Neurodata, Neurotechnology and Data Protection in the UK

5 minute read | August.25.2023

The UK Information Commissioner’s Office (“ICO”) has published a report on the evolving nature of neurotechnology and its implications for data protection laws. The report highlights the risks of neurotechnology and sets the stage for further guidance.

What is Neurodata?

The ICO defines “neurodata” as “first order data gathered directly from a person’s neural system (inclusive of both brain and the nervous systems) and second order inferences based directly upon this data.” This means that if you are processing information drawn from an individual’s brain or neural system, you are likely processing neurodata.

What is Neurotechnology?

The ICO defines “neurotechnology” as “consumer, enterprise and healthcare devices and procedures, both invasive and non-invasive, that directly record and process neurodata for the purposes of gathering data, controlling interfaces or devices, or modulating neural activity.” The report distinguishes between two types of neurotechnology:

Non–invasive (non–implanted) technology (i.e., wearable technology).
Invasive (implanted) technology (i.e., electrodes implanted within the brain).

What are the key privacy considerations?

Using neurotechnology raises potentially serious concerns under the UK GDPR, particularly:

Individuals have no direct control over the information disclosed due to the intrinsic and involuntary nature of neurodata.
Organisations can potentially collect large data sets about an individual and draw detailed inferences from this highly sensitive information.
The insights gained from neurotechnology may be used for profiling and modulating behaviours. This increases the risk of an automated use of personal information, which in turn has a significant impact on individuals’ rights and freedoms.

What sectors will neurotechnology affect?

In the next two to seven years, the ICO anticipates that neurotechnology will have a major impact on the following UK sectors:

Health and medical research
Wellbeing and sports
The workplace
Entertainment and gaming
Marketing
The military
Education

Short-term impacts

The ICO anticipates that neurotechnology will have the greatest short-term impact on the medical sector and professional sports sector.
- Medical and health: An increase of invasive neurotechnologies is highly likely, with technology being used for direct brain stimulation to diagnose, monitor and treat certain medical conditions, such as epilepsy and Parkinson’s disease. Processing this data will constitute a special category of health data, requiring significant protections.
- Professional sports: The use of non-invasive neurotechnologies is likely to increase, enabling the analysis of professional athletes’ responses to stimulus and concentration levels. This could even include the ability to track injuries, recovery and long-term effects.

Medium-term Impacts

Workplace: Employers may use non-invasive neurotechnology to monitor and record employees’ performance. Wearable neurosensors could lead to real-time monitoring of employee brain activity and stress levels, enabling an employer to understand periods of optimised productivity. Employers may also adopt neurotechnology in recruitment to identify individuals that fit a certain pattern of behaviour.
Entertainment and gaming: Rapid development of neurodata-led gaming is likely.

Long-term Impacts

Education: The higher education system may use neurotechnologies to monitor students’ stress or concentration levels. The devices could offer personalised approaches to learning by identifying areas of struggle for individual students.
Neuromarketing: Neuromarketing is well-established, but using neurodata to influence consumer behaviour raises concerns about privacy, consent and potential manipulation. In the future, non-invasive devices capable of reading responses may be used to tailor consumer preferences. The ICO provides the example of headphones that can target advertising and commercials for a variety for goods, similar to cookie-enabled tracking online.

Key Regulatory Difficulties

In addition to the key risks identified above, the ICO also reported on several regulatory difficulties concerning handling personally identifiable neurodata, including:

Regulatory definitions: There is no uniform definition of neurodata as either a form of personal information, or special category data under the GDPR. The ICO noted that the classification of neurodata as special category data under the GDPR will depend on the purpose of processing rather than the type of neurotechnology used.
Neuro-discrimination: Significant risks and challenges come with using neurotechnologies to analyse complex behaviours or emotions – an analysis that could happen without the knowledge of the individual in question. The insights gained from an individual’s thoughts and emotions, and the uncertainty around the ability of neurotechnology to accurately detect emotional cues, raises concerns that new forms of discrimination may arise, particularly when fed into automated systems.
Consent: Organisations must identify a lawful basis for processing personal data under the GDPR. Relying on consent could pose difficulties. Where data is obtained through neurotechnology, ensuring that individuals understand the potential implications and uses of the data can be challenging due to the complexity of the technology and the inferred nature of the data collected. This could lead to concerns about the validity of meaningful and informed consent.
Closed-loop processing: GDPR provisions on profiling and automated decision-making require transparency, the right to human intervention and the ability to contest a decision. Some worry that closed loop processing of neurodata, which involves automated algorithmic processing to assess personal information, will heighten the risk associated with automated processing.
Accuracy and data minimisation: Neurodata can generate vast amounts of data, and organisations will need to ensure they collect and process only necessary and relevant data. The accuracy of neurodata output will need to be carefully considered, specifically those relating to decisions reached at a specific time that cannot be considered accurate later due to the brain’s neuroplasticity (unlike more permanent forms of personal data such as date of birth).
Information rights: Neurotechnologies may present new challenges to people exercising their information law rights, and the ownership and control of data generated by neurotechnology will require clarification. The exercise of rights regarding access, rectification, erasure and data portability may prove difficult. For example, a rectification request may require significant technical knowledge to interpret and may limit who in a business can process the request.

What’s next?

The ICO will work with the public to better understand concerns in this emerging area. The ICO is developing neurodata guidance, which should be published by 2025. Organisations planning to develop or use neurotechnology should begin considering the data privacy impacts which may arise now rather than waiting for further regulatory guidance. Not doing so may put organisations at risk of sanctions and penalties.

Authors

Kelly Hagedorn Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Londra

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

Londra

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Colette Deamer Managing Associate, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Londra

See my bio

D:+44 20 7862 4630
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Colette Deamer Managing Associate

Londra

Colette has experience working on multi-jurisdictional matters and advising clients on the development and implementation of privacy compliance strategies and documentation. She helps clients navigate complex data protection issues and provides practical advice, tailored to the client’s needs. She has also advised on high profile European regulatory investigations.

Colette previously spent nine months on secondment in the EMEA privacy team at one of the largest social media platforms where she advised on complex privacy and data protection issues. She also spent time on secondment with an online fashion retail platform, where she provided strategic privacy advice in relation to the company’s expansion into EU and UK markets.