The neurotechnology and data privacy interface
28 September 2023
In 2016, Elon Musk entered the world of neurotechnology when he launched Neuralink Corporation with a team of scientists and engineers. The California-based company aims to develop implantable brain-computer interfaces (BCIs) to connect a computer directly with the human brain.
“The idea is, through painless surgery, to implant very thin wires about five microns in diameter into the cerebral cortex to obtain and send information,” explained Sudeep Chatterjee, a partner at Singh & Singh in New Delhi. The objective is cognitive enhancement.
That same year, American entrepreneur Bryan Johnson founded Kernel and developed a prototype of a non-invasive brain interface based on near-infrared spectroscopy with a team of neuroscientists, engineers and physicists. According to the company’s website, Kernel has built “unparalleled technology for non-invasively measuring the brain with the goal of making precision neuroscience the standard.”
Neurotechnology, or neurotech, has been around for almost half a century. It is a technology for analyzing human brain activity, recording signals emanating from the organ and manipulating brain or nervous system functions, done via invasive and non-invasive means. For invasive neurotechnology, implants may be placed within the brain, on the dura, under the scalp or through the blood vessels, etc. Meanwhile, non-invasive methods use wearables or tools that may be worn, such as headbands, watches and helmets.
Neurotech is already widely used in the medical world, where experts have been tapping the technology for treating mental, neurological, sensory and movement-related disorders. It scored its first breakthrough with the emergence of brain imaging technology using magnetic resonance imaging (MRI) scans.
Beyond its medical applications, neurotech also has the potential for practical applications in other areas. These include education, sports, national security and consumer devices.
Implications on data privacy and protection
Neurotechnology may sound like rocket science, but it doesn’t take a genius to realize it has implications for data privacy and protection. Neuroscience data produced by neurotech applications can be personally identifiable, according to Manh Hung Tran, managing lawyer at Baker McKenzie in Hanoi.
“For instance, a brain MRI image demonstrates the brain’s unique structure that can single out whom the data pertains to,” he explained. “Analysis of neuroscience data can also uncover one’s health condition or predict the risk of future diseases. Studies have also shown that neurotech can decode mental contents in the brain and predict future behaviors such as criminal propensity.”
He added: “To this extent, neurotech poses challenges not only to personal data protection but also to mental integrity and freedom of thought at large.”
In addition, the collection, use and disclosure of data acquired from neurotech is subject to similar risks and vulnerabilities as other types of data. These include data reuse, the risk of re-identification of data and hacking.
On top of these, neuro data is subject to the risk of disclosing more information than needed, as neuro data doesn’t just pertain to names, addresses and other basic information, which typify other data sets. Neurotechnology can also make the processing of involuntary brain activity possible.
According to Andy Leck, principal and head of IP and technology at Baker McKenzie Wong & Leow in Singapore, neuro data has two main characteristics that set it apart from other data types. One of these characteristics is its volatile nature.
“Neuro data does change based on the age of an individual, the environment the individual is in, and even the mood of the individual at that juncture as compared with the other types of data sets that typically remain constant and consistent for a period of time,” he said.
The second characteristic is its unique depth and form of insight into an individual.
“As to what we mean by ‘unique depth and form of insight into an individual,’ our understanding is that studying brain activity can reveal a significant amount of information about an individual that would otherwise not be accessible, such as their personality, cognitive abilities and state of health,” explained Leck, adding that such information may be more than what is necessary for collecting the data.
Citing the various types of wearables in the market that analyze neuro data, he said the purpose for analyzing such data also varies. For example, Dreem offers wearables for sleep monitoring to enhance deep sleep quality while BrainCo offers wearables to provide instant feedback about one’s mindset.
“Even if the data collected is only used to analyze a particular trend such as sleep, the same collected set of data may arguably reveal other types of trends as well if the technology or algorithm used to analyze the data changes,” he said. “The risk profile when collecting, using and disclosing neuro data increases from a data privacy and protection perspective due to these two main characteristics.”
According to Chatterjee, each technique of neurotechnology will have implications and potential to pose significant risks to data privacy and protection. BCIs could potentially capture sensitive information about a person’s thoughts, emotions and intentions, which could be misused and exploited.
“For example, data consisting of human memories that are captured may eventually be admissible in court as neuro-evidence,” he said.
There is also the risk of neurotechnological devices remotely accessing neural data directly and storing such information without reference to or consent of the data source.
“This leads to concerns regarding the downstream and other uses of such data, especially as it may be possible to modify or interfere with neural data,” said Stanley Lai, partner and head of IP practice at Allen & Gledhill in Singapore.
Lai added: “For example, the Bioethics Advisory Committee in Singapore has expressed concerns that brain intervention may lead to physical disabilities or changes in cognition, emotion and even personality. The committee has also expressed that research into neurodegenerative diseases also comes with its attendant risks, including the practical difficulty of obtaining informed consent for using neural data from research participants who may be suffering from neurological or psychiatric disorders.”
According to Tran, the jurisdiction’s data privacy and protection laws are broad enough to cover neurotechnology. Neurotech will be brought under the Vietnamese administration when it collects and processes personal data.
“Future legislation will also define certain types of personal data, including data on unique physical and biological characteristics. As sensitive data subject them to a higher protection threshold to the extent that neurotechnology poses a threat to one’s private life and secrets, the laws on personal privacy are in place to regulate,” he explained.
However, in the past few years, Tran said that concerns on privacy intrusion in connection with neurotechnology have only been sporadically elaborated on in Vietnam.
Meanwhile, neurotech in India is still a bit foreign, said Chatterjee.
“There is no specific law or regulation in India that governs the use of neurotechnology,” he revealed. “However, there are certain existing law and regulations that can be interpreted to include the governance of neurotechnology.”
One of these is the Right to Privacy verdict, a landmark decision of the Supreme Court of India in Justice K.S. Puttaswamy & Anr. v. Union of India & Ors. In this context, Chatterjee said two aspects of the right to privacy become important: informational privacy and informational self-determination.
He explained: “Informational privacy is concerned with an individual’s mind and body. According to Puttaswamy, the mind is an inseparable component of an individual’s personality, and the sanctity of the mind is the very foundation of one’s right to privacy. Therefore, the right to informational privacy exists to promote individual autonomy by protecting one’s mind from the dissemination of personal information. As a result, any technology that interferes with one’s thoughts violates these liberties.”
In addition, the Information Technology Rules, 2011, and the proposed Digital Personal Data Protection Bill, 2022, by the Ministry of Electronics and Information Technology provide the said personal information, including biometric data, health information, genetic data and other sensitive information. Organizations are also required to obtain consent from individuals before collecting, processing and storing their personal information.
“We will need a proper and separate framework and laws to regulate the usage of the emerging technology of neurotechnology,” said Chatterjee. “But until then, the present laws could be interpreted in a way that may be able to protect data that could be collected from neurotechnology.”
However, a problem remains. Chatterjee explained that although the Digital Personal Data Protection Bill, 2022, defines personal data, it is uncertain if neural data can be included in its scope.
The concept of neurotechnology still remains largely foreign in the country, but activities in certain areas of neurotech are perceived to be seen in India soon. These are BCIs – neuroimaging used to study the brain, check its health and diagnose diseases; and neuromodulation, which focuses on nerve activity. Research initiatives on transcranial magnetic stimulation and transcranial direct current stimulation, two neuromodulation techniques, are currently being undertaken as potential treatments for certain neurological disorders.
In Singapore, neurotech is still a growing and expanding field, but there is a lot of interest in it. Universities, pharmaceutical companies and healthcare institutions are actively interested in harnessing neurotech for medical or clinical use, according to Lai. SingHealth, for example, reported in 2017 that neurotechnological treatments such as deep brain stimulation treat neurodegenerative diseases such as Parkinson’s disease and dementia.
Additionally, the National Neuroscience Institute and the Singapore Institute for Neurotechnology websites indicate that these institutions research nascent technologies such as brain stimulation, BCIs, neuroimaging, stem cell therapy and neuro-pharmaceuticals.
As for laws, the Singapore Personal Data Protection Act (PDPA) could potentially regulate neurotechnology from the perspective of data privacy and protection.
However, Leck said there is a lack of clarity onhow the definitions and concepts in the PDPA would apply to neuro data and how organizations will use reasonable efforts to ensure that neuro data collected is accurate and complete. This obligation is premised on the basis that a data set stays constant and consistent for some time.
While neuro data does change, neuro data collected at a particular juncture will almost always be accurate and complete. However, if the neuro data collected stems from a false memory or a lie, it is unclear if this compromises the accuracy of the collected neuro data.
It also remains unclear how organizations will deal with “correction requests” related to neuro data and the “reasonable grounds” for an organization to reject a correction request.
“It is unclear because neuro data collected at a particular juncture will almost always be accurate and complete, albeit some neuro data collected may stem from a false memory or a lie,” explained Leck.
A gray area also arises to the question of when neuro data is considered “anonymized” to fall outside the scope of the PDPA as compared with other datasets, which are more clear-cut.
Leck noted: “While the link to an identifiable individual can be removed, like redacting or deleting the individual’s name from the file, and may not be considered personal data, the nature of the data in itself is still unique in representing a specific individual.”
Another question is whether neural data constitutes personal data and, if so, to what extent.
“The PDPA requires organizations to notify and obtain consent for collecting, using and disclosing personal data, which must be for reasonable purposes,” said Lai. “The PDPA defines personal data as data, whether true or not, about an individual who can be identified from that data on its own or together with other information to which the organization is likely to have access.”
He added: “Within the construct of the PDPA, there may be practical difficulties associated with collecting neural data only for specific reasonable purposes, as neurotechnology may not be sophisticated to collect only specific purpose-limited categories of neural data. The consent regime may also have to be refined to clear obligations under the PDPA.”
According to Lai, the risks of unauthorized collection, future uses, collections and disclosure of neural data are likely to become increasingly prevalent because neurotechnology is rapidly developing and is gaining more awareness. Thus, he believes existing legislation may have to be further reviewed to ensure adequate safeguards are in place.
If this is not undertaken, organizations, data processors and data collectors may be “tempted into obtaining broad-ranging consents from data subjects to manage compliance risk under data protection laws.”
“Further clarity on how the definitions and concepts used in the PDPA would apply to neuro data – by way of the Personal Data Protection Commission’s advisory guidelines similar to the Guide on the Responsible Use of Biometric Data in Security Applications – would be appreciated,” added Leck. “Neural data specific laws and regulations may have to be further enacted to address express or implied obligations in this field of endeavour.”
Neurotech and the future
Neurotechnology broke new ground in medicine with the emergence of brain imaging using MRI scans. Brain imaging using MRI scans brought significant advancements to medicine through neurotechnology.
A more recent groundbreaking development took place in July 2022 when Synchron, a leading New York-based implantable brain-computer interface company, implanted its flagship innovation called the Stentrode in a human patient for the first time at Mount Sinai West hospital.
The Stentrode is an endovascular brain implant developed for severe paralysis patients. The technology allows the patients to control and use their gadgets for texting, emailing, online shopping and more in a wireless environment, using only their thoughts. It does not need open-brain surgery like other BCIs. Instead, an approximate two-hour minimally invasive surgery is all it would take for the implantation.
It was the first clinical trial in the U.S. for the brain implant.
Meanwhile, Neuralink conducted trials on animals. In April 2021, the company released a clip showing a monkey with a brain implant playing the Pong video game.
“Companies are already thinking about ways to use our brain data to market ads to us. For instance, Facebook has already invested in this neurotechnology,” said Chatterjee.
Developments are also happening as far as legislating neurotechnology is concerned.
In Chile, these positive developments started in 2021 when the Senate approved a bill seeking to include “neuro rights” in the constitution. That same year, Chile’s Chamber of Deputies approved the amendment to the country’s constitution. Once the president signs the bill into law, Chile will become the first country to have neuro rights as part of its constitution.
Chile is also mulling a constitutional reform to amend Article 19 of the Magna Carta to protect the brain from neurotechnology.
Somewhere in the interface between neurotech, data privacy and protection, there is a huge disconnect. As with other modern technologies, neurotech is rapidly making huge strides, but laws and regulations on neuro rights and data privacy haven’t caught up with this remarkable progress.
However, Chile seems to lead the way in this regard. Other jurisdictions should well follow suit.
- Espie Angelica A. de Leon