The concept behind immersive digital experiences is not new. For years, developers engineered immersive software’s that pull users into a new or augmented reality using technology. However, in large the concept was typically reserved for gaming platforms and was not as established in other trades and industries. Now the prospect of the metaverse has become mainstream amongst BigTech and other online platforms as they seek to become frontrunners in the race to establish a digital universe where all aspects of living can be simulated online.
What is Metaverse? In short, a Metaverse is a hyper-real alternative world. It combines various virtual environments and technology to enable users to interact digitally in parallel with their lives in the physical world. Its boundaries are still unexplored as technology constantly evolves and extends the possibilities of full digital immersion, but one thing is for sure, it will transform how we socialize and interact with each other, how we shop, conduct business and even consume information.
In terms of privacy and data protection, the Metaverse presents new risks and challenges, which are likely to give rise to a range of complex legal and regulatory issues. In this article we will glance over some of these privacy dilemmas, including how to achieve valid consent in the Metaverse, data responsibility and the sensitivity of data processed in the online universe.
One of the main issues of creating a boundless digital universe is the collection of unprecedented amounts of data that it will require as well as the nature of data it will depend on to facilitate the full immersive experience. Users are anticipated to be logged in for extended periods of time while using technology including virtual-reality glasses, headsets and similar budding technology that could collect information about individual’s physical and physiological attributes. The data collected on how users interact with their environment in the Metaverse could potentially even reveal medical conditions that users are unaware of.
Essentially, within the Metaverse, data will no longer be proactively given, but will be passively gathered as users go on with their digital lives.
Naturally, this presents a business opportunity for those looking to rely on this data for targeted advertising. For example, users who are constantly looking at food, might be served food adverts accordingly. However, those who are participating in or developing the Metaverse, must remain mindful of data protection legislation and comply even in this new environment.
2. DATA CONTROLLERSHIP
The interconnected environment of the Metaverse makes it hard to establish which entity or entities have responsibility of determining how and why personal data will be processed, and who processes personal data on behalf of another. Will there be one administrator who decides how data will be used, shared and collected or will multiple entities determine how data is to be processed within the Metaverse? Answering these questions in the future is necessary for understanding the legal obligations of entities participating or facilitating the Metaverse. Without untangling the web of relationships, it will remain difficult to establish data controllers and processors. However, as multiple platforms and tech-giants announce plans to develop multiple Metaverses it may be the case that each Metaverse will function differently and therefore data controllership will be assessed on a case-by-case basis. Nevertheless, organisations facilitating digital living will need to ensure that they remain transparent with their obligations and roles in the Metaverse, rather than depending on the complexity of relationships to evade any sort of responsibility for data breaches and cyber-attacks.
The General Data Protection Regulation requires consent to be freely given, specific, informed, unambiguous and revokable and user consent will be crucial in the Metaverse, where user’s biometrics information will be collected and used. However, as many platforms and brands will participate in facilitating the Metaverse, the question becomes whether each platform will require consent for processing of data or will a central administrator give users a clear description of how their data will be used and provide users with an opportunity to consent to various uses. The latter option may prove unfavourable among regulators as many have previously expressed dislike for catch-all consent mechanisms. Considering the nature and quantity of data processed in the Metaverse, the objections are likely to apply. But what is the alternative? Will each platform in the Metaverse have to provide information on their use of data and seek user consent? Essentially, as the Metaverse continues to develop, regulators will need to assess how this new digital environment can achieve data compliance, without inhibiting technological developments in digital immersion, including how to require administrators to achieve valid consent.
A key driver in the development of data protection laws has been technological improvements and consequently our increased ability to gather, use and abuse personal data. The Metaverse may be another motivator for legislative change, as a range of new privacy issues arise from its unique data environment. However, it is only when aspects of the Metaverse materialize, will other legal issues come to light.