Outlook: The Metaverse and Data Protection Compliance

One of the most discussed and controversial modern technologies is the metaverse. Many big tech companies describe the metaverse as the next era of the mobile internet: a fully immersive, persistent 3D world. However, there is no agreed definition of the term metaverse.

Over the last few months, the metaverse has gone mainstream and major tech companies have invested heavily in this technology: Meta, Microsoft, NVIDIA, Alibaba, ByteDance, The Sandbox Games and many more, to name only a few. Recent research from Grand View predicts the metaverse market size will reach more than 678 billion USD in 2030.

The most common feature will likely be a digital identity, also known as an avatar. Matthew Ball, venture capitalist and metaverse expert, describes the metaverse as a “…persistent and interconnected network of 3D virtual worlds that will eventually serve as the gateway to most online experiences, and also underpin much of the physical world.”

Meta recently showed a futuristic-looking headset for medical students practicing surgery using an input device on each fingertip. These haptic gloves create a feeling of really holding an object – according to this video. This is just one example of many use cases within the metaverse. All of this leads to a massive amount of data collection and raises several data-protection-related questions and concerns.

The use of AR or VR glasses – which create an immersive experience – means collecting new kinds of data from users, such as biometric data, psychological and emotional responses, and eye-tracking data. According to the GDPR, this means collecting and processing highly sensitive data. Additional measures need to be in place, and explicit consent from users is needed when processing sensitive data.

Furthermore, it will be difficult to define the roles of data controller, data processor and joint controller. Explaining and defining who does what on behalf of whom is a major challenge because the metaverse is highly interoperable and intermingled. It is also not easy to collect consent from users for each metaverse application without interrupting the experience.

The metaverse experience will likely be a “no border” experience, which means third-party data transfer is something to look at. Currently, the Privacy Shield between the EU and the US is invalid, and there is an agreement in principle on new transfer mechanisms to create a “Privacy Shield 2.0”. What exactly the new transatlantic data framework will look like remains unclear. This could be another legal implication for the metaverse.

One possible solution to some of the data protection issues (like user consent) is to develop data intermediaries that act on behalf of the user and serve as a trusted and neutral link between people and organizations. The EU has recently developed a framework for data sharing and consent management for people via data intermediaries in its Data Governance Act. ePrivacy is also working on research about data intermediaries for medical data (TreuMed).


There are many opportunities for the metaverse to have a positive impact on education and even on healthcare. Risks such as data protection and cybersecurity remain. Many risks have been identified but are not yet clear to their full extent, and more research and testing are necessary.