With the deadline looming (May 25, 2018) for compliance with the European Union's General Data Protection Regulation (GDPR), ag data companies may be wondering whether their privacy policies need to be in compliance with the EU's regulation. This is the first in a series of posts on GDPR and its impacts on North American ag data platforms.
This post will answer the threshold question: Does the GDPR apply to collection of ag data in North America?
To answer this question, two definitions from the GDPR are important: "personal data" and "ag data."
The GDPR applies only to "personal data" collection. Personal data is defined in the GDPR as:
any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR, Art. 4, 1.
There is a lot in that paragraph, so let's break it down into its constituents. The first required element here is that personal data is from a "natural person." This means data generated by tractors, farm equipment, cows, or pigs are not covered by the GDPR--only data related to people.
The second required element is that the data contains "reference to an identifier" tied to that natural person. The definition gives us lots of examples, including name, ID numbers, location data, and other identifiers related to physical, physiological, genetic or cultural characteristics.
Of these, only "location data" potentially applies to ag data since yield data, planting data, machine data, etc. all include location information. Still, I do not think that is enough to bring ag data into the definition of the GDPR's "personal data" since these data streams are not tied to, or related to, a natural person.
My conclusion might be different if an ag data platform recorded location information about specific employees which is cross-referenced to collected ag data. For example, if a platform recorded not only machine location data but also which employee was driving that machine, this might pull "machine data" into GDPR's personal data definition.
In general, however, ag data is not "personal data." GDPR authorizes organizations to create "codes of conduct" for specific data uses. A number of EU farm organizations recently created an EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement. This document defines "ag data" as inclusive of a number of data streams, including: farm operation data, agronomic data, compliance data, livestock data, machine data, service data, agri-supply data, and agri-service provider data. These definitions are different than "personal data" since they are not tied to a natural person.
Back to the question: does the GDPR extend to protect ag data? In general, the answer is "no," ag data is not "personal data." But, there may be examples where ag data does fit within this definition. All ag tech providers should examine this issue for their unique situation.
Do not rely on this post as legal advice. Consult an attorney for advice on compliance with GDPR.