Neurodata: privacy and protection of personal data (II)
Brain-computer interfaces make it possible to record the activity generated by the brain. This activity depends on factors internal and external to the individual, which act on a certain genetic basis. These technologies allow the collection of neurodata which, as they are associated with identified or identifiable individuals, are personal data. These technologies could allow profiling, could infer new personal data and modify behavior, and could themselves be biometric identification and authentication mechanisms.
Neurotechnology and Brain-Computer Interfaces (BCIs) make it possible to measure and record brain activity. Brain waves recorded by a BCI, once processed and decoded, are translated into physiological data. This activity depends on various factors internal to the individual (age, sex, psycho-affective state, pathologies, ...) and external (environmental, activities, stimuli, ...), which act according to a certain genetic basis.
These technologies enable the collection of neurological data, or neurodata, which, as they are associated with identified or identifiable individuals, are personal data. With advanced analysis and the use of Artificial Intelligence, they could infer and reveal information associated with thoughts, feelings, or states of health, as well as profile the individual.
Scientific reports show that many characteristics of the human brain depend on genetic, non-genetic biological, and environmental factors, which enable identification through brain anatomy (brain fingerprinting) and could themselves act as biometric identification and authentication mechanisms.
In short, brain data is unique and personal, can reveal information that is not known to the individual or that could even be beyond his or her control, can be used for predictive purposes, and opens new possibilities in representations of the individual through data. Aspects related to the person's behavior, personality, feelings and thoughts can be collected in real time. They have the potential not only to diagnose, but also to predict predispositions to disease, as well as behavior and personality characteristics.
Genetic data, which is considered special category data by the GDPR, and brain data or neurodata share characteristics and qualities. The brain is a unique identifier, like a fingerprint or a genome. Both offer the possibility to predict or infer other information and can reveal clues about the individual's past and future. Both also expose unique and personal aspects, which are not observable or known to the individual.
The electrical activity generated by the brain varies depending on various factors acting on a certain genetic basis. Genetic profiles may reflect the causes of neurological or psychiatric (in some cases hereditary) diseases and disorders. For example, in most people the left hemisphere of the brain tends to be dominant in the area of language, so genetic variants affecting brain development and asymmetry may affect people's language performance.
Like the genome, brain information is also predictive of people's behavior, and is subject to subjective interpretation, leaving room for bias, error and inaccuracy, with greater privacy implications and associated risks. But unlike genomic information, neurotechnology allows a two-way path: not only can information be collected in real time, but through the same interface neurological stimuli can be generated with the purpose of altering brain activity and modifying a person's behavior, both in the short and long term.
In this way, this technology has the potential to affect not only our privacy, but also the fundamental rights linked to it, such as freedom of thought, freedom of expression, bodily integrity, personality, personal dignity, non-discrimination, fairness and justice.
The GDPR adopts a broad concept in the definition of personal data, and in this framework neurodata are personal data. Generally speaking, in some cases they could be considered sensitive or very personal data (WP248 guidelines), since they are data that correspond to the most intimate sphere of the person. To the extent that the processing of such data could involve information oriented to biometric identification, political opinions, sexual orientation and health data, among others, the processing of neurodata would then qualify as processing of special categories of personal data. In the latter case, in order for the data to be processed, it would be necessary to lift the prohibition established in Article 9 of the GDPR under one of the exceptions provided for in that article (for example, explicit consent), and there must also be a legal basis that legitimizes the processing, according to Article 6 of the GDPR.
More information related to this topic can be found on the Innovation and Technology website at:
- Neurodata and neurotechnology: privacy and protection of personal data
- IoT (II): from the internet of things to the internet of bodies
- Metaverse and Privacy
- Use of biometric data: Assessment from a data protection perspective
- A Guide to Privacy by Design
- WP248 Guidelines on Data Protection Impact Assessment (DPIA) and for determining whether processing is likely to result in a high risk for GDPR purposes
- GDPR compliance of processings that embed Artificial Intelligence. An introduction
- Risk Management and Impact Assessment in the Processing of Personal Data