What’s on your mind? How private is your brain?
I spent Data Protection Day, 28 January, at the Council of Europe/EDPS/CPDP Conference in Brussels where the presentations reflected current data protection law challenges. We heard the priorities of those holding the new EU political mandates, as well as new emerging topics.
My first experience of a session on neuroscience, neurotechnology and data protection was a highlight.(1) In conventional terms, personal data relates for example, to people’s physical characteristics, work performance, geographical location and online activities. Many people use fitness apps to measure body weight, run times, heart monitoring and number of steps taken. But analysis of emotions, sentiment analysis has a science fiction dimension to it, which seems to be based less on fact, more on fantasy.
The brain has until recently been a closed data book. But neuroscience research is moving so fast that understanding what is happening in the brain is moving quickly from “never” to “five years from now,” declared Marcello Ienca, Professor of Ethics and AI and Neuroscience, School of Medicine and Health, Technical University of Munich. He said “The brain is the most powerful and complex data repository in the universe … So is the challenge to read out from the brain only science fiction?”
He explained that it is already possible to assess a person’s mental state, as information can indicate markers for Alzheimer’s Disease and dementia which can lead to judgement about a person. But “mind reading is not necessarily bad … Around half the population will develop a mental problem. The reading of a person’s mind while awake and/or dreams when asleep could become a therapeutic necessity in some psychological treatments.”
This point leads to the classic data protection issues of access and accuracy: Who gets the right to read brains? To what extent does this reading out from the brain erode the classic rights to information self-determination, personal autonomy, dignity, expectation of privacy and freedom of thought? To what extent can such data fulfil the data protection law principle of accuracy?
These are not hypothetical questions, as Ienca explained that the big tech sector is now working on neuroscience. A consequence is that it could lead to forecasting individual people’s behaviour.
Neuro rights as new human rights?
There is a right to remain silent and a right to not incriminate oneself in relation to the criminal offence that a person is suspected or accused of having committed, said Anna Austin, Jurisconsult, the European Court of Human Rights. However, she made the point that “if you can read someone’s mind, does this right remain?”
Limor Shmerling Magazanik, Member of the Data Governance Expert Group at the OECD, with 36 Member States from different continents, leads the work stream on health data governance, including a programme on neurotechnology and privacy. This group has an economic and social perspective. It is now revising its health document after five years, including the principles of autonomy, consent and protection of confidentiality in the context of ageing populations in many western countries. The principle of autonomy means that it is important to know that tech has been used on a person in a fair manner.
Alessandra Pierucci, lawyer at the Garante, Italy, and former Chair of the Council of Europe Consultative Committee of Convention 108, referred to the “conceptualisation of mental privacy” gaining traction. She mentioned the specific reference to the protection of data on brain activity in Chile’s constitution, as in 2021, it became the first country to enact legislation directly relating to neuro data. It extended conventional data rights to neural data which can be expressed as neuro rights.
Informed consent plays an important role as a legal basis for processing in many privacy laws. But will this legal basis be challenged in the context of brain function tracking? Why would a person consent to emotional monitoring if there could be negative consequences in recruitment, in the workplace, not to mention dating apps? There will be a need to conduct a mental privacy risk assessment.
Ienca said that neurotechnology is being extended from the output stage to an input stage. Neuroscience is developing the artificial creation of memory which could replace traumatic memories, for example, of war, or with implications for witnesses in a criminal trial. While tech implants in humans started in the 1970s, AI is now a catalyst in this process.
Who will conduct such activities, under what conditions, and who will gain access to the data forming the results? The risk is unconsented revealing of people’s emotions, an arms race to people’s minds. Who will be the gate keepers to this knowledge?
These developments raise the question of whether we need a new human right or should we rely on existing rights? An expansive interpretation of existing rights leads to “rights inflation.” But on the other hand, there is an advantage of keeping to existing rights because “new rules take time whereas neuroscience is moving very fast.” The consensus was that there is no need for new rights, as existing rights can be flexible and can be adapted to neuroscience and neurotechnology.
PL&B’s 38th Anniversary edition
I expect that most of us have not given much thought to data protection aspects of neurotechnology so I am pleased to bring you what I learned for my blog for this 38th Anniversary edition of PL&B International Report. As always, we at PL&B are facing forwards while not neglecting more traditional issues, such as:
- DPA sanctions in France and Ireland
- Settlement with the DPA in Australia
- A court decision in Poland
- Revised laws in Malaysia and Singapore, and
- An analysis of a draft law in Cambodia.
The authors of our article on non-material damage awards in Germany will be speakers at our 38th International Conference 7-9 July at St. John’s College, Cambridge, as will Professor Graham Greenleaf, our longstanding Asia-Pacific Editor.
This week, we are running our Ireland Conference in Dublin and on 11 March, we have organised our next conference in London: What’s right for children and their data: Keeping on the right side of the law. All these events are available both in-person and online. We look forward to meeting you there.
Regards
Stewart Dresner
Publisher, Privacy Laws & Business
February 2025
REFERENCE |
News & Blogs |
February 2025 Report Contents |
Next |