Specific Details
Common Agricultural Policy (CAP) Strategic Plan - sharing of personal data
Intended results
To welcome the opportunity, as part of the Common Agricultural Policy Strategic Plan (CSP) Monitoring Committee, to provide feedback and comment on this important topic, in what is a significant departure from existing operational arrangements and carries with it significant risk of infringement of the fundamental rights of farmers.
The central tenant / justification to the proposed Statutory Instrument (S.I) presented is that the results-based orientation of the new Common Agricultural Plan (CAP) (2023-2027), and its associated legislative framework, place a number of legal obligations on Ireland which necessitates the sharing of data (including personal data at a beneficiary level) with relevant stakeholders in order to achieve the strategic objectives set out in out CSP.
To highlight what is lacking within the Statutory Instrument (S.I) is detail pertaining to governance structures and/or most importantly how the privacy and data protection rights of the farmer will be secured and protected at all times, including therein details of sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use.
To acknowledge the potential efficiency gain of leveraging off existing datasets from all stakeholder perspectives (i.e. avoids duplication of effort), and the imperative need to preserve vital Common Agricultural Plan (CAP) funding,
To emphasise that the level of ongoing monitoring of on-farm activities in pursuit of Common Agricultural Strategic Plan (CSP) obligations must be proportionate and similar to that afforded to other employment cohorts.
To insist that the sharing or transfer of data from one data source to another, even within individual entities, must not be permitted without the prior explicit consent of the farmer, not something that is secured because there contains a clause/condition buried somewhere within the expansive list of terms/conditions of participating schemes.
To ensure that farmers cannot be unduly disadvantaged, penalised or prone to increased on-farm inspections following direct/indirect advances in available technologies; data collection or monitoring mechanisms when implementing the Common Agricultural Strategic Plan (CSP). Monitoring / inspection efforts should move to one that helps farmers to become more compliant, not one of opportunity to penalise and generate revenue.
To raise the following concerns re 'Obligations on Member States to share Personal Data for the achievement of the Common Agricultural Strategic Plan (CSP)
1. Public Authority Definition and Permissible Stakeholders
The definition of “public authority”, and therein potential recipients of shared personal data, is extremely broad and may include, for example Non-Governmental Organisations with anti-farming objectives, based on elements of the definition presented
(xv) a board or other body (but not including a company under the Companies Act 2014) established by or under statute,
(xvi) a company under the Companies Act 2014, in which all the shares are held— (I) by or on behalf of a Minister of the Government,
II) by directors appointed by a Minister of the Government,
(III) by a board or other body within the meaning of paragraph (xv), or (IV) by a company to which subparagraph (I) or (II) applies, having public administrative functions and responsibilities
To point out that a more restricted and defined list of relevant stakeholders, pertaining solely for the purposes of fulfilling CSP obligations, is required.
2. Minimise Public Access
Section 3 (1) of the draft Statutory Instrument S.I seeks to provide public access to collated datasets. This must be avoided, and at a minimum, it is imperative that Section 3 (2) is executed in full, and regularly monitored, to protect the confidentially of personal data.
Without significant difficulty, it may be possible to identify individual farm operations via location, which when combined with other datasets (e.g. Environmental Protection Agency (EPA), Common Agricultural Policy (CAP) Beneficiaries etc) users may be able to manipulate data for personal needs or motivations, to the disadvantage of the farmer.
3. Maintaining Data Protection Rights
To emphasise that the need to comply with EU Law must be aligned with all principles of the General Data Protection Regulation (GDPR), not just the lawfulness of processing noted. While Article 5 of the General Data Protection Regulation(GDPR) requires lawful processing, it also mandates data minimisation and purpose limitation. The Statutory Instrument must ensure data minimisation, purpose limitation, transparency, and proportionality.
Article 6 of the General Data Protection Regulation (GDPR) article specifies the conditions under which personal data processing is lawful, including compliance with a legal obligation (Article 6(1)(c)) and the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)).
To challenge the interpretation of 'necessary' as employed in the draft statutory instrument while acknowledging the Department's legal obligations under the Common Agricultural Policy (CAP), Article 6(1)(c) of the GDPR provides a legal basis for the processing of personal data when it is "necessary for compliance with a legal obligation to which the controller is subject.
The key term here is 'necessary'. This necessity must be understood as processing what is strictly required to fulfil the legal obligation, and not simply what might be convenient or beneficial. Herein, the need for data sharing at scheme and beneficiary level must be clearly outlined.
To insist that the interpretation of 'necessary' must also consider the availability of less intrusive means to achieve the same objectives. EU case law, such as Digital Rights Ireland Ltd (C-293/12), highlights the importance of a strict interpretation of 'necessary' in the context of data protection.
To highlight that these rulings emphasise that broad and indiscriminate data collection is not in line with the fundamental rights enshrined in the General Data Protection Regulation (GDPR). There exists many parallels between what is contained within C-293/12 and the proposed European Union (Common Agricultural Strategic Plan, Information Sharing) Regulations 2023
1. Broad Data Sharing Scope Similar to the Directive in Digital Rights Ireland, the proposed Regulations involve extensive sharing of personal data of farmers. The scope of data sharing appears to be broad, without clear differentiation or limitation, which could be argued as disproportionate to the objectives of the CAP.
2. Specific Safeguards and Data Minimisation the Regulations should explicitly include safeguards that limit data sharing to what is strictly necessary and ensure effective protection against misuse.
3. Proportionality in Data Processing It is imperative that any measure involving extensive processing of personal data must be strictly proportionate to the objectives pursued. It is critical to assess whether the Regulations' approach to data sharing is the least intrusive means to achieve the strategic objectives of the Common Agricultural Plan (CAP)
To propose that the processing of farm data, particularly personal data, should occur only after obtaining explicit and informed permission from the farmer, or through other legal basis such as contracts, licensing, public task, legitimate interest, or other mutually agreed arrangements*. Any consent notice and contractual terms must be easily located and provided in an readily accessible format.
That farmers' consent should be sought when granting external access to, and use of farm data generated from their enterprises through expressed consent or other legal bases such as contracts, licensing, public task, legitimate interest, or other mutually agreed arrangements. Farmers should be given assurances that their privacy and anonymity will be protected.
The types of third parties to which their data can be disclosed to, and the choices available for limiting its use and disclosure should be made available.
That farmers should be provided with contact information regarding inquiries, requests and complaints relating to processing of the data generated from their farms. The contact information should be easily located and in a readily accessible format.
That any contract, agreement, licence, policy or terms should recognise and clearly state the purposes for processing farmers' data and if it is the case, how farmers will benefit from their farm data being processed*
That the effects of a farmer's decision to opt-in to, opt-out of, or disable the sharing of farm data on the availability of services and features offered should be clearly explained.
That contracts, licences and agreements relating to farm data must not be amended without the prior consent of the farmers with at least three months' notice. This notice must be provided directly or details given on how to access the amendment, which should be easily located and available in a readily accessible format.
That all data retention, retrieval policies and disposal procedures, should be clearly explained including all specific requirements. These policies and procedures should be included in contracts, agreements, data policies and terms and conditions, and be easily located and readily accessible.
To propose amendments to the Statutory Instrument (SI) as follows
1. Introduce Clause on Specific Data Types and a Clear Definition of ‘Necessary'.
2. Amend to include a specific list of data types that can be shared, excluding sensitive personal data such as financial information unless explicitly consented to by the data subject.
3. Include a clause in the Regulations that specifies the criteria for determining the necessity and proportionality of data sharing. This clause should outline measures to ensure that only data essential for the direct administration and monitoring of CAP objectives are shared.
4. Introduce a clause that where there are legal obligations to collect, manage and publish agricultural data but no requirement to disclose personally identifiable data, the data should be rendered anonymous before publication, preventing the identification of the individual.
5. Include a clause that all ‘necessary' data can only be shared from a public authority to the principal reporting entity (i.e. Department of Agriculture, Food and the Marine (DAFM)) charged with ensuring compliance with Common Agricultural Strategic Plan (CSP) obligations. The Department of Agriculture, Food, and the Marine (DAFM) will establish a dedicated unit, charged with undertaking necessary monitoring requirements from information provided by relevant public authorities.
The otherwise sharing of personal data between public authorities is not permitted under any circumstances.
6.Implement strict safeguards to ensure the security and confidentiality of shared data especially given the sweeping definition of “public authority” in the Statutory Instrument (SI), and establish clear oversight mechanisms to monitor compliance with these safeguards.
To propose that a thorough impact assessment of effect of the proposed Statutory Instrument (SI) should be conducted, particularly concerning the effects on farmers' privacy and data rights e.g. the inadvertent or otherwise publication of data that can be used to personally identify farmers through publishing open data sets such as the Department of Agriculture, Food, and the Marine (DAFM) Derogation Herd Locations 2015-2021.
This should also, but not be limited to, scrutinising the Strategic Environmental Assessment for its comprehensiveness in addressing data protection issues and using anonymised and/or aggregated data instead in line with the data minimisation and purpose limitation principles of the General Data Protection Regulation (GDPR).
To propose that an Oversight Committee or advisory board should be established, including farmer representatives, to monitor data sharing practices.