Smart farming: IoT and your farming equipment

The Internet of Things (IoT) is a term used to describe the connecting of physical objects to each other via the internet in order to exchange data between them. IoT capabilities are increasingly becoming an important tool for farmers to measure relevant data remotely and in real time. However, like all things that are connected to the internet and capable of gathering vast amounts of data, the all-important “T’s and C’s” attached to the use of IoT-enabled farming equipment should receive careful consideration where such IoT devices allow access to sensitive data by IoT service providers and even other unauthorised third parties.

30 Nov 2022 | 3 min read | Combined Agriculture, Aquaculture & Fishing, and Technology, Media & Telecommunications Alert Article

At a glance

  • IoT in farming: IoT devices such as drones and sensors provide farmers with real-time data for decision-making, reducing risks and improving yield viability.
  • Risks of IoT: Farmers should consider the terms and conditions associated with IoT devices, as service providers and unauthorised third parties may access sensitive data. Compliance with data protection laws, like the Protection of Personal Information Act (POPIA), is crucial.
  • POPIA and data protection: IoT service providers must adhere to POPIA's provisions when processing personal information, including the principle of "minimality." Data subjects have the right to withdraw consent and request deletion of their personal information. Non-compliance can result in penalties and criminal sanctions.

IoT and farming

Examples of IoT farming devices and equipment include autonomous tractors, drones, robots, and remote sensors. These IoT devices can gather large amounts of information ranging from soil moisture, chemical application, dam levels and livestock health to data relating to the monitoring of fences, vehicles and weather. The advent of IoT in farming means that a farmer’s ‘gut instinct’ can be backed up with validated data points to support decision making, which can eliminate significant risks relating to farming operations and the viability of a yield.

All upsides have downsides (potentially)

A particular risk to be aware of is where IoT service providers are based in a foreign country that does not have adequate data protection laws in place. Such an instance may see a service provider use the data gathered by these IoT devices for purposes unknown to the farmer, including even potentially selling the data for economic gain.

This is precisely why the Protection of Personal Information Act 4 of 2013 (POPIA) was created. Any person (both natural and juristic) whose personal information is processed within the borders of South Africa enjoys the protections afforded by POPIA. Where a service provider sells an IoT device to a farmer who uses the device within South Africa, the service provider must comply with the provisions of POPIA.

The IoT service provider will be considered a “responsible party” in terms of POPIA and must ensure that any processing of personal information is done in accordance with the prescripts of POPIA, including by adhering to the concept of “minimality” (section 10 of POPIA), which requires personal information to only be processed if the purpose for which it is processed is adequate, relevant and not excessive. Cross-border data transfers must also be carried out in compliance with POPIA. The best way to manage data-related risks is to assess the service provider’s IoT service terms of use and privacy policy. These documents should illustrate the service provider’s processing activities in a transparent and informative way.

What if I have consented already?

Fear not, POPIA once again has a remedy for a person who would like to withdraw their consent. Section 11(2)(b) of POPIA affords a data subject (end-user) the ability to withdraw their consent at any time. Furthermore, POPIA also extends a right to a data subject that allows them to request the deletion of their personal information (section 24(1)). An IoT service provider that does not allow a data subject to exercise their rights under POPIA can be reported to the Information Regulator by following the prescribed complaints procedure (i.e. by completing the prescribed POPIA Form 5 available on its website and sending it to the designated email address). Responsible parties who don’t comply with POPIA may be liable for administrative penalties and may be subject to criminal sanction if they commit an offence in terms of the Act.


Both farmers and IoT service providers should be aware of their rights and duties under POPIA. It is now more important than ever to be mindful of how data is processed and what it is being used for – particularly in the new economy strongly driven by data.

Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved.