Neurodata en de GDPR: How can we protect our brain data? (Part 1)
With some recent developments in neurotechnology and AI, there is a rapidly growing proliferation of “Internet of Bodies (IoB),” this includes any form of technology where brain activity is monitored and the information gathered is transmitted through the Internet, directly or indirectly through the intervention of another device such as a smartphone.
This IoB gives us access to the brain data or neurodata of a particular individual. This type of data can be used to identify people, infer their emotional state, ideas or feelings and reveal a laundry list of other types of data.
. Does the GDPR apply to neurodata? In the first part of this blog, we will discuss what neurodata are and whether the GDPR is applicable to these neurodata. In het tweede deel zullen we ingaan op de bescherming die de GDPR kan bieden en de mogelijke gevolgen wanneer deze bescherming tekortschiet.
1. What is Neurodata?
The term “neurodata” refers to data that directly represents the function of the human brain. It is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. These neurons help perform tasks such as comprehension, movement, and communication.
This data enables its owner to literally investigate the human brain and see what processes are going on in the brain.
Possession of this information can be of great value in various contexts where one party wants to exert influence over another party or gain certain knowledge, especially when it allows for a more complete understanding and prediction of the actions of one party.
In recent decades we have not had to worry much about this Neurodata. Indeed, due to several medical obstacles, it was not yet possible to apply neurodata very actively.
Door enkele recente ontwikkelingen in de cognitieve wetenschap zijn we op een punt gekomen waar dat wel het geval is.
One of those developments is the perfecting of the Brain-Computer Interfaces (BCIs). For example, in December 2021, the first words were tweeted by a paralyzed man using only his thoughts and a brain-computer interface (BCI) implanted by the company Synchron.
The BCIs give paralyzed people who can no longer even move their eyes the chance to communicate with their loved one. This is of course a wonderful phenomenon, but we should also not forget that brain data contains our most personal data. This brain data could tell us a lot about both the identity and the mental state of a person.
2. Does the GDPR apply to neurodata?
To know whether the GDPR can offer protection to neurodata, we will have to ask ourselves when the GDPR applies.
In general, the GDPR provisions apply to data subjects in terms of ‘the processing of personal data.’ When determining whether activities fall within this scope, so two elements need to be assessed.
First, the data must be “processed. Data protection law has a very broad view of what qualifies as processing. It is generally assumed that the processing of personal data includes:
“…any act or series of acts performed on personal data. . . “
Furthermore, the GDPR applies to processing that may be ‘wholly’ or partially automatic.
In other words, “data processing” has a very broad meaning and probably includes most of the operations likely to occur in the collection and storage of brain data. In terms of this dimension of the regulation, it seems clear that any conceivable BCI will certainly process data in a regulatory-relevant way.
Secondly, we must also ask ourselves whether neurodata can be qualified as personal data.
This is because the GDPR only applies to “personal” data. If the data turns out to be anonymous, GDPR rules no longer apply (See: European Parliament and Council 1995: Article 3; Recital 26 & Working Group Article 29, Opinion 5/2014 on anonymization techniques, adopted April 10, 2014, 0829/14/NL WP 216).
Data such as an address or a name can easily be linked to a specific person. This is more difficult with neurodata. Neurodata are essentially signals of brain activity, can they be linked back to a particular person in the same way that an address can be linked back to someone?
Often, neurodata will be personally identifiable, especially when combined with other identifying data linked to an individual. Consider, for example, the situation where the neurodata is linked to a specific user profile.
Does this mean that neurodata can be anonymized and the GDPR will therefore no longer apply?
It is important to remember in this context that nevertheless the link that neurodata has to the marital status of an identifiable individual can clearly be broken (in the sense that one could destroy the name at the top of a neurodata file, leaving only the raw data remains), the data remains a unique representation of that particular individual’s identity and mental state. This means that neurodata can never be called ‘anonymized’ in the same way as, for example, travel information.
In addition, the GDPR states in its Recital 30 that:
“Individuals may be linked to online identifiers through their equipment, applications, tools and protocols, such as internet protocol (IP) addresses, identification cookies or other identifiers such as radio frequency identification tags.”
This consideration confirms that technical identifiers can be considered personal data if there is a clear link to a natural person.
We can certainly conclude from all the above that it concerns personal data.
Another question we can ask ourselves in this regard is whether this data is a sensitive date? In our opinion, this question should certainly be answered in the affirmative.
The fact is that
can be predicted based on brain activity. According to some studies, it would even go so far that someone’s political leanings could be predicted based on brain activity. Research into a person’s brain activity can therefore reveal the most intimate aspects of a person. To qualify this data as sensitive, one can call it an ‘understatement’.
Perhaps even more important from an ethical point of view is the fact that neurodata could be used to identify a person’s thoughts and intentions. his can have serious consequences for the individual in that their “private brain states” essentially become an apparent open source from which to characterize their thought processes.
However, how to view these brain recordings and the data derived from them is a difficult question. In terms of the GDPR, it is certainly being processed. By being an identifier of a data subject, either in itself or through a link with other data, it is also personal. These research requests also appear to be very significant data that can be regarded as sensitive.
There is no denying that neurodata access can give access to highly sensitive data about individuals.
It is therefore a sure thing that GDPR applies and should apply to this kind of data. In the second part of the blog, we will take a closer look at the protection that the GDPR already offers and how this protection still needs to be improved.