A hypothetical BCI device. Photo: TUCHONG
The rapid development of neuroscience and neurotechnology has opened up unprecedented possibilities for accessing and utilizing information directly from the human brain. Brain-computer interfaces (BCIs) represent an advanced human brain engineering technology. Initial BCI development focused on assisting patients with intact cognitive functions but impaired motor output due to conditions such as spinal cord injuries and amyotrophic lateral sclerosis, individuals afflicted with complex brain diseases such as locked-in syndrome and Parkinson’s disease, and severe coma patients.
As BCIs gradually transition from the laboratory to the market, concerns about personal privacy have emerged, including targeted advertising, cognitive surveillance, and data breaches. It is therefore essential to establish a balanced regulatory framework to guide the steady development of BCI technology.
Legal risks
The legal risks associated with BCI manifest in three stages of its application process. First, prior to the installation of BCI devices, the legal risks primarily lie in the issue of informed consent. Given that the long-term effects of implanting BCI devices into human brains are not yet well established through clinical trials, doctors and researchers may struggle to provide clear and comprehensive information. As a result, individuals may find it difficult to provide fully informed consent regarding the potential risks, benefits, responsibilities and obligations associated with the implantation.
From a legal standpoint, many patients who need BCI devices may already suffer from cognitive impairments, raising doubts about their capacity to make legally valid declarations of intent. Moreover, whether the immediate family of individuals with diminished or no capacity to perform civil juristic acts should be allowed to give informed consent on their behalf is also an issue that needs to be addressed.
Second, once installed, BCI devices continuously collect, process, output, and decode brain signals. While this facilitates communication with the external world, it also increases the risk of privacy violations. Brain data contains a wealth of personal information, including subjective thoughts and mental processes, making brain privacy both a right and a form of control. If the storage and use of this data are mishandled, an individual’s mental state could be vulnerable to exploitation.
Third, implanted BCI devices may require updating or removal over time. While implanted brain chips may need occasional patching akin to conventional software, they cannot be easily extracted or repaired. Since these devices directly affect brain function, individuals cannot simply opt for an upgrade or exit the program as they might with regular software. As BCI technology advances, its future applications may extend from healthcare to entertainment, education, and military affairs. For healthy individuals who install BCI devices, whether they can fully erase their brain data, akin to the “right to be forgotten” in the digital realm, is an important question that requires further exploration.
Legal regulatory framework
In February 2024, the Ministry of Science and Technology of the PRC released an ethical guideline for brain-computer interface research (hereinafter referred to as the “Guideline”), outlining basic principles including “safeguarding health and enhancing well-being,” “respect for subjects and appropriate application,” “risk management and ensuring safety,” and “information disclosure and ensuring informed consent.” The Guideline offers a more comprehensive framework to address BCI-related risks and can be improved in three respects.
Firstly, science and technology laws should be integrated. The promising medical applications of BCI technology hold significant potential for addressing the challenges of an aging society and building a “Healthy China.” Existing laws and regulations such as “Law of the PRC on Progress of Science and Technology,” “Law of the PRC on Promoting the Transformation of Scientific and Technological Achievements,” and “Regulations on State Science and Technology Awards” should be harmonized to encourage R&D investment, reward scientists, and promote responsible scientific and technological innovation. BCI technology should be incorporated into an effective and scientifically managed regulatory system from the initial R&D stage.
Secondly, data security and cybersecurity laws should be updated. In the information age, data is a critical asset for national modernization. Laws and regulations governing the detection, alteration, and transmission of brain data should be put in place. Individuals should have the right to halt any or all of these processes at any time if they occur without authorization.
Thirdly, privacy laws should be amended. New laws and regulations should strictly regulate the collection, storage, and utilization of user information by manufacturers via service-oriented BCI devices. The sale of user data and the unauthorized collection or analysis of user information should be stringently controlled. In cases where data leaks cause harm to users, manufacturers should be required to provide compensation and face civil or even criminal penalties.
Zhang Man is an associate professor from the Law School at Northwest University.
Edited by WANG YOURAN