For years, we have debated who controls our data. The next question is even more profound: who controls what happens inside your mind, and under what rules?
Headphones that measure your attention. Devices that detect your emotional state. Brain-computer interfaces capable of reading neural activity to personalise advertising, assess employees or diagnose medical conditions. Driven by the convergence of neuroscience, sensors and artificial intelligence (AI), neurotechnology is moving beyond hospitals and research laboratories into areas such as wellness, education, work and entertainment. The result is the emergence of a new category of highly sensitive information: neurodata. Unlike conventional personal data, neurodata can be used to access, infer and potentially influence thoughts, emotions and cognitive states. The market is already reflecting this shift. The global neurotechnology sector is expected to approach $20 billion in 2026, growing at an annual rate of around 14%.
What makes neurodata different is not only what it can reveal, but also what it may be able to change. On the one hand, the brain functions as a unique biometric identifier, as distinctive as a fingerprint or a genetic profile, with the potential to reveal information that individuals may not even know about themselves. On the other hand, neurotechnology is not a read-only technology: the same interface that collects data can also deliver stimuli that influence neural activity and shape behaviour. Combined with AI, these capabilities could become increasingly precise, adaptive and personalised, responding to each individual’s characteristics, reactions and mental states. There is little precedent for a technology capable of both observing and intervening in mental processes, raising novel questions about individual autonomy, technological governance and the protection of fundamental rights.
The regulatory debate revolves around three core objectives: protecting neurodata as a particularly sensitive category of information, preventing its use to manipulate decisions, and ensuring that no one can alter an individual’s cognitive identity without consent. Yet governance remains fragmented. While some jurisdictions are beginning to establish specific safeguards for neuro-rights, others continue to rely on existing privacy frameworks or voluntary standards. As neurotechnology becomes more widespread, the challenge will be whether regulatory systems can keep pace with technologies capable not only of reading the mind, but also of influencing it.
In Europe, the debate has focused less on creating new rights and more on adapting existing frameworks on data protection, artificial intelligence and fundamental rights to the challenges posed by neurotechnology. The AI Act already prohibits emotion recognition in workplaces and the use of subliminal manipulation techniques, while several European institutions are exploring how current regulatory frameworks could be extended to protect mental privacy. Spain has been particularly active in this area: its 2021 Digital Rights Charter was among the first institutional documents in Europe to address cognitive liberty, and in 2025 Cantabria introduced the first European legislative proposal to provide explicit legal protection for neurodata. In a context where global standards have yet to converge, shaping the governance of neurotechnology is also becoming a matter of strategic positioning.
The protection of personal data took decades to consolidate, eventually giving rise to frameworks such as the European GDPR, now regarded as a global benchmark. The challenge with neurodata will be to act earlier: developing governance mechanisms before technological capabilities spread faster than the rules designed to regulate them.
For more information, see:
Brazal, Arturo, Francesca Pesce, Marta Beltrán, y Xabier Lareo. Neurodatos. Agencia Española de Protección de Datos, 2024. https://www.aepd.es/guias/neurodatos-aepd-edps.pdf; Gobierno de España. Carta de Derechos Digitales. Ministerio para la Transformación Digital y de la Función Pública, y Ministerio de la Presidencia, Justicia y Relaciones con las Cortes, 2021. https://www.lamoncloa.gob.es/presidente/actividades/Documents/2021/140721-Carta_Derechos_Digitales_RedEs.pdf; Ienca, Marcello, y Roberto Andorno. «Towards new human rights in the age of neuroscience and neurotechnology». Life Sciences, Society and Policy 13, n.o 1 (2017): 5. https://doi.org/10.1186/s40504-017-0050-1; Oliveira Wood, Maia de, G. Berger, L. Jarke, et al. The protection of mental privacy in the area of neuroscience. Societal, legal and ethical challenges. European Parliament, 2024. https://doi.org/10.2861/869928; Szoszkiewicz, Łukasz, y Rafael Yuste. «Mental privacy: navigating risks, rights and regulation». EMBO Reports 26, n.o 14 (2025): 3469-73. https://doi.org/10.1038/s44319-025-00505-6; UNESCO. Recomendation on the Ethics of Neurotechnology. Samarkanda, 2026. https://unesdoc.unesco.org/ark:/48223/pf0000397812/PDF/397812eng.pdf.multi.page=62; and Yuste, Rafael. «Advocating for neurodata privacy and neurotechnology regulation». Nature Protocols 18, n.o 10 (2023): 2869-75. https://doi.org/10.1038/s41596-023-00873-0.