Defining The Rules of Data Privacy and Protection in the Metaverse


In a Nutshell…

  • The cross-section of applicable data privacy and protection laws may complicate compliance in a live, synchronous environment such as the metaverse.
  • It's unclear who will be responsible for ensuring adequate data protection in the metaverse. Each respective metaverse, to some degree, will be expected to self-regulate.
  • Most jurisdictions' current antitrust and data security practices seem wholly outmoded to govern and encompass an evolving interoperable space such as the metaverse.

As we move into 2022 and beyond, the metaverse continues to permeate societal consciousness, and we predict it will soon become a topic of interest for many.

For those unfamiliar, the metaverse is a 3D, digitally simulated environment enabling virtual experiences where users can play games, socialize with friends, fulfill work obligations, and traverse virtual open worlds using their personalized avatars.

Previously reserved for the pages of science fiction novels, the metaverse is steadily transitioning from fantasy into a highly tangible reality with many real-world applications.  

With a market value estimated to reach between $8 trillion and $13 trillion by 2030, it’s no surprise people are jumping on the metaverse wave. The burgeoning metaverse space includes investments from technology firms and savvy developers to fashion houses and financial institutions such as HSBC and JP Morgan.

It's important to note that the metaverse remains a theoretical and aspirational concept yet to be fully actualized. If the metaverse does become the technological marvel many predict, it will rely on the collection of untold amounts of personal data to deliver a truly immersive and tailored user experience.

This raises an important question: Are the existing data privacy and protection laws adequately applicable to a live, synchronous environment such as the metaverse? After all, data privacy and protection parameters in the metaverse are yet to be explicitly defined. For instance, who will be responsible for safeguarding user data in a persistent virtual space?

The materialization of the metaverse and its future success continue to generate intense debate among tech enthusiasts. With so many potential avenues for runaway data abuse, and with the knowledge that Web2 social media platforms so often display a willingness to violate user privacy, we're attempting to define the rules of data privacy and protection in the metaverse.


The Challenges Of Data Privacy and Protection In The Metaverse 

Through immersive technologies such as augmented reality (AR) and virtual reality (VR) headsets, users can engross themselves in the metaverse's vast 3D experiences via their avatar, a digital representation of themselves. In order to create a truly personalized user experience and gain a deeper understanding of consumer demand, affiliated third parties in the metaverse will be able to monitor and process data from a user's activities, behaviors, and preferences, drawn from both online and offline sources.

This includes the sites you visit, the ads you stare at, the search engines you use, and the videos you watch. If regulators consider data collected from a digital representation to be personal (including information that could identify a person in the real world), that data will be subject to existing data regulation practices. 

The cross-section of applicable data privacy and protection laws may complicate compliance in a live, synchronous environment such as the metaverse. Data protection law varies across regulatory bodies worldwide—and there's a lot, with stats from the United Nations Conference on Trade and Development (UNCTAD) revealing "137 out of 194 countries had put in place legislation to secure the protection of data and privacy." 

To process user data, regulatory bodies could consider the user type, their geo-location, the kind of data collected, and the purpose for collecting it. This could result in different applications of legal procedures for data regulation based on whether the user is a child or an adult, whether the data is sensitive or non-sensitive, and whether the data will be used for profiling users or for marketing campaigns.

Moreover, we can assume regulatory issues arising from the use of extended reality (XR) wearables and other new data collection types will prompt lawmakers to introduce updated legal parameters for processing special categories of personal data, e.g., biometric privacy laws that regulate sensitive personal data derived from artificial intelligence (AI).

The EU's General Data Protection Regulation (GDPR) is a world-class data privacy and protection act mandating the lawful transfer of the personal data of residents located within the European Economic Area (EEA). The GDPR is notable for pioneering comprehensive data protection standards that have helped shape other global data regulatory frameworks.

For example, the GDPR's rigid rules make it essential for organizations transferring data to third-party entities to gain explicit consent from the user beforehand and provide users with legally binding privacy policies that make them unequivocally aware of how their data is being used. Article 7 of the GDPR stipulates that "the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used, and the purpose of the processing operations." 

In the case of a child, many data protection laws specify that parental consent must be obtained to process the data of a person under the age of thirteen. The GDPR requires that any processing of a child's data be lawful, fair, and transparent, and that appropriate policies and procedures are in place to protect their privacy. In countries like Canada, Australia, and India, however, regulatory bodies do not have distinct provisions governing the protection and privacy of children's personal data.

The inconsistencies across global privacy and data protection laws mean that within the metaverse, the collection, use, and disclosure of user data may fall under the jurisdiction of countless geo-specific laws. As more people enter the metaverse, data controllers, developers, and stakeholders, along with third-party affiliates, will have to walk the fine line of complying with numerous shifting data laws, or at least make sure to follow the strictest ones—such as the GDPR's requirement of stringent consent mentioned above.


Inconsistencies In International Data Privacy and Protection Laws  

How will companies operating in the metaverse's live, virtual worlds ensure they're not in breach of the GDPR when inadvertently processing the data of EU citizens and targeting them with ads? Legal issues could easily dismantle the ambitions of a truly global metaverse. Further, adherence to one set of data and privacy laws of a particular jurisdiction does not protect organizations from breaching that of another. 

While the data privacy and protection laws of two countries may appear to serve the same purpose, there's a chance that they contain unique and novel clauses that call for different processing modes. This would likely require the engagement of unique processes for a potentially innumerable set of cases. Countries may enter joint agreements that unanimously provide a blanket of protective laws governing the collective data of individual member states—such as the EU's GDPR. In most countries, though, political and national motivations ultimately inform the legislative landscape.

What happens when conflicting data laws make it so a user's avatar cannot escape the confines of a geo-digital silo? In a synchronous metaverse, you wouldn't expect to be met with blackout viewing restrictions because you're trying to watch the Super Bowl outside of the US. This could significantly limit the reach of metaverse platforms and lead to the creation of monopolized walled gardens that fail to capture fully realized interoperable experiences.

In the USA, specifically California, the CCPA (California Consumer Privacy Act) governs top dogs like Meta, Microsoft, and Apple with legal provisions, most notably from the California Privacy Rights Act (CPRA). Enacted in 2018, the CPRA safeguards the data of California residents only—the rest of the United States remains without comprehensive data privacy standards that adequately protect the digital privacy of its citizens on a federal level. This has no doubt enabled instances of data surveillance by the US government that continue to be a cause for concern.

Schrems II was the EU-US Data Protection Shield that gave companies—pertaining to the data of European and U.S. citizens—the ability to easily transfer data between the EU and U.S. without pursuing otherwise lengthy formal permissions. In July 2020, the Court of Justice of the European Union ended the free data flow agreement between the two blocs, declaring Schrems II invalid due to surveillance concerns coming out of the US and its law enforcement agencies.

Do legislative suspensions like these foreshadow the increased legal hardships of data security within the metaverse? With cases of unethical surveillance from nation states already a reality, regulatory bodies may enact legislation that stipulates user data remain within the geographic region from which it originated. This could lead to the introduction of data localization laws that see companies endure lengthy permission requests to transfer user data externally. 


Who's Responsible for Data Privacy & Protection In The Metaverse?

It's unclear who will be responsible for ensuring adequate data protection in the metaverse—if anyone. Each respective metaverse, to some degree, will be expected to self-regulate. On a centralized platform, responsibility will likely fall onto one or more proprietary data controllers. In the case of an open-source platform or decentralized autonomous organization (DAO), responsibility may fall onto multiple controllers across different access points. Identifying who the data controller is at each end-point is a way for users to know who is responsible for handling their data.

A data controller's job is to ensure a user’s data privacy, protection, and rights while also working to implement transparent consent and usage mechanisms. In the metaverse and Web3 world, it will be even more critical that data controllers are identified and made accountable. A metaverse built on a public blockchain adds an extra layer of complexity in regulating user data due to the wide-reaching requirements needed to govern disparate interactions across distributed ledgers. 

Imagine you purchase an NFT or another digital asset at a virtual store. The crypto wallet provider will have access to data on your transaction. The brand you bought the item from is now in possession of your purchasing data, and the metaverse you're exploring has data on where you've been, where you are, and where you'll likely go next. With data collected from all these different avenues, the responsibilities of the data controller could fall onto multiple parties.

This only represents the tip of the proverbial iceberg regarding what little we know about data security and potential privacy implications in the metaverse's persistent digital state. With multiple metaverses on the horizon—centralized and decentralized—defining data privacy rules in such an uncharted virtual environment will prove complex and unwieldy.

Will the GDPR and other jurisdictions with similarly robust data security legislation lead the charge for data and privacy reform? Will new laws be agile enough to govern the metaverse while evolving as quickly as the technology they govern? After all, the GDPR is responsible for pioneering the most progressive and complete legal standards for the privacy and protection of personal data and broader data security worldwide.

At this point, most jurisdictions' current antitrust and data security practices seem wholly outmoded as a means of governing and encompassing an evolving interoperable space such as the metaverse. However, there's ample room for creating new legislation and compliance mechanisms that allow the metaverse to deliver on its potential.


Ensuring Safe Data Privacy & Protection Practices In The Metaverse

The metaverse presents both universal and novel modes of operation. Safeguarding data privacy will require compliance with external global privacy laws, balanced with adherence to strict self-governance. Updated data privacy legislation and blueprints for self-regulatory internal compliance programs are needed. Currently, there isn't a single universal data privacy and protection law that can govern the rights of all users operating within a global metaverse. 

To comply with laws such as the GDPR, it'll be up to metaverse providers to implement transparent user policies and privacy notices that define the parameters around the collection, use, and transfer of user data within the metaverse.

With data security arguably the Achilles' heel of the metaverse, solutions in the form of updated consent models, contractual accountability, and legislative reform may act as a safety net for users, third parties, and developers alike. Additionally, actionable guidance from data regulators will show platform providers and third parties how to effectively enact safe security measures around user data.

In the future, users should prepare for a ride far more intensive than the consumer experience on major Web 2.0 platforms. The loosely defined parameters around the collection, use, and transfer of personal data in the metaverse need addressing, or users risk entering the uncharted wild west of a new cyber-realm. 

As ways to address the many issues of data privacy and protection in the metaverse, some have suggested the creation of a virtual Interpol, transitioning to a subscription-based platform model, and building VR infrastructure with privacy by design embedded. Data governance enforced via a decentralized autonomous organization (DAO) has also been raised as a way to allocate accountability effectively.

With all these rudimentary ideas in the ether, we thought we'd address a few other potential ways to remedy the legal issues and shortcomings of data security in the metaverse in our upcoming article, 'Ensuring Safe Data Privacy & Protection in the Metaverse.'

Stay tuned to find out how platform providers and third parties can navigate compliance to ensure digital experiences in evolving metaverse spaces are safeguarded with agile data security practices.

This is the first article in a three-part series on Data Privacy & Protection in the Metaverse.