s rights and interests. For instance, a business might use personal data to prevent fraud or enhance the security of its network and information systems – both of which could be considered a legitimate interest. This allows data processing even in the absence of explicit consent, provided that the processing doesn’t disproportionately infringe on the individual’s privacy rights.