Blog: Considering Brain Data Privacy II—Data Sharing Restrictions

Emily Einhorn
April 24, 2020

A day may come when average citizens can widely access and regularly use neurotechnology. In our previous blog on brain data, we discussed the types of neurotechnologies that could enable this widespread adoption. In the event of this reality, the opportunity for brain data collection is enormous. Noninvasive and non-medical neurotechnologies have no regulatory parameters limiting direct-to-consumer access, opening an uncapped pool of data for companies and researchers to accumulate. But a vital question remains: what are the limits on how this brain data can be used and shared? For one, where you are in the world will determine what data governance laws have jurisdiction. The context of the brain data collection and the degree to which it is tied to an individual’s identity will also determine how data can be used and shared.

Currently, the only country to have proposed legislation that outlines privacy protocols specific to brain data is the country of Chile. Chilean Senator Guido Girardi has drafted a bill with Senate lawyers that expressly forbids commercial sharing of brain data. This legislation is set to go before congress in the coming months. In other parts of the world where there are no specific provisions in place for the handling of brain data, the sharing of data collected from the brain is often regulated by that jurisdiction’s general and health data sharing laws. 

Health Insurance Portability and Accountability Act

In the U.S., the primary parameter that is applicable to brain data sharing is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a law that governs how personalized medical and health information is shared among institutions and individuals. Brain data is categorized as HIPAA-protected health information if it is individually identifiable and was collected in a healthcare context. Under HIPAA, when health data is personally identifiable there are many restrictions on how that information can be shared with outside entities. Selling HIPAA-protected health data for the purpose of business is against the law. This prevents, for example, a hospital struggling with its cash flows from selling the identifiable brain data of patients with schizophrenia to a pharmaceutical company. Health data is also protected under the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009 to specifically regulate the sharing of HIPAA-protected digital health records. This Act increased the enforceability and penalty capacity of existing HIPAA privacy rules.


However, health data can be altered so that it is no longer protected by HIPAA regulations. If health data is scrubbed of all personal identification factors such as name, birthday, or cell phone number, HIPAA data restrictions on sharing and processing no longer apply. Anonymized health data can be bought and sold freely, providing commercial and research entities with insight into universal population trends. Though this usually will not infringe on the personal privacy of any one individual within the data, the information can be used for population-wide health research. In the for-profit sector, it could be used by companies to optimize things like advertising and product development.

It is worth noting that anonymization is not an air-tight personal privacy protection method. While health information must be anonymized before being sold or shared, de-identified data has the possibility of becoming re-identified. When anonymized health data is cross referenced with additional data, such as public records or whatever records that entity has access to, the combined information could re-identify previously anonymized health data. Loopholes such as these detract from health information personal privacy measures and could be particularly problematic where brain data is concerned. 

Non-medical U.S. Data Privacy Laws

HIPAA regulations only apply to brain data that is collected within healthcare contexts. However, neurotechnology is being increasingly applied outside of clinical or medical research settings. When neurotechnologies are sold directly to consumers for non-medical purposes, the data that these devices collect are treated legally like data from any other electronic device. As neurotechnologies increasingly take on non-medical roles, the brain data arising from them will be no more protected from commerce than the data denoting our everyday interactions online.

There is no federal legislation existing in the U.S. for general data protection, let alone specific provisions for brain data. While there have been efforts made in Congress to install federal data restrictions, including a Senate hearing in December 2019 for a legislative proposal to protect consumer data privacy, so far the only successful initiatives have been carried out at the state level. California’s Consumer Privacy Act was signed into law in 2018 and began enforcement in 2020. This law implements privacy protection for personal data collected by medium to large businesses or any business that relies heavily on data commerce for its revenue. Other states including Massachusetts, New York, Hawaii, Maryland and North Dakota have pending data privacy legislative proposals. General laws like this might not be sufficient to protect the unique privacy vulnerabilities of brain data in the future, but they can help serve as a first line of defense for mental privacy protection.

Data Privacy Laws Around the World

Outside of the United States, the European Union has led one of the most comprehensive centralized data protection programs. The General Data Protection Regulation Act was written in 2016 and went into effect in 2018. All member states must adhere to these laws, which seek to give individuals control over their personal data and set rules around how personal data is processed. The law further distinguishes sensitive data as containing highly personal information on racial or ethnic identity, sexual orientation, political affiliation and biometric data, which brain data falls within. Sensitive data has further restrictions for processing and consent requirements.    

At the international level, there are many initiatives surrounding data protection, but none have been adopted that specifically concern brain data. Furthermore, most international policy documents only become legally enforceable when nations choose to adopt them into their own country’s laws. Nonetheless, international declarations and other international policy mechanisms can be useful tools. Restrictions on the processing of genetic data, which are similar to brain data in that they hold ultra-sensitive biometric information, have progressed over the past decades. Included within those efforts has been the International Declaration on Human Genetic Data, which was adopted by the United Nations Educational, Scientific and Cultural Organization (UNESCO) in 2003 to set standards on how genetic data is handled. International efforts like this can encourage other countries to sign similar provisions into enforceable law. Early efforts are now underway with UNESCO to set a similar international intention regarding the processing of brain data.

For so much of our history the brain has remained mysterious. Consequently, our ability to interpret brain data has only recently begun its rapid advancement. Privacy issues around personal data, health data, and genomic data have existed for relatively longer than brain data privacy concerns. Progressing data sharing protocols within these comparatively mature fields is necessary for overall privacy and will ultimately help inform policy on brain data handling. At the very least, general and health data protection can provide a minimum privacy standard for brain data use in the short run. This may do for the time being, as wireless and noninvasive neurotechnologies still only allow very rough recordings, providing low-level information about focus, stress, or existing neurological conditions. However, neurotechnology’s capability to decipher more sophisticated insights from neurological signals is likely to grow in the coming years. At such a point, brain data may require its own specific legal protection. Given the delicacy of brain data privacy and the lengthy amounts of time that go into policy-making, now is the time to begin considering what such protection may look like.