'It's the metaverse, stupid'
Kris Somers CIPP/E, CIPM
My nine-year-old daughter is, like many of her peers, a keen and apt digital native who spends (a lot of) time online in the digital environments of Roblox and Minecraft. Anybody who has read the (highly recommended) book “The Metaverse: And How it Will Revolutionize Everything” by Matthew Ball will realise that these game environments are very likely to be the first real preludes to the often touted but so far elusive “metaverse” (if you do not count the Linden Research 2003 Second Life experiment, that is).
If Ball and others are to be believed, considerable practical challenges aside, we are on the threshold of a digital revolution that will soon emerge from its online gaming cradle to take the global economy by storm. Some household names have already shown keen interest to jump on the “metaverse” bandwagon. The opportunities are vast, but so are the technical, financial and (yes) legal challenges – not to mention societal implications.
The European Commission’s digital agenda, which we discussed in a number of earlier contributions, is at least in part meant to meet some (if not all) of these challenges head on. Thus, the Digital Markets Act (DMA) is hoped to keep in check the power of gatekeeper platforms over our lives and commerce, whereas the Digital Services Act (DSA) endeavors to foster accountability on what is shared online. Both legal instruments are now formally adopted and soon to be published in the EU Official Journal, which will start transition periods seeing them enter into force in the coming year (with some DMA aspects even coming into effect immediately). Also the still to be finalized Artificial Intelligence Act (AIA) will bring into legal focus certain foundational groundworks of the metaverse to be built, particularly in relation to the (yet to be properly defined) “high risk” AI. The recent proposal by the European Commission for an AI Liability Directive speaks to the lawmaker’s concern that victims of harm caused by AI technology can access reparation, in the same manner as if they were harmed under any other circumstances.
Another interesting topic regarding the metaverse concerns data privacy. A recent joint study by the Universities of Berkeley and Munich reveals what the researchers consider to be the “unprecedented privacy risks of the metaverse”. Thirty study participants play-tested an innocent looking “escape room” game in virtual reality. Behind the scenes, an adversarial program had accurately inferred over 25 personal data attributes, from anthropometrics like height and wingspan to demographics like age and gender, within just a few minutes of gameplay. As notoriously data-hungry companies become increasingly involved in VR development, this experimental scenario may soon represent a typical VR user experience. In their study, the researchers illustrate how the potential scale and scope of metaverse data collection far exceed what is feasible within traditional mobile and web applications.
Indeed, as the metaverse is data-driven, the development and further use thereof by definition implies the collection of an extensive amount of personal data, such as physiological responses, facial movements, gestures, brainwave patterns and behavioral patterns. In the metaverse, wearables and other smart devices and platforms will need to be connected, which brings security risks, but also risks with respect to the processing of personal data, especially in regards to the unique profiles of end users.
But applying privacy laws to the metaverse is easier said than done. Starting with territorial application: Article 3 GDPR states that its rules apply to controllers and processors offering products or services to data subjects located in the EU. But where are data subjects located in the metaverse? Do we refer to the physical location of the end-user controlling the avatar, or the avatar itself, or the location of the relevant server? And how do you define international data transfers in a virtual world without boundaries?
Moreover, the complexities of interactions in the metaverse may make it difficult to define who acts as (joint) data controller and who as a (sub)processor for a particular processing activity. Drafting a data processing agreement or a joint controllership agreement for this virtual reality may prove challenging indeed.
Likewise, questions arise regarding the rights of data subjects, first and foremost the right to information about which personal data are being processed and for what purpose. Due to the different parties involved and the large amount of personal data that will likely be processed in the metaverse, properly informing the end-users about their data subject rights and determining the responsibilities in relation to the exercise of data subject rights might impose further challenges.
The flip side of technical interoperability as a crucial condition to make any metaverse work is the right to data portability: data subjects should have the right to transfer their digital selves (and all that adheres to that notion) between platforms. But will that be evident to the big players governing the metaverse? It is here where the gatekeeper notion of the DMA (and the scrutiny of those who are thus labeled) will come into play.
Another key concern is the extensive amount of personal data that will be collected in the metaverse: for example, real-time tracking of end-users by new technologies that collect eye tracking, emotional reaction, voice interaction, social interaction, touching, and hearing. As the abovementioned study illustrates, the combination of these data categories reveals specific personal characteristics and interactions that could create more unique profiles of end-users by means of an avatar. As such, the risks inherent to profiling and automated decision making (particularly in combination with the AI backbone of the platforms that ground the digital worlds) become poignant.
Last but not least, there is the security risk. Cybersecurity is already a key concern in safeguarding data integrity. The challenge of leveraging the appropriate technical and organizational measures in a global virtual environment thriving on interoperability and interconnection of networks and systems is at the heart of the revised Directive on Security of Network and Information Systems (NIS2).
It will be interesting to see how GDPR, the (still forthcoming) E-Privacy Regulation, the DSA, the Data Act and the AIA will interplay to meet these challenges… and whether regulators and supervisory authorities are up to the task of policing the virtual world.
As my daughter implicitly proves every time she makes a passionate plea for more “Robux” (the digital currency of the Roblox environment), the virtual world is getting very real indeed. Time to dive in and catch up.