An introductory overview of the data protection challenges arising from the processing of Neurodata

Experts in ethics, data protection and data security have been discussing the recent development of new devices and methodologies for using information directly taken from the brain. These new advances are focused on understanding how the human brain works. As there is not an agreed definition of neurodata, concepts such as: “personal brain data” (defined by the OECD as: “data relating to the functioning or structure of the human brain of an identified or identifiable individual that includes unique information about their physiology, health, or mental states”) or “brain activity” (i.e. electrical or neural activity), may help to understand the concept.

• Some companies are already engaged in development projects related to this topic. Apple recently filed a patent related to a “new wearable electronic device for measuring biological signal parameters from a user” (the Patent Application Publication can be accessed on this website . The ID Document is: US 20230225659A. Interestingly, the accompanying images within the document represent Airpods).  Another company that already offers a product is Neurable, which is taking pre-orders to buy headphones that, in their words, “work by safely collecting electrical signals produced by your brain”. Therefore, the topic is relevant for companies interested in developing tools/devices to process this data and also for the individuals whose data will be in scope of those tools.

As mentioned above, this topic is also relevant from a Data Protection perspective and has been a subject of comment from the Spanish Data Protection Authority: “Neurodata and neurotechnology: privacy and protection of personal data I and II”, published last November 2022 and in January 2023 . The ICO’s website also includes specific information on this topic: “lCO tech futures: neurotechnology” as well as a recent post alerting about the “real danger” of discrimination in new technologies that monitor the brain. Given this relevance, this article provides views on:

1) The basic definitions of Neurodata and approaches taken by both the UK and Spanish Supervisory Authorities as regards their consideration as personal data;

2) Key Takeaways and preliminary recommendations and

3) Other relevant and remaining open points.

1. The Basic Concepts and approaches taken by both Supervisory Authorities: What is neurodata, and is it Personal Data?

The ICO, for the purposes of its report, defines neurodata as: “first order data gathered directly from a person’s neural systems (inclusive of both the brain and the nervous systems) and second order inferences based directly upon this data”. To increase clarity, the ICO includes within this definition: “information drawn from both the brain and the neural system, as well as morphological data (data allowing identification as well as classification)”. Out of scope of their report is the “neurodata inferred via biometric technologies and their data”. 

The AEPD uses different terms:

• “Brain data”: “brain data is unique and personal, can reveal information that is not known to the individual or it could be even beyond his or her control, it can be used for predictive purposes and opens new possibilities in representations of the individual through data”;
• “Neurodata” and “Neurological data” “as they are associated with identified or identifiable individuals, are personal data”.
• For the AEPD: “Brain data or neurodata could also be used to infer emotional and cognitive states, processes associated with personality, thoughts or feelings”. Another term used by the AEPD is “Brain Information” which “is unique and personal, each human brain is unique and allows personal identification through its anatomy (similar to a fingerprint)”.

From a global perspective, Brain Data, Neurodata and Brain Information seem to be certainly aligned on their potential context as predictive sources; but with slight differences: brain data or neurodata seem to appear for the AEPD as potential tools to predict behaviour or personality characteristics while brain information seems to have the condition of being predictive itself of people’s behaviour, like the genome.

• Is neurodata personal data?

On the one hand, the Spanish Agency makes clear that, based on its understanding of the concept of “personal data” within the GDPR, neurodata is personal data. On the other hand, the ICO makes an interesting statement: “Personally identifiable neurodata is always considered to be personal information irrespective of purpose”. In practical terms, the ICO seems to be opening the door to the option of processing some type of neurodata that would not be personal data, while the Spanish Agency seems to starts from a perspective that neurodata is personal data.

With regard to whether neurodata is Special Category Data, the wording used by both Authorities seems to create some flexibility. . The Spanish Agency provides the following hint in this regard: “they could be considered sensitive or very personal data (WP248 guidelines), since they are data that correspond to the most intimate sphere of the person. To the extent that the processing of such data could involve biometric identification-oriented information, political opinions, sexual orientation and health data, among others, neurodata would then qualify as processing of special categories of personal data”. The ICO, recommends organisations not to assume that neurodata is immediately health data simply because it derives from a person’s physiology.

Both these different definitions and considerations of whether neurodata is personal data require organisations to assess their proposed processing in contexts in order to meet data protection requirements.

2) Key Takeaways and preliminary recommendations:

As regards the framework to be considered by organisations interested on the processing of neurodata, the main recommendations would be:

1.  Take a global approach by considering which type of information would be gathered and processed, from who and how, and consider all the related steps that are part of the project.
   • In this global approach, the specific sector in which the processing will take place needs to be included; an interesting point in common for both Supervisory Authorities is their reference to potential uses of neurodata connected to different sectors, such as health, gaming, marketing or even military. Considering the context will be helpful to define several key points closely connected to the data protection framework to be built (i.e. legal basis, further uses or, even, the categorisation of neurodata within your project as personal data or as special category).
2. In addition to the pure Data Protection concerns, we would advise taking into account, from the early stages of the project, ethics related issues that might have an impact on fundamental rights; such as freedom of thought, freedom of expression, body integrity, personal dignity, non-discrimination and fairness and justice.
   • The development of a DPIA can be helpful (even if this is may not be, in principle, mandatory for your project) to identify the risks potentially arising from your project and minimise them. For example, the ICO post mentioned above specifically mentions the risk of discrimination for neurodivergent people. The Spanish Agency also warns of potential risks for bias, error and inaccuracy as regards the processing of brain information.
3. Keep an eye on the evolving general context of the technology related to the processing of neurodata as well as on the legal challenges.

By addressing each of the above recommendations your organisation will have a head-start in ensuring that the key data protection issues relevant to Neurodata are considered. However, there are additional issues may need to be considered alongside data protection, and these will be examined in the next section.

3) Other relevant and remaining open points.

As mentioned above, the lack of an agreed definition of neurodata may become one of the challenges to its processing. The difficulties may be also increased as technologies that are closely related to the collection/use of neurodata proliferate; because the concept of “Neurotechnology” is also currently under discussion. We have seen the complexity arising from a lack of an agreed definition in other concepts such as Artificial Intelligence (which is also closely connected to this topic and whose regulation in the EU is currently still ongoing to be approved). Most of the neurotechnology tools and devices available on the market use AI. Therefore, in addition to applicable laws on data protection, the forthcoming AI Regulation will also be relevant for how neurotechnology is developed and used.

• The question of the legal coverage (or even specific recognition) of the neurorights. These can be understood, in the words of the Council of Europe, as: “the ethical, legal, social, or natural principles of freedom or entitlement related to a person’s cerebral and mental domain”. The topic remains open with main 2 positions:

1) Some organisations and jurisdictions are considering the specific recognition of these rights. Examples include The Neurorights Foundation and Chile, which amended its Constitution, in 2021, to include a specific reference to the protection of brain activity – art.19.1 of its Constitution.

2) On the other hand, some are not convinced about the need to create new rights, and argue that expanding the existing ones (i.e. freedom of thought) cover these challenges.

The main concerns around these positions are related to aspects such as the potential implications arising from the interactions between neuroscience and the AI tools, including those related to privacy and data protection, but also any potential manipulation of the individual. In this regard, the UNESCO, provides also some insights within the documents: “The risks and challenges of neurotechnologies for human rights” & “Preliminary study on the technical and legal aspects relating to the desirability of a standard-setting instrument on the ethics of neurotechnology”, both published in 2023.

As we have seen above, there are different open aspects to be considered by those organisations that intend to develop any project or product intended to process any kind of information related to the human brain. In the article, some of them are explored with the aim of helping those organisations thinking about using neurodata on how to consider them from the starting point of any project.

Trilateral Research provides services in research, data protection (DPIAs) and cyber-risk, ethics innovation (AI Assessments) and sociotech insights by taking an end-to-end approach that fully integrates the technical, legal and social science dimensions. Our experienced advisors are available to assist organisations to build compliance into new projects. Get in touch with us today to find out how we can effectively support your organisation.