Mental Data Protection and the GDPR

Journal of Law and the Biosciences, forthcoming 2022

22 Pages. Posted: 10 May 2021. Last revised: 8 Feb 2022

Marcello Ienca

EPFL, College of Humanities

Gianclaudio Malgieri

Universiteit Leiden, eLaw; Vrije Universiteit Brussel (VUB) - Faculty of Law

Date Written: May 5, 2021


Increasingly, digital technology can be used not only to measure relevant parameters of human anatomy and activity but also to gain exploratory information about mental faculties such as cognitive processes, personal preferences, and affective states. Although decoding the conceptual and non-conceptual content of mental states is unattainable at the current state of technology development, several digital technologies such as neural interfaces, affective computing systems and digital behavioural technologies make it possible to establish increasingly reliable statistical associations between certain data patterns and mental activities such as memories, intentions and emotions. Furthermore, AI and big-data analytics potentially make it possible to explore these activities not just retrospectively but also in real time and in a predictive manner. These converging technological developments are increasingly enabling what can be defined as the digital mind, namely the moment-by-moment quantification of the individual-level human mind. In this article, we introduce the notion of ‘mental data’, which we define as any data that can be organized and processed to infer the mental states of a person, including their cognitive, affective and conative states. Further, we analyse the existing legal protection for this broad category of “mental data” by assessing meaningful risks for individuals’ rights and freedoms. Our analysis is focused on the EU GDPR, since it is one of the most advanced and comprehensive data protection laws in the world and also has an extraterritorial impact on other legal systems. In particular, we reflect on the nature of mental data, the lawfulness of their processing considering the different legal bases and purposes, and relevant compliance measures.
We conclude that, although the contextual definition of “sensitive data” might appear inadequate to cover many examples of mental data (e.g., “emotions” or other “thoughts” not related to health status, sexuality or political/religious beliefs), the GDPR – through an extensive interpretation of “risk” indexes as the EDPB proposes – seems to be an adequate tool to prevent or mitigate risks related to mental data processing. In conclusion, we recommend that interpreters and stakeholders focus on the “processing” characteristics, rather than merely on the “category of data” at issue. To achieve this goal, we call for a “Mental Data Protection Impact Assessment” (MDPIA), i.e. a specific DPIA procedure that can help to better assess and mitigate the risks that mental data processing can bring to the fundamental rights and freedoms of individuals.

Keywords: Mental Data; Digital Mind; GDPR; Mental Privacy; Data Protection; Data Protection Impact Assessment

Suggested Citation

Ienca, Marcello and Malgieri, Gianclaudio, Mental Data Protection and the GDPR (May 5, 2021). Journal of Law and the Biosciences, forthcoming 2022, Available at SSRN: or

Marcello Ienca

EPFL, College of Humanities

CDH - CM 2 275 Centre Midi
Station 10
Lausanne, 1015
1015 (Fax)

Gianclaudio Malgieri (Contact Author)

Universiteit Leiden, eLaw

Steenschuur 25
Leiden, 2311

Vrije Universiteit Brussel (VUB) - Faculty of Law


