On 11 November 2025 the UNESCO General Conference adopted the Recommendation on the Ethics of Neurotechnology, the first global normative instrument in the field: definitions of neurotechnology and neural data, mental privacy, a ban on manipulation, and the qualification of neural data as sensitive data. A significant step. But will a soft-law instrument be enough to protect the innermost sphere of the person — the mind?
We have dealt with neurorights on several occasions, wondering what new ethical rules hybrid societies need in the face of the advance of neurotechnologies. Today that debate has a global normative point of reference: at the 43rd session of its General Conference, meeting in Samarkand, UNESCO adopted the Recommendation on the Ethics of Neurotechnology (documentary reference SHS/BIO/REC-NEURO/2025), whose enacting terms bear the solemn formula “Adopts the present Recommendation on the Ethics of Neurotechnology on this eleventh day of November 2025”. The mandate dates back to Resolution 42 C/29 of November 2023; the drafting was entrusted to an ad hoc expert group chaired by Hervé Chneiweiss and Nita Farahany, with over eight thousand contributions received.
What “neurotechnology” is: the Recommendation’s definition
The definitional path was not easy even for UNESCO. The Recommendation defines neurotechnology as “devices, systems and procedures — encompassing both hardware and software — that directly measure, access, monitor, analyse, predict or modulate the nervous system to understand, influence, restore or anticipate its structure, activity and function”. As to neural data, “neural data include qualitative and quantitative data about the structure, activity and function of the nervous system gathered through neurotechnology […]. These are the most direct measurements or observations of nervous system states, many of which are correlated with mental states”. Here, however, is the most decisive specification: the Recommendation extends its attention also to indirect neural data and to non-neural data allowing inferences about mental states — “even if these technologies are not neurotechnology per se, their use to generate information that can interpret or predict mental states raises similar ethical and human rights issues”. In other words: a brain-computer interface is not needed to put mental privacy at risk; the correlated behavioural and biometric data — of which the digital ecosystem already overflows — may suffice.
Mental privacy, consent and the ban on manipulation
The axiological heart of the Recommendation is the protection of mental privacy. At point 49 we read that the collection and processing of neural data “as well as indirect neural data and non-neural data allowing mental states inferences require prior, free and informed consent of the person concerned, with the exception of life-threatening medical emergency situations”. Point 47 states that “neurotechnology should never be used to exert undue influence or manipulation […] that compromise autonomy and freedom of thought”. And point 85 invites States to consider “both neural data as well as indirect neural data and non-neural data allowing mental states inferences as sensitive personal data”: a clear-cut position that directly interpellates the European legislator.
The Chilean precedent: from the Constitution to the Supreme Court
The comparative picture offers a mandatory reference. Chile was the first legal order to constitutionalise the protection of brain activity: Ley N° 21.383 of 14 October 2021 amended Article 19(1) of the Constitution, providing that scientific and technological development “shall especially safeguard brain activity, as well as the information deriving from it”. On that basis, the Chilean Supreme Court, in the case Girardi v. Emotiv Inc. (decision of 9 August 2023), upheld the action brought in relation to brain data collected by a commercial device, ordering their erasure: the world’s first judicial precedent on neurorights.
Neural data and European law: the meshes of the GDPR and the AI Act
And Europe? The current framework offers important safeguards, but no dedicated regime. Article 9(1) of the GDPR prohibits processing “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. Neural data, however, do not appear there as an autonomous category: they fall within it only indirectly, as health data where they concern the psychophysical state, or as biometric data, but only if processed to uniquely identify a person. Inferential neural data and non-neural data allowing inferences about mental states fall under Article 9 only under certain conditions: hence a possible protection gap. On the AI Act side, Article 5(1)(a) prohibits AI systems using “subliminal techniques […] or purposefully manipulative or deceptive techniques” that materially distort behaviour and cause significant harm: a precious safeguard against manipulation, but built around the paradigm of significant harm, not around the inviolability of the mental sphere as such.
Critical issues: the strength (and weakness) of soft law
The first critical aspect is structural: the Recommendation is a standard-setting instrument devoid of binding force. It merely invites Member States to give it effect “by taking appropriate steps, including whatever legislative or other measures may be required”. The 2021 UNESCO Recommendation on the ethics of AI teaches that such instruments can orient legislators; but the distance between orientation and obligation remains. The second aspect concerns the qualification of neural data in the GDPR: as long as the protection of the mental sphere depends on mediated qualifications, the level of protection will remain exposed to interpretive fluctuations.
After Samarkand: developments in 2025-2026
Some months on, the picture confirms both the propulsive force and the limits of the instrument. On the implementation side, while the European Union has not yet equipped itself with a dedicated regime, it is a Spanish autonomous community that moves first: the Digital Health Law of Cantabria, presented as the first in Europe to expressly regulate neurorights and neural data, aims to fill precisely the gap left open by the GDPR, introducing among other things the so-called “right to technological oblivion” and safeguards against non-consensual cognitive manipulation. A signal that, absent a harmonised European intervention, the regulatory push risks fragmenting on a territorial basis. On the scholarly side, the Recommendation continues to fuel the international debate: among the most recent analyses, a Stanford Law School study (March 2026) highlights its limits when one tries to bring “digital thoughts” back to the traditional categories of property law, confirming that the protection of the mental sphere requires new tools and not mere adaptations. The underlying question therefore remains open: will the soft law of Samarkand manage to translate into binding rules before the neural-data market dictates its own?
Conclusions
With the Samarkand Recommendation the international community recognised, for the first time globally, that the human mind is a legal good to be protected as such: common definitions, mental privacy, a ban on manipulation, neural data as sensitive data. That is no small thing. But it is, precisely, a recommendation: its strength will be measured by the ability of States — and of the European Union first — to translate it into binding rules, filling the protection gap that still surrounds inferential neural data. In the light of the above, one wonders whether the European legislator will heed the warning of Samarkand, endowing inferential neural data with an autonomous protection no longer mediated by the existing categories of the GDPR, or whether the protection of the mental sphere will continue to depend on indirect qualifications, exposed to interpretive fluctuations, precisely where the freedom to think without being read is at stake.
