The following sections describe some of the ways in which current privacy and data protection laws could potentially be applied to, or end up becoming obsolete in, the metaverse.
The datasets collected in the metaverse may be more numerous and extensive than ever
The technology, interactions, experiences, and interconnectivity of the metaverse could mean the collection of personal data on a scale we have never seen before. Inevitably, though, the data actually needed and collected will depend on the specific use cases that emerge.
While an avatar will often take a different form from its creator, the data collected about it and generated by it remains linked to the individual behind it and constitutes personal data. Such data ranges from information collected through familiar registration and payment flows to service interactions and system data generated through logins. What concerns many commentators, however, is the collection of new, even richer combined datasets in the metaverse, including anything from gait, gaze, posture, emotion and haptic data (sensations) to interactions with other individuals, content and objects in real time. Some such data may even constitute special category or sensitive data demanding higher protection under data protection laws.
The data sharing required for the metaverse to operate could be unprecedented
The sheer number of companies (not to mention legal entities) involved in making the metaverse tick could be on a scale never seen before. The intended experience for the user will require rich personalization, dependent on their profile, preferences, and actions.
Users will be able to move between different metaverses, so multiple datasets can be collected in, or shared between, different spaces of the metaverse.
Such mass personal data use brings various privacy challenges. A key problem is how to manage the sharing of such personal data and set up the contractual accountability and privacy obligations required to protect its use.
A further layer of challenge lies in the fact that, in many countries, additional contractual requirements apply where personal data is transferred out of certain jurisdictions. Transfers out of the EU have been a particular focus area in the last year and now require careful assessment on a per-transfer, per-country basis. How will the metaverse take such requirements into account (or not), given its all-encompassing, global reach and the aim of achieving freedom of movement within the metaverse? Will regulators be able to provide templates and guidance that strike the right balance between efficiency, pragmatism, and protection of individuals' privacy rights?
Furthermore, how can one determine jurisdiction within the metaverse at all? The deciding factor could ultimately be the location of the user, the location of the avatar, or the location of the relevant server.
The question of applicable privacy laws in the metaverse
The metaverse will connect the person to their “avatar” (or other digital representation(s)). Therefore, regulators around the world would likely consider information collected about a metaverse user’s activities to be personal data, subject to existing privacy and data protection laws.
As those who have practiced privacy and data protection law know, the cross-section of applicable laws, especially in the United States, is a constant challenge. Regulation of a digital interaction may engage privacy rules in some countries based on the physical location of the organization or the individual; the type of organization or individual (say, a health care organization or a child); the type of data collected (say, race or sexual orientation); and the purpose for collecting the data (for example, marketing or profiling). Applying this cross-section of laws is unwieldy even in a relatively static environment like the Internet. It is unclear how organizations could navigate legal compliance in a persistent, live, synchronous, interoperable digital environment. Organizations operating within the “one-stop-shop” privacy rules of the EU General Data Protection Regulation (GDPR) may fare better here, but this raises another issue – which privacy rules of which country apply in the metaverse? Does it still make sense to have privacy laws such as the California Consumer Privacy Act (CCPA), which focuses on California residents? And won’t the metaverse make it even harder for organizations outside the UK and Europe to know when they are targeting products or services to, or monitoring, individuals in the UK and Europe, and are therefore caught by the GDPR?
Further, who will be held responsible for privacy in the metaverse? We don’t know what (if anything) will own or control some or all of it. It may operate as single-organization ecosystems (similar to today’s social media platforms) or as centrally operated platforms hosting different organizations offering their goods and services; alternatively, it may be characterized by interacting access points and multiple controllers. If governments hold organizations responsible for others’ activities in the metaverse, it is difficult to envision organizations building anything but a collection of proverbial “walled gardens” that will not fulfill the promise of the metaverse.
Determining who is responsible will be challenging
In a metaverse, diverse entities will be present and a web of relationships and encounters will emerge, making it difficult to determine who is responsible or liable within these different relationships. With regard to applicable data protection laws, it will also be particularly challenging to determine who can be considered a controller and who a processor in the context of processing personal data.
Some commentators on the metaverse state that one of its key features is that "no one controls the metaverse" (although others have different views, and it is certainly the case that many walled-garden private metaverses exist today). Ultimately, however, if no one is supposed to control the metaverse, can there be any data protection responsibility at all?
Even in a virtual life, relationships and encounters, both private and business-related, must be protected and regulated by a legal framework, especially in order to protect fundamental rights. Following on from the question of the applicable legal regime in the metaverse, the GDPR, for example, could be applied under certain circumstances. Under the GDPR, the data controller would then be the entity which alone or jointly with others decides on the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR).
Defining the extent to which individual entities in the metaverse can decide the purposes and means of processing personal data seems particularly problematic in this context. On the one hand, it is conceivable that responsibility may be determined for a given space within the metaverse, as is the case with platforms or individual companies today. Responsibility could also be seen to sit with access point providers, i.e., individual service providers that enable users to access the metaverse, such as internet service providers. This could lead to almost intolerable liability for individual service providers.
Or is the metaverse a starting point to move controllership and responsibility to the data subjects – who carry their data in their wallets and give participants in the metaverse access? Such a vision of the metaverse would not sit well with the current framework for data protection control and responsibility that has been designed for digital platforms and services today and could demand a full rethink.
- Today’s privacy and data protection laws were not created for tomorrow’s metaverse.
- The lack of a controlling entity in the metaverse raises questions about whether there can be any data protection responsibility at all.
- Data minimization principles appear to clash with the notion that the metaverse should be a personalized experience.