In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the legal and ethical considerations around neural data and why the European Commission intends to extend the UK Adequacy Decision for 6 months. Finally, we review the significance of the UK cyber security sector and question whether UK companies are cyber ready. We review the implications for UK businesses and individuals. Find out more below.
Neural data – what are the legal and ethical considerations?
What happened
- Vast amounts of our personal information, including names, addresses, medical records and spending habits, are now online and, in some cases, widely accessible
- The last frontier of our privacy lies in the sanctity of our inner thoughts, emotions and feelings, but rapid advancements in neuro technology are poised to challenge this
- Neuro technologies, including wearable devices, non-invasive interfaces and even implanted devices, are beginning to process “neural data” – information derived directly from the brain and nervous system
- This can reveal our emotions, state of mind and even our intentions
- For example, EEG readings and MRI scans provide insights into neural activity
- From healthcare to gaming, education and marketing, organisations are finding uses for this neural data. There are of course major ethical and legal concerns around this
- This data is very sensitive and unique, and therefore subject to a number of regulations, but organisations must also consider ethical issues
Why it matters
- Huge amounts of our personal information have become widely accessible over the past years but now, even information about feelings, thoughts and intentions might be included, due to the rise in neuro technologies
- Neural data, information derived directly from the brain and nervous system, is being used by medical, consumer, commercial and public safety applications
- Whilst these applications might be incredibly useful, strong safeguards will need to be in place, as neural data is vulnerable to misuse
- The rapid pace of neuro technologies has outpaced regulatory frameworks, but fortunately, the UK is addressing the unique privacy issues
- The ICO published a report in 2023 called ‘Tech Futures: Neuro technology’* which sets out the risks associated with neural data, in particular, its accuracy, the transparency challenges around it and the risk of discrimination, particularly in AI powered neuro technologies
- The ICO has urged a precautionary approach to avoid misuse of data and to ensure compliance with data protection laws
Next steps
Neurotech companies will need to take the following steps to ensure compliance and build consumer trust:
- Conduct Data Protection Impact Assessments and adopt a data protection by design approach
- Keep up to date with regulatory developments
- Engage their stakeholders
- Educate their users
*The ICO’s report can be found at ICO tech futures: neurotechnology | ICO
European Commission’s intention to extend the UK Adequacy Decision for 6 months
What happened
- On March 18, 2025, the European Commission proposed to extend the two Adequacy Decisions that relate to the UK for 6 months
- These Adequacy Decisions permit the transfer of personal data, subject to the EU GDPR and EU Law Enforcement Directive, to the UK without restriction
- Both adequacy decisions were granted for 4 years in 2021 but they expire on 27 June 2025
- The extensions are needed to allow the UK enough time to finalise its legislative process for the new Data (Use and Access) Bill
- The draft extension decisions will now be transmitted to the European Data Protection Board for its opinion, as part of the adoption procedure
- If approved, the extensions will be valid until December 27, 2025
Why it matters
It is crucial that the UK has adequacy status from the European Commission because:
- Adequacy means that personal data can flow freely between the EU and the UK without the need for additional safeguards
- Many businesses rely on the free flow of data and need regular cross-border exchanges
- Adequacy provides legal certainty and stability for businesses in the UK and EU, ensuring they comply with data protection laws without facing legal challenges
- Adequacy facilitates trade and cooperation between the UK and the EU, which supports economic activities that depend on data processing
- Adequacy demonstrates that the UK has robust data protection measures in place that comply with EU data protection laws.
- Without adequacy, businesses would need to implement costly and complex measures to ensure data protection compliance
Cyber Security sector analysis 2024 – are UK companies Cyber ready?
What happened
- The government’s Cyber Security Sectoral Analysis 2024 has again highlighted the significance of the UK cyber security sector
- It has shown that reviewing security and privilege settings that apply to important or sensitive data is crucial
- It has shown that document retention and destruction policies must also be reviewed regularly, to mitigate cyber risk and data loss
- Many organisations use cyber specific insurance as a key risk mitigator. This can mitigate business impact, but it is not a substitute for robust preventative measures
- The National Cyber Security Centre (NCSC) recommends a combination of technical and non-technical measures, including (i) multi-factor authentication, (ii) robust malware defences, (iii) appropriate software patching strategies, (iv) secure configuration through least privilege or zero trust, (v) protecting data via encryption, anonymisation or pseudonymisation, (vi) appropriate training in governance and (vii) supply chain management
- Although cyber risk continues to be a key business risk, Boards remain unprepared. The NCSC has identified a skills gap in how cyber security risks are managed at Board level
- The analysis has shown that often it is unclear where accountability for cyber lies within an organisation
Why it matters
- Over the past year, the UK’s cyber security sector has shown significant growth, creating 2700 new jobs and showing strong economic performance despite other global challenges
- Despite cyber continuing to be a key risk, there are still gaps in how cyber security risk is managed at Board level
- Responsibility for key decisions around security posture and strategy must be taken at Board level
- Going forwards, regulators will expect to see active engagement from Boards, and legal teams will need to make sure Boards regularly receive cyber updates and are proactive in setting the strategic direction of the organisation
Further information
The government’s analysis can be found at