Mind Protection: Data Privacy Legislation in the Age of Brain-Machine Interfaces

Contributed by Dr. Anastasia Greenberg

Brain-machine interfaces (BMIs) are a class of devices that allow for direct communication between a human brain and a device such as a computer, a prosthetic limb, or a robot. This technology works by having the user wear an electroencephalography (EEG) cap that extracts brain activity, in the form of brain waves. These waves are then processed and interpreted by advanced software to “decode” the brain’s intended actions. These intended actions are translated into a command sent either to a computer or a mechanical device – the gadget options are seemingly infinite. With the growth of big data analytics and artificial intelligence (read an MJLH article on this issue), the proliferation of BMIs pose a unique legal and ethical risk for personal data privacy and security given the highly intimate nature of the information that BMIs gather.

Recent Advances in BMIs

The major limiting factor of the widespread application of BMIs is the ability to accurately interpret a person’s thoughts from their recorded brain activity. Major headway has been made in the last decade. A highly publicized example includes a quadriplegic patient with an implanted brain chip (instead of a non-invasive EEG cap) who was able to check emails, turn lights on and off, and play video games using his thoughts alone. A newer version of this chip, developed by a company called Braingate, is currently undergoing clinical trials. Similarly, such developments have potentially life-changing heath care implications for locked-in syndrome patients who have lost ability to communicate due to muscle paralysis. BMIs allow locked-in patients to communicate using their thoughts.

BMI1 Brain-machine interfaces allow for control of computers and mechanical objects using thoughts || (Source: Flickr // Ars Electronica )

The applications of BMIs extend beyond health care into the consumer context. A company called Emotiv Lifesciences created a sophisticated driving simulator that allows for thought-controlled navigation through a virtual course. Another company called Muse offers an enhanced meditation experience by providing feedback to allow users to modulate their own brain waves.

BMI technology can also be used for direct brain-to-brain communication. In 2013, researcher Dr. Rajesh Rao sat in his laboratory at the University of Washington wearing an EEG cap and faced a computer screen displaying a simple video game. The object of the game was to fire a canon at a target by pressing a key on a keyboard at the right moment. Rao did not touch the keyboard and instead used his thoughts to imagine moving his right hand to press the key. On the other end of the university campus, Dr. Andrea Stocco sat in his own laboratory with a Magnetoencephalography (MEG) stimulation coil (which is used to activate specific areas of the brain) placed over the part of his motor cortex that controls hand movements. Stocco did not have access to the video game display in front of him. Every time that Rao imagined firing the canon, a command would be sent via the internet to trigger the MEG stimulation over Stocco’s head, forcing his finger to press a keyboard key which would then fire the canon at the target on Rao’s computer screen. Therefore, Rao was able to control Stocco’s movements through the web with his thoughts.

Data Privacy in Canada

In the age of big data, personal information in the form of search engine entries, online shopping activity, and website visits, when aggregated, can reveal highly accurate details about a person’s life. This reality has raised public concerns over data privacy in Canada. As BMIs increasingly enter the market and join the “internet of things”, organizations will for the first time, have access to the most personal information yet – information obtained directly from the brain.

In Canada, the protection of personal data, such as brain data, can be captured by a complex web of privacy legislation. Although the Canadian Charter of Rights and Freedoms does not explicitly mention a right to privacy, it is protected to some degree by sections 7 (liberty) and 8 (unreasonable search and seizure). The Privacy Act governs the handling of personal information by the federal government, while the Personal Information and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Canada that collect, use, and disclose personal data for commercial purposes. PIPEDA was enacted in 2000 in attempt to harmonize data privacy standards across the country and to strike a balance between economic benefits stemming from private data use and respect for individual privacy. To add extra complexity, provinces and territories can enact their own data privacy legislation which supersede PIPEDA if the federal government considers the legislation to be “substantially similar” to PIPEDA.

BMI2.jpg Privacy legislation in Canada and abroad aims to protect personal information, such as health-related data || (Source: Flickr // luckey_sun )

PIPEDA has been criticized heavily since coming into force for its feeble enforcement mechanisms. As a result, in 2015, amendments to PIPEDA introduced a requirement to notify the Privacy Commissioner of any data privacy breach creating significant harm to an individual, including bodily harm, reputational harm, and identity theft. Failure to notify can result in fines up to $100,000. Furthermore, the Office of the Privacy Commissioner provided guidance on section 5(3) of PIPEDA which prohibits inappropriate collection, use, and disclosure of personal data. The so called “No-Go Zones” under section 5(3) prohibit activities such as: the processing of data in a way that would lead to unethical or discriminatory treatment, and data uses that are likely to cause significant harm. Significant harm means, “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on one’s credit record and damage to or loss of property”. These changes can bolster privacy protection of brain data.

What remains intact following the amendments is an insidious provision that leaves the door ajar for government surveillance. Section 7(3)(c.1) is a blanket provision that mandates private entities to disclose personal information at the request of the government in the name of national security and law enforcement. Given the rich information that brain data contains, it is not evident how the government may decide to use such unfettered access in its activities.

Data Privacy Internationally

Europe is known to have the world’s highest data privacy standards. The European Union Data Protection Directive (Directive 95/46) is interpreted in light of the Charter of Fundamental Rights of the European Union, which specifically recognizes personal data protection as a human right. Article 8(1) of the directive provides that member states adopt prohibitions on processing sensitive data including health-related data, which brain data may indeed fall under. However, much like PIPEDA, the desire to balance organizational interests with privacy protection is reflected in exceptions to this prohibition if consent is obtained from the data subject, if the data processing is in the public interest, or for certain medical and health care purposes.

In May of 2018, the General Data Protection Regulation (GDPR) will officially replace Directive 95/46. One of the prominent changes from Directive 95/46 relates to the widening of jurisdiction, as the GDRP will apply to all companies processing the personal data of individuals located within the EU, irrespective of where a company is located. The effect of this change will likely force non-EU companies, including Canadian companies, to comply with the GDPR to allow for cross-border data transfers. The strategy behind this new approach is to ensure that Europe lays the ground rules for the international data privacy game.

As BMIs increasingly enter the market and join the “internet of things”, organizations will for the first time, have access to the most personal information yet – information obtained directly from the brain.

Other major changes that will be introduced with the GDRP are the inclusion of the “right to access”, in which a data subject will be able to request copies of their personal data, and the “right to be forgotten” in which the data subject can request for their personal data to be permanently erased. Just as BMIs are introducing highly intimate data into the mix, the GDRP may offset some of the increased privacy risks by putting more control in the hands of the data subject and by attempting to coerce international privacy standards.

The Future of Privacy

The promise of brain-machine interfaces is hard to overstate. BMIs can already restore lost abilities such as vision, hearing, movement, and communication.  Beyond restoration, BMIs allow for super-human enhancement in the form of control over virtual environments, manipulation of robots, and even transmitting linguistic messages without vocalizing speech. The effective implementation of BMIs speaks directly to the effectiveness of neural decoding: the technology’s ability to “mind read” – albeit currently in crude form. Organizations that create BMIs and control its software will have access to rich brain data. Governments will desire access to that data. The EEG data in question are as unique as one’s fingerprints, providing biomarkers for the prediction of individual intelligence, and predispositions to neurological disorders such as depression, Alzheimer’s disease, and autism. The ongoing development of data privacy legislation in Canada and abroad will shape future control of the mind’s personal bits.

 

Anastasia Greenberg is a second-year student in the B.C.L/LL.B. program at McGill University’s Faculty of Law and is the Executive Online Editor of the McGill Journal of Law and Health. Anastasia holds a PhD in Neuroscience from the University of Alberta.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s