No to black mirror fantasies: data protection advice for neurotechnologies

Contents

Anyone who fears that companies will use AI chips transplanted into the brain, as in many a Black Mirror episode, to make some people dependent and take control in the future should have nothing to worry about. At least not if the recommendations of the Berlin Group, the International Working Group on Data Protection in Technology (IWGDPT), are anything to go by. It has now published a working paper on data protection in neurotechnologies, which contains recommendations for legislators, supervisory authorities and developers, but also raises questions. It calls for a particularly strict, human rights-based data protection framework for neurotechnologies and brain data.

“Neurotechnologies could soon become relevant for the mass market beyond the medical field. We need to be prepared for this because they raise profound data protection and ethical questions, not least for the mental integrity of people,” says the Federal Commissioner for Data Protection and Information Security (BfDI), Louisa Specht-Riemenschneider, who chairs the Berlin Group.

According to the Berlin Group, new laws should only be passed after thorough examination. The first recommendation is to apply existing data protection and human rights laws more precisely to neurodata and develop them further. Above all, clear definitions of terms such as neurodata, mental identity and integrity, freedom of thought and cognitive freedom are required.

The handling of data that may be generated by neurotechnologies should be strictly regulated. There is a strong focus on transparency, informed consent and the prevention of improper data processing. The Berlin Group's report also takes up the demands of the Neurorights Foundation. According to this, neurorights should ensure that people retain control over their thoughts, identity, and freedom of choice even with the growing use of neurotechnologies and AI – and are protected from unwanted access, manipulation, or discrimination. The use of data for advertising purposes, for example, is therefore not okay.

Consent and human dignity

Consent is often considered a key element, but could be problematic in terms of implementation, as it is possible, for example, that the person giving consent may be impaired in their decision-making capacity. In this context, a high level of transparency and particular caution regarding consent are important. It should also be examined in which areas or sectors the processing of neurodata should be prohibited in principle or regulated particularly strictly – in line with the approach of the EU AI Act, which prohibits particularly manipulative or discriminatory behavior by AI systems. For this reason, medical applications and those that recognize emotions are subject to particularly stringent requirements.

Although the Council of Europe and UNESCO state that explicit consent is always required for the processing of neurodata, according to the Berlin Group, consent is often difficult to obtain as a legal basis for processing and is not always appropriate. Even with consent, processing is inadmissible if it violates human dignity – for example through invasive techniques or profiling. The report therefore raises the question of how “regulators can enable fair and appropriate use of this data across different systems while respecting the wishes of the data subject”.

Power imbalances can also be identified as a risk to genuine, free consent, according to the report. In the case of people with implanted neurotechnologies such as brain-computer interfaces, for example, consent should also be handled with particular care, as it is unclear whether the person concerned can give consent. Age limits for consent should also be reviewed.

Prohibition of discrimination and profiling and co.

Neurodata must not be used for discrimination, stigmatization or unlawful profiling. Children, older people and people with disabilities in particular need special protection when neurotechnologies are used.

According to the report, state access to neurodata should also “only be permitted under strict legal conditions and with judicial oversight, in accordance with the principle of necessity and proportionality and with full respect for human rights and fundamental freedoms”.

Creating transparency

For developers and organizations, the report recommends checking before any processing of neurodata whether it is necessary and proportionate for the intended purpose. Both direct and derived neurodata should be treated as potentially sensitive.

Transparency should also be provided to data subjects, especially in the case of complex, technical processes. Companies should provide clear, understandable information and obtain user feedback. Neurotechnologies may only be used on a voluntary basis and with explicit, informed consent. This must be revocable at any time. The highest security standards, encryption, and access controls are required for the processing of data, which should be regularly reviewed and improved.

International efforts for neurodata protection

According to the Berlin Group report, efforts have been underway for years in Brazil and Spain to explicitly enshrine neurodata in data protection law. In other countries, such as Chile, “neuro rights” already exist. In Colorado and California, laws have been passed that consider neurodata to be particularly worthy of protection. The lack of protection for pseudonymized and aggregated data has been criticized in the past, as has overregulation by companies such as Meta and Google.

The Organization for Economic Cooperation and Development (OECD) recommends international standards for neurotechnologies. At the same time, the EU's AI Regulation already prohibits systems that use manipulative or subconscious techniques to influence people's decision-making behavior in a way that significantly impairs their ability to make informed decisions.

(mack)