Metaverse and privacy
Early in the summer, the Spanish Data Protection Agency (Agencia Española de Protección de Datos, the "AEPD") once again refuted the mistaken belief, sometimes held, that public institutions exist apart from reality, by publishing an interesting article on its blog under the title "Metaverse and privacy".
In this article, the AEPD analyses some of the implications that use of the metaverse [1] could have for individuals' privacy. More importantly, it does so on the basis of a rational assessment, seeking, as the AEPD itself acknowledges, to avoid "FOMO" (fear of missing out), which could easily lead to a rash embrace of the metaverse.
Personal data in the metaverse
While we could argue at length – and even enter into philosophical debates – as to whether or not the metaverse forms part of reality, it is an indisputable reality that personal data is processed in the metaverse.
In its blog entry, the AEPD makes two points on which there appears to be broad consensus among the experts:
- Use of the metaverse entails an exponential increase in data processing; and
- Biometric and other types of data not currently used extensively will be processed: nonverbal information, such as changes in posture captured by smart devices, which in turn allow a person's emotional response to an event to be analysed.
In fact, we will have to look not only at data collected directly from the data subject through neural interfaces or wearables (such as smart glasses that capture information on dilations and contractions of the iris), but also at the analysis the data controller makes of such personal data and the conclusions that can thus be drawn (for example, data on health, political opinions or sexual orientation).
This will put data protection regulations to the test, particularly certain obligations and mechanisms established in the GDPR, which should be habitually applied by data controllers that use or offer technologies establishing a virtual environment like the metaverse:
- the application of privacy by design and by default;
- data protection impact assessments;
- compliance with, among others, the principle of transparency;
- automated decision-making in the situations established by law;
- the processing of special categories of personal data;
- the explicit consent of data subjects when processing such special categories of personal data (which must be obtained for each separate purpose of the processing);
- the implementation of appropriate technical and organisational measures; and
- interactions with minors.
The challenge here is not strictly a legal one (that is to say, one of regulatory compliance), but also one of user experience: how do we reconcile strict respect for these obligations and principles with an experience that is not tedious for the user?
As the AEPD points out, all the technologies that make up the metaverse (virtual reality, digital identity systems, the Internet of Things, wearables, neural interfaces, artificial intelligence, and even cryptocurrency and NFTs) bring their own risks to privacy that have to be managed. However, the joint application of all (or several) of these technologies may entail risks to individual rights and liberties that are difficult to foresee even today.
This author is of the opinion that the GDPR contains a body of regulations that are sufficiently generic and broad to respond to all the risks to privacy generated by the various types of processing, and that, in line with the accountability principle, it is each data controller's responsibility to decide how far they wish to take certain obligations and principles. Changing the rules of the game in view of the degree to which the metaverse could interfere in data subjects' lives, though, would be another matter entirely.
[1] The term "metaverse" is a portmanteau of "meta" (a Greek term meaning "beyond" or "after") and "verse" (from "universe"), used to refer to a virtual or alternative world, i.e. one that exists beyond the world we currently know.