
NEURAL DATA UNDER THE DPDP ACT: RETHINKING PROTECTION UNDER INDIA’S DATA PROTECTION REGIME

I. Introduction

On 5th November 2025, UNESCO adopted the world’s first standard on neurotechnology ethics. It defined neural data as qualitative and quantitative information about the structure, activity, and function of the nervous system gathered through neurotechnology. This data consists of direct measures, such as electroencephalography signals, as well as indirect indicators that help infer mental states, including eye tracking, voice analysis, typing patterns, and physiological signals. While such data used to be limited to labs and clinical research, it is now commonplace for consumer neurotechnology aimed at wellness, focus, productivity, and self-tracking to also generate it. 

The global brain-computer interface market is expected to grow from $2.94 billion in 2025 to $12.40 billion by 2034, which will significantly facilitate the deployment of such technologies in daily life. This progress also unveils an important regulatory failure at the core of India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”). The DPDP Act adopts a uniform personal data protection model that does not distinguish data categories based on their ability to disclose mental states, cognitive patterns, or behavioural tendencies. Neural data, although a form of personal data, is not given any heightened protection, specialised consent standard, or limitations on inference and secondary use, despite its sensitive nature.

Against this backdrop, this article examines the regulation of neural data under the DPDP Act by, firstly, identifying the Act’s structural and conceptual limitations in governing neural data; secondly, drawing comparative lessons from international approaches to neural data protection; and lastly, proposing targeted reforms to address these gaps.

II. Structural Gaps In The DPDP Act

The DPDP Act has certain structural gaps regarding the regulation of neural data. It treats all personal data uniformly and applies the same general compliance tools to all data types. Neural data, consisting of continuous and inference-rich signals that are directly correlated with mental states, does not fit into this framework, premised on static and purpose-specific data. Therefore, even a good-faith application of the DPDP Act fails to provide it adequate protection for the following reasons:

Firstly, the DPDP Act does not explicitly recognise neural data as a distinct category of data. Section 2 of the Act broadly defines personal data, but does not mention neural or brain data, neurotechnology, or brain-computer interfaces. Without a statutory definition, neural data is automatically reduced to ordinary personal data despite its depth of intimacy and greater sensitivity than even genetic data. This is in stark contrast to the UNESCO Recommendation on the Ethics of Neurotechnology, which recognises neural data as a separate, highly sensitive category of data.

Secondly, the DPDP Act eliminates the “Sensitive Personal Data” category that was present in earlier drafts, leaving neural data with only baseline safeguards. This approach thus overlooks the fact that neural data can reveal cognitive states, predict future outcomes (even criminal propensity), and carries a greater risk of cognitive manipulation. By refusing to differentiate data based on its intrinsic sensitivity, the Act does not provide any legal basis for the heightened protection of neural data, which could include enhanced consent thresholds, stricter purpose limitation or mandatory risk assessments for neural processing, and thus leaves the most intimate data under the weakest safeguards.

Thirdly, broad state exemption powers under Section 17 allow for long-term retention and opaque processing of data. In the case of neural data, this means that brain-derived data can be accessed in an intrusive manner without the heightened safeguards that such data requires. The DPDP Act treats personal data as if it were static and context-bound. Neural data is not. Therein lies the structural discrepancy.

III. Why DPDP Compliance Still Fails

The DPDP Act is based on the idea that individual consent and technical measures can ensure appropriate control over personal data processing. This idea collapses when considering neural data. Even if data fiduciaries fully comply with the Act’s notice, consent, and security obligations, individuals may still suffer serious harms after lawful collection. In this respect, neural data reveals the following limitations:

Firstly, the key source of harm in the use of neural data is inference and not collection. Neural signals tend to reveal information that people never intend to disclose, such as their emotional states, cognitive traits, or psychological vulnerabilities. The DPDP Act governs data collection and purpose specification, but it does not mention processing based on inferences. Therefore, even lawfully collected data may become harmful later on as a result of model training, cross-contextual analysis, or secondary use, such as profiling or inferring employability or insurability. This loophole allows for a serious invasion of privacy without technically violating any statutory obligations.

Secondly, consent under Sections 6 and 7 is based on a one-time, static agreement, while neural data processing is continuous and evolving. The Act assumes that purposes can be clearly defined at the time of collection and that consent can cover all future uses. However, neural data does not work like that. As analytical models improve, the same data can lead to new inferences that are unrelated to the original purpose. Broad purposes and bundled consent allow repurposing and third-party sharing of neural data without consent having to be renewed. In that case, static consent risks legitimising downstream uses, such as AI training and mental state-inference, that were not foreseeable at the time of consent. The DPDP Act does not provide any means for obtaining re-consent or dynamic consent when purposes change or when new mental-state inferences become possible.

Thirdly, anonymisation does not substantially reduce these risks. Neuroscience research reveals that neural data serves as a long-term and unique identifier, thus allowing re-identification even from so-called de-identified datasets. It should also be noted that machine learning methods can associate brain signals with individuals and infer sensitive attributes, such as facial features or even imagined handwriting. The DPDP Act does not address the issue of residual risk identification and proceeds on the assumption that anonymisation completely eliminates the risk of harm.

IV. Comparative Approaches To Neural Data Protection

The European Union provides an indirect model, but one that is structurally insightful. Although the GDPR does not explicitly recognise neural data itself, its “special-category data” system recognises it as “health data” or “biometric data” and requires explicit consent and stricter safeguards under Article 9.

Recent reforms in Colorado and California illustrate the significance of statutory recognition. Both states have amended their general privacy laws (Colorado Privacy Act and California Consumer Privacy Act) to explicitly define neural data and identify it as sensitive data. This classification then triggers higher consent thresholds, stricter purpose limitation, and enhanced enforcement duties. Such a treatment of neural data recognises that it is not just another subtype, but a risk-bearing category that deserves automatic heightened protection. If neural data is not named and elevated within the statutory structure, DPDP will still be unable to address its inferential and re-identification risks.

Minnesota’s Neurodata Bill is an example of how to confront the issue of static consent. Under Section 325E.85, it requires per-use and per-connection consent for brain-computer interfaces, as well as disclosures with regard to inference, data sharing and downstream use. It illustrates that authorisation for neural data processing needs to be continuous and granular, not one-time. This model is a direct response to the dynamic and re-interpretable nature of neural signals, which is the reality that DPDP does not acknowledge.

Recently, UNESCO adopted the first global Recommendation on the Ethics of Neurotechnology, which recontextualises neural data as inherently sensitive and thus requiring ongoing, capacity-sensitive consent, adequate withdrawal rights, and special protections in commercial and workplace contexts. The OECD, similarly, has long been advocating anticipatory governance and increased safeguards for neurotechnology, in recognition that harm is mostly caused after lawful collection by inference and secondary use. These instruments point to one core idea: that the governance of neural data should be risk-based and continuous, and not consent-based and exhaustive.

Chile illustrates a different, but cautionary, route of dealing with neural data. Its 2021 constitutional amendment recognises “neurorights” as fundamental rights, including mental privacy, free will, and protection against neurotechnological misuse. This recognition was made functional in Girardi v. Emotiv Inc., where the Chilean Supreme Court not only ordered the deletion of the brain data of a former senator but also described neurodata as the data of the most intimate aspects of human personality. Nevertheless, this measure is at the level of fundamental rights and does not address issues such as granular consent and secondary use in detail.

Across models, the comparative lesson remains consistent. Neural data calls for explicit recognition, stronger classification, granular consent and accountability for inferences. These lessons have a direct bearing on the DPDP Act, which, while structurally consent-centric, is conceptually ill-equipped to handle continuous and inferential harms. The next section explores in detail the implications of these global learnings for the Indian regime.

V. The Way Forward

In order to adequately take into account the distinctive features of neural data as well as the structural gaps in the DPDP Act, the following measures are proposed:

Firstly, the DPDP Act should reestablish a “Sensitive Personal Data” category and explicitly authorise the Central Government to notify the classes of data within it through rules. Neural data should be categorised under this category, along with genetic data. The definition may be based on different statutory approaches and the UNESCO Recommendation. This provides neural data with statutory recognition and prevents its automatic dilution into ordinary personal data. Moreover, it revives risk-based differentiation within the Act, which makes it possible to have higher obligations such as stricter purpose limitation, higher consent thresholds, limits on profiling and surveillance, and increased penalties for misuse.

Secondly, the standards for consent in Sections 6 and 7 should be adjusted for neural data. The Act needs to create a higher consent standard for Sensitive Personal Data, which requires detailed, use-specific, and inference-specific consent instead of a single general consent at the time of collection. Such consent should be dynamic and revocable, and re-consent should be mandatory whenever there is a significant change in purpose, processing method, or inference capability. There must be a clear opt-in for model training, profiling, and cross-context reuse.

Thirdly, the DPDP framework should require accountability for inferences drawn from neural data. Data fiduciaries should be required to disclose the categories of inferences generated from neural data and restricted from engaging in undisclosed psychological or behavioural profiling. Where such inferences affect individuals materially, chiefly in employment, insurance, education, or access to services, data principals should have the right to a clear and plain language explanation of how the inference was made.

Fourthly, neural data should be removed from the blanket exemptions under Section 17, and the State should be allowed to process it only subject to necessity, proportionality, time-bound retention, mandatory safeguards, and post-purpose deletion, so as to prevent opaque and indefinite access.

Finally, the law must recognise that anonymisation does not revoke responsibility for neural data. Fiduciaries should be accountable for foreseeable re-identification and harm that occurs downstream to correct the misconception that de-identification equals safety. 

VI. Conclusion

Neural data reveals that a uniform, consent-centric data protection model, such as the DPDP Act, has serious limitations. The Act, in its current form, is based on the idea that personal data is discrete, predictable, and can be exhaustively governed at the point of collection. However, neural data challenges each of these assumptions. Its continuous nature, inferential capacity, and vulnerability to re-identification call for correspondingly revised regulation. The proposed changes are intended to bring DPDP more in line with the technological reality. The way India handles neural data will be a litmus test of its commitment to data governance and privacy protection.

