Morrison Foerster is an international law firm with lawyers practicing throughout the United States, Asia, and Europe. Click to discover more.

mofo_share_image.jpg

Morrison Foerster

common-default.jpeg

Terms / Notices

Cookies

Privacy Policy

Reporting Hotline

Attorney Advertising

Alumni

  Linkedin

MoFo LinkedIN

  Facebook

MoFo Facebook

YouTube

MoFo Youtube

Morrison Foerster - Footer

It’s All in Your Head? Not Anymore: EU Data Protection Authorities Report on Applying Data Protection Law to Consumer Neurotechnologies that Process Brain Data

You have not solved the recaptcha challenge yet or session expired, try again.

Email Disclaimer

Disclaimer

Unsolicited e-mails and information sent to Morrison Foerster will not be considered confidential, may be disclosed to others pursuant to our <a href="https://www.mofo.com/about/privacy-policy.html">Privacy Policy</a>, may not receive a response, and do not create an attorney-client relationship with Morrison Foerster. If you are not already a client of Morrison Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

Feedback

mofo-logo-2022.svg

People

Capabilities

Resources

About

Culture

Offices

Careers

Stay Connected

Data Protection Authorities in Europe have begun to turn their focus to consumer devices that collect and process neural data, as neurotechnologies continue to rapidly advance.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

About Morrison Foerster

people-default-header-desktop.jpg

people-default-header-mobile.jpg

Default Meta Data

Data Protection Authorities in Europe have begun to turn their focus to consumer devices that collect and process neural data, as neurotechnologies continue to rapidly advance. Consumer products are already on the market that use headbands or helmets to detect information from the brain and use it to infer information about a person, such as whether they are interested in something, paying attention, or drowsy. These devices are also used in consumer wellness products, such as items to help people meditate or relax. Technologies are also being developed to enable a person to control a device, such as a computer, with their minds. Neurotechnologies like these can be used in the medical, entertainment, marketing, wellness, safety, employee monitoring, and education industries, and many others.The Spanish supervisory authority (AEPD) and the European Data Protection Supervisor (EDPS) recently released a joint report titled “<a href="https://www.edps.europa.eu/system/files/2024-06/techdispatch_neurodata_en.pdf" target="_blank">TechDispatch on Neurodata</a>” detailing neurotechnologies and the data protection challenges associated with processing neural data (the “Report”).The Report follows recent increased attention to neural data in South America, Europe, and the United States. In 2021, Chile <a href="https://neurorightsfoundation.org/chile" target="_blank">amended its constitution</a> to protect neurorights. Last year, the UK Information Commissioner’s Office (ICO) published “<a href="https://ico.org.uk/media/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/technology-and-innovation/ico-tech-futures-neurotechnology-0-1.pdf" target="_blank">ICO Tech Futures: Neurotechnology</a>,” a report that delved into the field of neurotechnology and its implications for data protection and privacy. This year in the United States, Colorado became the first state to expressly cover neural data in its comprehensive privacy law, and similar laws have been under consideration in California and Minnesota. (Read our recent <a href="/resources/insights/240514-protecting-the-mind" target="_self">MoFo Minute</a> about neural privacy).The Report highlights the approach European regulators might take to address the unique challenges posed by neural data under EU data protection law. These challenges stem from the sensitive nature of neural data, its potential to reveal unexpected intimate personal details, and the complex technical processes involved in its collection and analysis, all of which are being amplified by the power of artificial intelligence to infer information from neural data. The Report touches on many of the same issues that the ICO’s report addressed in more depth one year earlier. Below we highlight the key takeaways from the Report.<h4>Key Insights</h4><ul><li>Neural data is, at least in some cases, personal data. In some use cases, users of neurotechnologies identify themselves, so that data collected from them is associated with them. Even where that is not the case, the Report references research studies and other authorities for support that neural data can be used to uniquely identify an individual somewhat like a fingerprint. The Report assumes for its analysis that neural data is personal data.</li><li>Neural data is, at least in some cases, a “special category of data.” The Report notes that neural data often constitutes biometric data that can be used to uniquely identify a natural person, or data concerning health, both of which are “special categories of data” under the EU GDPR. The Report adds that neural data may provide “deep insights into people’s brain activity and reveal the most intimate personal thoughts and feelings, including those that do not translate into actions and consequently cannot be measured or inferred by data collected through other technologies.” Neural data that qualifies as a special category of data is subject to heighted requirements under the GDPR.</li><li>Proportionality and data minimization are especially important due to the intrusiveness of neural data. Because the brain is active 24/7 and is involved in many types of functioning, and because there is a massive amount of data that can be collected from the brain, and then additional data inferred from that data, neurotechnologies are “very intrusive, if not the most intrusive processing, encroaching upon the very mental privacy and possibly mental integrity of the person concerned.” Because of this, the Report advises that businesses considering processing neural data should analyze if the purpose sought justifies the sensitive and invasive nature of the processing.</li><ul><li>The Report notes that the European Data Protection Supervisor considers that “brain fingerprinting,” which is the detection of the existence of specific information from the brain, should only occur for healthcare purposes, and should be accompanied by all data protection conditions and safeguards.</li></ul><li>Neural data may be subject to accuracy limitations. The principal of accuracy under the GDPR requires that personal data must be kept up to date and reasonable steps must be taken to ensure that personal data that is inaccurate is rectified or deleted. However, because the brain changes over time (“brain plasticity”), and because of the possibility of errors when collecting neural data or false inferences made from neural data, the accuracy of neural data and the inferences drawn from it may be impacted. The EDPS and AEPD recommend that companies keep in mind the intrinsic accuracy limitations of neural data processing to prevent misuse.</li><li>Transparency may be difficult to achieve due to the nature of neural data and how it is collected. Under the GDPR, data controllers are required to disclose how neural data is processed and the potential implications to data subjects. Due to the intrinsic and involuntary nature of neural data, neural data may reveal more about a person than data subjects expect. Even after reading a privacy notice, they may not fully understand the potential implications of neural data processing. The Report warns that companies should consider this challenge, especially when it comes to minors, for example, in the education and entertainment sectors.</li><li>Neural data technologies must be assessed for fairness. The principle of fairness under the GDPR requires that companies handle personal data in ways that people would reasonably expect and not process personal data in ways that would have unjustified adverse effects on individuals. The Report notes the risk of discrimination in the development and use of neurotechnologies that could lead to biased or unfair outcomes. This risk can be exacerbated when AI is involved in the processing of neural data. Neurotechnologies must be carefully assessed and managed to reduce the risk of discrimination, especially in the education and healthcare sectors.</li></ul>The processing of neural data presents both opportunities and significant data protection challenges that require careful consideration. Businesses in the neurotechnology sector should closely monitor these regulatory updates and conduct thorough assessments when considering development of neurotechnologies or processing of neural data to ensure compliance with data protection laws.

It’s All in Your Head? Not Anymore: EU Data Protection Authorities Report on Applying Data Protection Law to Consumer Neurotechnologies that Process Brain Data

Sign Up

<div class="videoWrapper"><iframe title="Meet Alex van der Wolk, Privacy and Data Security Partner" src="https://www.youtube-nocookie.com/embed/DP4avINgkB8?rel=0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen="1" class="sticky-video" title="iframe"></iframe></div>Alex van der Wolk, co-chair of Morrison Foerster’s preeminent Global Privacy & Data Security practice and managing partner of the firm’s Brussels office, employs his nearly 20 years of experience to advise global companies on their most complex data strategies and compliance programs governing all aspects of information management. Alex’s clients benefit from his practical approach and global perspective, saying: “he quickly gets to the heart of the issue and provides solid, pragmatic advice based on the experience he has gained,” “in addition to having very strong legal knowledge, he has a commercial understanding and provides great insight in global matters,” and  “Alex is a true privacy expert with the ability to offer practical guidance on complex problems” (Chambers EU).Alex helps clients develop privacy and data strategies at the forefront of their digital and data-driven endeavors, especially those involving new technologies, such as artificial intelligence and the metaverse. He has particular experience assisting clients with structuring their approach to data in specialized areas, such as health-tech, Agtech, and Adtech. Alex is an experienced litigator, representing clients in privacy litigation in Europe, including successfully representing clients in the first class action cases in the Netherlands and the UK. Additionally, Alex is often called upon to head crisis management teams for clients facing investigations by data protection authorities or responding to cybersecurity incidents. He counsels clients on their incident and cyber preparedness and has done significant work advising clients on EU cyber and data regulatory frameworks, such as NIS2, DORA, the Cyber Resilience Act, and the EU Data Act.Notably, Alex was one of the first practitioners in Europe to help companies set up Binding Corporate Rules (BCRs), and since that time has used this deep knowledge to develop a longstanding and unparalleled track record in obtaining regulatory approval for BCRs, both in the EU and in the UK.Alex is a frequent speaker at high-profile international conferences, including IAPP and South by Southwest (SXSW), and is a guest lecturer at the Tilburg Institute for Law, Technology, and Society. He is a Dutch-qualified lawyer and a member of the Amsterdam and Brussels Bars. He speaks fluent English and Dutch.

Alex van der Wolk

Managing Partner, Brussels

Carson Martinez is an associate in the Litigation Department of Morrison Foerster’s Boston office.Carson’s practice focuses on privacy and data security and consumer protection matters, with particular experience in compliance.Before joining Morrison Foerster, Carson was a summer associate at MoFo. Prior to her legal career, she advised cross-sector clients on policy matters pertaining to consumer health data privacy for a think tank. Additionally, Carson conducted compliance readiness assessments for the General Data Protection Regulation, California Consumer Privacy Act, and other privacy laws during her time at a major consulting firm.Carson received her J.D., cum laude, from the Boston University School of Law, where she served as editor of the Journal of Science and Technology Law. Carson received her B.S. in neuroscience from New York University and M.A. in bioethics and science policy from Duke University. During her time at NYU and Duke, she researched and worked on the policy and societal implications of emerging neuroscience and neurotechnologies at a think tank focused on neuroethics.

Carson Martinez

Associate

Privacy + Data Security