What is neural data and what protections exist in the EU?

There’s a need for stronger EU protections against the collection and resale of neural data collected from brain tech devices, experts say. 

Brain tech gear already for sale collects data from your brain to fight anxiety and depression, improve sleep, or monitor focus in students when they’re taking tests. 

In September, California passed amendments to its Consumer Privacy Act that included more protections for neural data, making it one of just four places to do so. 

We take a look at what brain data is being collected, what rights people have, and what the EU is doing in this burgeoning area of data protection. 

What is neural data?

Rafael Yuste, Director of the NeuroTechnology Center (NTC) at Columbia University, describes neurotechnology as anything that records or changes the activity of the nervous system of the brain.

Most of these technologies are seen in hospitals, like the electroencephalogram (EEG) machine that measures electrical activity in the brain, he continued. 

These machines and the data they collect, Yuste continued, fall under medical laws and have strong protections “all over the world”. 

In the EU, medical devices undergo conformity assessments to make sure they meet the legal requirements, according to the European Medicines Agency (EMA).

Devices labelled “high-risk” need to get an additional opinion from expert panels before being issued a European Conformity (CE) mark on it. 

Yuste said consumer devices don’t have the same types of protections, making the data they register available for sale. 

“This data is medical, even though the device may be more consumer electronics … so we think this should be very private information and should be protected,” he said. 

In April, the US-based Neurorights Foundation released a report on the data protection policies of 30 popular wearable neurotech companies.

The report found that the companies can share data with third parties and that the extent to which they can or cannot resell the data was unclear.

The question of what can be done with the data collected is something that regulators and companies are both struggling with, according to Linda Clark, a partner at US law firm Morrison Foerster in the Privacy and Data Security Group. 

“The question is whether or not any of us can really give meaningful or informed consent with this sort of data where we may not fully understand what is being captured,” Clark said. 

ADVERTISEMENT

Companies that are collecting it are still not sure what they could use it for as well, she added. 

‘Our thoughts could be recorded’

In some cases, Yuste said some artificial intelligence (AI) systems could use that neural data to read our thoughts. 

Last December, a research team from the University of Technology in Sydney, Australia developed what they call a “portable, non-invasive system that can decode silent thoughts,” to turn them into text. 

Participants in the study wore an EEG that recorded their thoughts while they silently read passages of text.

ADVERTISEMENT

The team’s AI, called DeWave, translates the EEG signals into words and sentences from the data collected. 

Yuste calls this study the beginning of what could be “a systematic use of neurotechnology to decode language with great applications … for the consumer market”. 

“The brain is not just another organ of the body, but it’s the organ that generates all of our mental and cognitive activity,” Yuste said.

“Our thoughts, our memories, our emotions, our imagination … could be recorded,” he said. 

ADVERTISEMENT

What protections exist in the EU for neural data?

The EU’s General Data Protection Regulation (GDPR) has existing protections for consumer data such as the right to access information that’s being held about you or the right to correct your personal data, according to Bojana Bellamy, president of the global information thinktank the Centre for Information Policy Leadership. 

Bellamy believes lawmakers should use the legislation already in place, either the GDPR or recommendations from bodies like the Organisation for Economic Co-operation and Development (OECD) to deal with the data these new consumer neurotechnologies collect. 

“We have too many laws potentially,” Bellamy said. “When you put it all together, there is a quite interesting patchwork of laws that would apply to this in a very … comprehensive way,” she said. 

A July study from a panel of experts at the European Parliament says neuro data could be added explicitly to an article of the GDPR. 

ADVERTISEMENT

It also states that there needs to be more work to minimise the risks of neurotechnologies that collect this data going forward, especially when “boosted by the transformative and transgressive power of AI”. 

Experts suggested that the EU put in place a series of measured responses, like studying how the harvested data could be used with AI, teaching people about the risks and benefits of neurotechnologies, and creating an EU data space to store the data collected.