Mind matters: Colorado amends privacy laws to protect neural data

6 minute read  21.05.2024 Siobhan Beckett; Kate Dimes Letters; Sonja Read

The Colorado Privacy Act has recently been amended to protect "neural data". We explore the key changes and whether Australia's Privacy Laws are keeping pace.


Key takeouts


  • Neurotechnology is no longer limited to research and medical spaces. We are already seeing more products capable of detecting, monitoring, and analysing brain activity.
  • Under the Colorado Privacy Act, biological and neural data has been defined as sensitive and cannot be used without the individual's consent.
  • This article examines the current state of play internationally and in Australia.

On 17 April 2024, the Colorado House and Senate passed a Bill (No. 24-1058) to protect the privacy of individuals' biological data and neural data (the Bill). The Bill makes amendments to the Colorado Privacy Act by expanding the definition of "sensitive data" to include "biological data" and "neural data". The expansion to the definition of "sensitive data" takes steps to ensure that an individual's neural activity remains truly private. Colorado is the first U.S. state to address neural data under its privacy law. Meanwhile, a legislative amendment has already been implemented in Chile to address similar concerns, and other U.S. states are beginning to follow suit.

Neurotechnology and privacy risks

Neurotechnology is defined in the Bill as a type of technology which records, interprets or alters a user's individual central or peripheral nervous system. The data that can be collected about the human brain and nervous system by this technology is highly sensitive and can reveal intimate information about the individual from whom it is collected, including information about their health, mental state, emotions and cognitive functioning. The collection of "neural data" is always involuntary in the sense that the person cannot be fully informed of and understand the content of the information they are sharing and how it might be used in the future.

Neurotechnology is no longer limited to research and medical spaces. Companies such as Neuralink, owned by Elon Musk, have developed brain-computer interfaces (BCI). In January 2024, Neuralink implanted the BCI product into a person for the first time. We are likely to soon see other products capable of detecting, monitoring, and analysing brain activity. For example, Apple was recently granted a patent that appears to describe AirPods capable of monitoring brain activity.

Overview of the Colorado Privacy Act amendments

The Bill attempts to protect biological and neural data by expanding the definition of "sensitive data" to include:

  • Biological data, defined as: data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes; and
  • Neural data, defined as: information generated by the measurement of the activity of an individual's central or peripheral nervous systems and that can be processed by or with the assistance of a device.

The expanded definition means that in addition to fingerprints and facial recognition, neural data is now also a piece of protected biometric data. Under the Colorado Privacy Act, sensitive information (which now includes biological and neural data) cannot be used without the individual's consent.

Comparing US and Australian approaches to data privacy

Despite these amendments to the Colorado Privacy Act, most of the U.S. does not protect neural or biological data. A federal Privacy Act 1974 in the U.S. applies only to federal agencies, not private sector entities. Only fifteen American States have their own privacy laws, including Colorado. Lack of comprehensive, national privacy laws means that private American companies that are collecting an individual's private data can use, sell or share this data without notifying the consumer.

The federal Health Insurance Portability and Accountability Act 1966 (HIPAA) regulates data collected by medical neural devices. Under HIPAA, patient data cannot be disclosed without the patient's consent or knowledge. However, this doesn't protect brain data collected by private and commercial (non-health) organisations.

However, other States within the U.S. have begun to consider the regulation of neural data. Minnesota and California are pushing for amendments to their privacy laws.

Central and South America leading the way in neural data privacy

Internationally, Chile was the first country to legislatively protect neural data, when it amended its Constitution to protect "mental integrity", stating: "Scientific and technological development shall be at the service of the people and shall be carried out with respect for life and physical and mental integrity. The law shall regulate the requirements, conditions and restrictions for its use in persons, and shall especially safeguard brain activity, as well as the information derived from it".

In 2023, Chile’s Supreme Court became the first to rule on a neuroprivacy case. The plaintiff, Senator Girardi, alleged that his brain data was inappropriately collected by U.S.-based company Emotiv. Emotiv had developed "The Insight", a headband that recorded detailed information about the brain’s electrical activity. The Court found that Emotiv had violated Girardi’s constitutional right to physical and psychological integrity as well as the right to privacy. Relying on both Chilean domestic and international human rights law, the Court focused on the fact that Emotiv retained Girardi’s data for research purposes, even in anonymised form, without obtaining prior consent for this specific purpose.

Two bills are presently pending in Mexico which seek to amend Mexico's Constitution to protect personal data. Both of these bills seek to provide safeguards to the collection and use of neural data through establishment of fundamental rights, rather than changes to definitions of existing privacy concepts.

Furthermore, proposals to amend Brazil's Constitution and General Data Protection Law (LGPD) have been made. These are Bill 29/2023 and Bill 522/2022, respectively. Bill 522/2022 seeks to regulate neural data as a category of "sensitive data" under Brazil's LGPD.

Similarly, Costa Rica, Colombia, Argentina and Uruguay are also considering amending their laws to include neuroprivacy rights.

The position in Australia

Australia has privacy laws which operate at both the national and State/Territory level. The national Privacy Act 1988 (Cth) (Australia Privacy Act) applies to federal government and many private sector entities. There are also some state-based laws which apply to state government agencies and health records. However, neither Australia's Privacy Act, nor any of the State legislation specifically addresses "neural data" or brain activity.

Currently, the Australian Privacy Act does include additional protections for "sensitive information" which includes health information and biometric information. However, these categories may not be sufficient to encompass neural or biological data collected by neurotechnology in a commercial setting.

It remains to be seen whether Australia will follow in Colorado's footsteps and expand its definition of "sensitive information" under the Australian Privacy Act to include neural or brain data, or take a different approach to the regulation of neurotechnology. Amendments to the Australian Privacy Act are currently being developed, with some agreed and others agreed in principle. However, none of the proposed changes directly address the risks associated with neurotechnology.

Neural data is perhaps our most private data – giving those who can access it unprecedented insights into our innermost thoughts, feelings and health information. With recent advancements in technology, regulation in the area will be necessary to protect Australia's privacy rights and provide clear guidance to Australian and international businesses on their obligations.


The team at MinterEllison can assist you in developing a best practice approach to dealing with sensitive information, including information types that may not yet be captured by the privacy regime. MinterEllison provides full-service legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. We remain at the forefront of developments by keeping across international developments, such as regulation of neural data. Please contact us if you would like our assistance.

https://www.minterellison.com/articles/colorado-amends-privacy-laws-to-protect-neural-data