Clifford Chance

Talking Tech

Metaverse and privacy: The views of the Spanish Data Protection Agency

Metaverse Data Privacy Consumer 21 October 2022

The Spanish Data Protection Agency (Agencia Española de Protección de Datos, the "AEPD") has published an interesting article on its blog under the title "Metaverse and privacy".

In this article, the AEPD analyses some of the implications that use of the metaverse could have for individuals' privacy. It seeks to flag key concerns and considerations relating to the very real processing of personal data that occurs in relation to virtual spaces, and cautions that rational evaluations must balance any "FOMO" (fear of missing out) when businesses consider embarking on metaverse initiatives.

Personal data in the metaverse

While philosophical debates may be had on whether the metaverse forms part of "reality", it is an indisputable reality that personal data is processed in connection with metaverse projects.

In its blog entry, the AEPD makes two points on which there appears to be broad consensus among the experts:

  • Use of the metaverse entails an exponential increase in data processing; and
  • Biometric and other types of data that are not currently extensively used will be processed – including, for example, nonverbal information, such as changes in posture captured using smart devices, which in turn allow an emotional response to an event to be analysed.

In addition to data collected directly from the data subject through neural interfaces or wearables (such as smart glasses that capture information on dilations and contractions of the iris), data processed in this context is also likely to include analysis made by the data controller of such personal data and the conclusions drawn from this (which could in some cases be special categories of personal data, for example, data on health, political opinions or sexual orientation).

This will involve applying data protection regulations in an entirely new context, particularly certain obligations under the GDPR which should be habitually applied by data controllers that use or offer technologies that establish or interact with a virtual environment like the metaverse, including:

  • The application of privacy by design and by default;
  • Conduct of data protection impact assessments where required;
  • Compliance with, among others, the principles of transparency and data minimisation;
  • Adherence to requirements for certain types of automated decision-making, including to avoid bias and discrimination;
  • Applying appropriate protections to the processing of special categories of personal data;
  • Obtaining sufficiently granular, unbundled (and, in some cases, explicit) consent of data subjects where necessary;
  • The implementation of appropriate technical and organisational measures for the security, availability and resilience of personal data; and
  • Appropriately managing interactions with minors.

The challenge here can be how best to respect and fulfil legal obligations and principles while maintaining a positive user experience.

Consulting on regulation of the metaverse

As the AEPD points out, the technologies that are enabling creation of the metaverse or virtual worlds (such as virtual reality or augmented reality technologies, digital identity systems, the Internet of Things, wearables, neural interfaces, artificial intelligence, and even cryptocurrency and NFTs) can each bring their own risks to privacy that have to be managed. However, the joint application of all (or several) of these technologies may entail risks to individual rights and liberties that are difficult to foresee even today.

As a technology-neutral regulation, the GDPR arguably contains a body of regulations that are sufficiently generic and broad to respond to all the risks to privacy generated by new technologies and types of processing, with each data controller being responsible for how to implement certain obligations and principles. However, in the interests of ensuring that this argument holds true, the European Commission announced in September 2022 that it would open a consultation in the first quarter of 2023 to determine whether existing rules, including those on data flows and telecoms infrastructures, are fit for purpose in relation to the metaverse or should evolve.

For more on data protection and other legal considerations in relation to the metaverse, see our articles: