The US is still long way from adopting a GDPR style regulation that applies across the country to protect data privacy. We view data privacy as primarily a state matter--leading to a patchwork quilt of personal privacy laws--even though nearly every data platform is national in reach. Like it or not, it is inevitable if the US wants to remain competitive that we adopt a GDPR-like national privacy bill. What are the elements of GDPR we should adopt?
Definitions. Article 4 of the GDPR defines certain terms and those definitions apply across all EU member states. Some of these definitions include: personal data, pseudonymisation (making data sharable without identifiers), data processing, and data breach. One of the problems I noticed early in my work with ag tech contracts was a lack of consistency in terminology. GDPR does not define ag data, but it does define many other important terms and that is a good start.
Rights of Data Subjects. Articles 12-23 of the GDPR establish rights for data subjects, such as the right to erasure (right to be forgotten), the right to rectification (right to correct errors in data); right to data portability, and right to object. The Ag Data Core Principles are an attempt to bring consistency to ag data platforms, although admittedly the Core Principles are non-binding than GDPR's rights for data subjects.
Comprehensive enforcement procedures. The are real consequences for data processors that violate the rights of data subjects or ignore the requirements of GDPR, including fines and the rights for data subjects to obtain redress in courts. In the US, we rely on the Federal Trade Commission to enforce privacy rights, but the average consumer sees little change in how their data is collected and shared as a result of the FTC's efforts. The GDPR's enforcement mechanisms are much more robust.
Consent. Article 7 of the GDPR establishes the conditions for consent. Blanket consent is discouraged: "the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language." Consent that is not correctly obtain is not binding. In addition, GDPR states that a data subject has the right to withdraw consent at any time. These are much needed advancements, since many data platforms bury consent in the fine print.
In the coming years, we are going to hear more about data privacy, not less. This is true for both consumer products and agtech platforms that collect ag data. GDPR is not perfect, but it provides some great discussion points to move the conversation forward. And although US agriculture is generally reluctant to embrace more regulation, the inconsistency across states creates problems for ag tech companies trying to draft clear, concise contracts for their farmer customers everywhere. A national approach could help in this regard.