Brain implants may be the next challenge for AI and GDPR. Our guest blogger Lahiru Bulathwela, LLM student in innovation and technology at the University of Edinburgh explores why and how.
What do brain implants, GDPR and AI share? Elon Musk recently demonstrated his brain-hacking implant on Gertrude the pig, which has begun to show a growth of interest within mainstream market consumption. Neural implants aren’t a recent development, they have been utilised by researchers and clinicians for several years; successful treatments with neural implants have helped patients who suffer from clinical depression, Parkinson’s and restoring limited movement for paralyzed individuals. The excitement for their development through companies like Neuralink is palpable, the potential for neural implants to treat individuals, and in the future, enhance people is certainly an interesting prospect. However, as with any innovative technology, the excitement of its development often overshadows concerns about its potential. For every person, the brain represents the total sum of your individuality and your identity, as such concerns surrounding neural implants are particularly sensitive.
Many potential obstacles face the development of neural implants, ranging from technological to physiological limitations. This blog will explore issues that relate to data protection as data protection is fundamentally central in our information dominated society, neural implants offer new challenges as the information it utilises is arguably, the most sensitive of data.
How do they work?
In the simplest terms, a neural implant is an invasive or non-invasive device that can interact with an individual’s brain. Certain devices can map an individual’s native neural activity and some devices can stimulate the neurons in a brain to alter functioning. While the technology is advanced, there are limitations to its efficacy, primarily surrounding our knowledge of native neural circuits. Currently, we can map an individual’s brain and record its neural activity but lack the knowledge to interpret that information in a meaningful way that would be expected of a consumer device. While limited at the moment, it is a question of when, rather than if, we will increase our understanding of native neural networks
GDPR and Neural implants
The GDPR is the most recent iteration of data protection regulation in the EU, and it sets a high regulatory standard. The GDPR is the most progressive data protection regulation to date but like other legislative tools, its development and implementation are in reaction to the rapidly evolving use of information in current society. Although the GDPR does not mention ‘neural information’ specifically within the definition of personal data in. Art.4(1), a person may be identified from said information, therefore it is personal data. :
«…’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;»
Factors such as physical, physiological or mental could potentially be attributed to neural information. Any measured neural condition is personal data. Information gathered from a person’s brain is the most sensitive of personal information, especially when you consider if it is even possible to consent to such collection.
When we consent to our information being collected or shared, we have a degree of control of what information is made available. A data controller must justify the lawful collection of that data (Art.6 and Art.9), and ensure that consent is freely given, and not conditional for the provision of service or performance of a contract where the data is not necessary for the performance of that contract (Art.7(4)).
An individual can consent to share personal medical history with an insurer without having to share information on their shopping habits or their relationships. We can’t, however, limit that information within our brain, and neural activity cannot be hidden from a device that records electrical stimulation in the brain. The lack of control on what information our brain shares is a significant issue, despite the fact we are limited in our ability to interpret such information.
Future regulatory measures?
The GDPR is the most progressive regulatory instrument that has been implemented across the world, yet it lacks the necessary depth to deal with the ever-changing landscape of information gathering. The next iteration of data protection regulation requires the necessary foresight to effectively protect individuals from misappropriation of their information. Foresight to understand how overzealous regulation can hamper the progress of innovation, but ineffective regulation could hinder consumer confidence in neural implants.
When Elon Musk discussed his Neuralink implant as a «Fitbit in your skull» he minimised how invasive neural implants would be upon our privacy. While it could be said that individuals are more comfortable sharing their information in public fora through social media etc, there is still a choice of what information you choose to share. The lack of choice surrounding what information you provide through a neural implant necessitates the need for robust regulation; I predict that this regulation should include a requirement to use technology to enforce regulation.
Regulation through technology?
Governance using technology is a potential alternative to standard legislative tools. We have seen technologies such as Blockchain use cryptography to decentralises record keeping ensuring that information held on record is only accessible to verified individuals, and that no one single person or entity can access or control all the information.
More specific to neural implants would be the utilisation of machine learning in protecting an individual’s privacy. Machine learning is already being utilised in clinical environments to assist with brain mapping and it is possible that machine learning in the future will allow us to better understand our native neural networks. The use of machine learning to effectively regulate what information would be shared with a neural implant may seem far-fetched at this moment in time, but I would contest that this is due to a lack of understanding of our brains, rather than an algorithmic limitation. More research is required to understand what precisely can be interpreted from our neural activity, but we have the technological capability to create algorithms that could learn what information should and should not be shared.
Neural implants at present lack the sophistication to create any significant problems to an individual’s privacy, but they offer an opportunity for legislators and technologists to create proactive measures that would effectively protect individuals and build consumer confidence.