How neurotechnology could transform privacy law and the world around you

Neurotechnology seems to be a widely underdiscussed topic globally, despite its rapid and often mind-boggling advancements. One of the biggest drivers in the industry is the company known as Neuralink – a company dedicated to the development of implantable chips, or more specifically, brain-computer interfaces (BCI’s). Other companies also racing to develop brain implants include, Synchron (a New York–based company backed by funding from Bill Gates and Jeff Bezos), Paradromics, and Precision Neuroscience. About the size of a 10-cent coin, these BCI’s are cosmetically invisible and free of external wiring. The implanted chip records and transmits the user’s neural activity to external devices like phones, tablets and computers, essentially allowing the user to control those devices with their thoughts alone.

Current state of neurotechnology

Currently, Neuralink is only providing BCI capabilities through its patient registry to people with limited or no ability to use both hands due to quadriplegia, other cervical spinal cord injuries or amyotrophic lateral sclerosis. However, this may be soon to change as of 3 March 2025, Neuralink filed two U.S. trade mark applications for ‘telepathy’ (serial number 99063908) and ‘telekinesis’ (serial number 99063898). In combination with some of Neuralink’s founder’s recent comments alluding to an expanded application of BCI’s, and consistent with the general trend in the field (moving toward an adoption of the tech with healthy individuals), there is reason to believe that Neuralink could be preparing to develop and scale the tech at-large, with advancements including mind-to-mind communication.

Evidently, it seems the commercialisation of neurological data and the adoption of the technology will soon become mainstream, with other notable companies, like Apple, being granted patent protection over AirPods apparently capable of monitoring brain activity.

Privacy concerns with neurotechnology

The potential benefits of BCI capabilities are very easy to see, but equally, so are the concerns – especially in relation to privacy, as private companies will gain direct access to the most intimate thoughts and beliefs of its users (as opposed to inferring such information from external or behavioural patterns). Indeed, the Human Rights Commissioner of Australia has already expressed critical concerns with respect to neurotechnology – her view being that ‘Humanity always needs to be placed above technology’.

It appears most Australians agree with the Commissioner, with 62% holding the view that protecting personal information is a major concern, particularly regarding online privacy and the risk of data breaches. Since neurotechnology has the capacity to transform personal thoughts into collectable, analysable, and monetizable units of data, if left unchecked, we expect these concerns will only worsen with expected adoption of the technology.

With this in mind (pun intended), we believe it’s necessary to consider some of the potential legal and practical consequences across the community, with a particular focus on how the rapid development of these technologies could interact with the current privacy law framework in Australia.

Privacy laws around the world

Australia

Australia’s privacy laws are designed to protect individuals’ personal information and ensure data security. Naturally, our first question is: whether BCI’s would be captured under the current legislative schemes in Australia?

The first point to turn to is the Privacy Act 1988 (Cth) (the Privacy Act), which notably makes a distinction between personal information, and sensitive information. Respectively, personal information is any information that identifies, or can reasonably be identified with an individual. Sensitive information is a subset of personal information that includes specific details about an individual’s background (e.g. ethnicity), beliefs (political, religious etc.), health or genetic information, or biometric information used for verification or identification purposes.

Clearly, BCI’s collect various parcels of information which fall into both categories. However, it is likely that an additional definition will be required, as the current definitions do not appropriately capture how data is collected (in this case, directly capturing the exact opinions/beliefs of the user is vastly different to inferring such information from the user’s behaviour or outwardly expressed opinions).

This raises serious concerns because the user will not have appropriate control or be deemed to have given the requisite informed consent for the all the various kinds of data that are procured through use of the technology.

Chile

Chile has already seen its first Supreme Court case against U.S.-based company Emotiv for having recorded detailed information about Senator Girardi brain’s electrical activity, finding that Emotiv had violated Girardi’s constitutional right to physical and psychological integrity as well as the right to privacy.

Mexico

In Mexico, constitutional level protection has been implemented as opposed to amendments of subordinate legislation.

What could we see in Australia?

In Australia, amendments could be adopted which more closely imitate those coming into effect from 1 July 2025 in the state of Colorado, in the U.S., which create new obligations for entities that collect biometric data and identifiers.. In our view, it’s likely that Australia will protect the privacy of individuals’ biological data and neural data by either:

• expanding the definition of “sensitive data” to include “biological data” and “neural data”, or
• creating a separate definition altogether for information that is collected directly from a user’s neural activity.

Regardless of the approach, because biological and neural data contain our most private information of all, it seems appropriate to expect at least some sort of changes to Privacy regulation in Australia, which looks to ensure that individual’s neural activity remains truly private. Naturally, we also expect further guidance from the OAIC in relation to how businesses should navigate their obligations concerning these kinds of privacy rights.

Businesses need to be aware of privacy and consent

While advancements in BCI capabilities and other neurotechnology’s hold immense potential to revolutionise various aspects of life and business in Australia, it is quite unlikely that our existing laws will be enough to deal with its impacts. Moving forward, businesses will need to be alive to the concerns surrounding informed consent, namely that obtaining truly informed consent from individuals, especially those with cognitive impairments, presents significant challenges. Businesses will therefore need to ensure transparency about any collection of such data, and, if collected, appropriate protection against unauthorised access to neural data which could lead to severe breaches of personal privacy – as well as ensuring that their data systems are secure and protected against attempted hacking.

Privacy law and privacy policy legal advice

If your business is in need of a fresh privacy policy, whether in anticipation of changes to the privacy regime or not, are in need of comprehensive data protection plans, or wish to have your current policy polished, we recommend contacting our Privacy lawyers, who have the tools to help you comply with, and stay ahead of the complexities in this area.

No mind reading here at MK, just good thinking!

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.