DATA DEFENCE IN THE METAVERSE: IT’S NOT A GAME

DATA DEFENCE IN THE METAVERSE: IT’S NOT A GAME

The metaverse is an evolving concept that has been discussed for many years, but has recently gained a lot of attention due to advances in technology. The metaverse is essentially a virtual world where people can interact with each other and digital objects in a three-dimensional space. It is a complex and immersive experience that offers many opportunities but also presents new challenges from a data protection and privacy perspective. The use of avatars, data anonymity, data generation all present significant data protection challenges which this article explores.

Personal Data and Special Categories of Personal Data 

One of the biggest challenges of the metaverse is the collection and processing of personal data. In the metaverse, users create avatars that represent them in the virtual world. The creation of avatars will require the collection and processing of personal data, such as biometric data, behavioural data, and location data. This data is essential for interactions between users and functioning of the metaverse, but it also leads to heightened risks given the sensitivities of such data and the strict rules that apply to this type of data.

In certain situations, specific metaverse platforms may enable individuals to generate avatars featuring fictional characters that bear no resemblance to their actual physical appearance or personal information. Additionally, they can design various other objects or features that differ from their real-life counterparts, which is beneficial from an individual’s perspective as it enables individuals to ensure their anonymity when interacting with other users or vendors on the platform. Of course, this is only permissible as long as it’s deemed equitable and does not have any detrimental impact on others.

The use of avatars and pseudonyms in the virtual world also can make it challenging to attribute personal data to a specific individual. This in turn poses further data protection compliance issues such as cross border transfers, transparency and upholding the rights of data subjects as explained below.

Cross-border transfers of Personal Data 

Another challenge of data protection in the metaverse is the cross-border transfer of personal data. Users of the metaverse may be located in various countries, and their personal data may be transferred to servers located in other countries. This raises issues about compliance in multiple jurisdictions, each with varying data protection laws and regulations.

For example, the EU and UK GDPR provide a set of rules for the transfers of personal data to third countries. Third countries are countries which are considered to not have adequate levels of protection for personal data. These rules include putting in place one of the appropriate safeguards for such restricted transfers such as the UK’s International Data Transfer Agreement, EU Standard Contractual Clauses or binding corporate rules.

Transparency 

Another data protection issue in the metaverse is the lack of transparency in data collection and processing. Due to the nature of the metaverse, users interact with the virtual environment through avatars and other virtual representations, which can make it difficult for users to know when, where, and how their personal data is being collected and used. The provision of transparency information, often in the form of a privacy notice or user information, becomes challenging as individuals progress through this virtual environment.

Additionally, many metaverses rely heavily on algorithms to personalise user experiences and provide targeted advertising. However, the algorithms used in the metaverse are often complex and opaque, which makes it challenging for users to understand how their personal data is being processed and why they are being shown specific advertisements or recommendations (and when they consented to such processing).

Given the challenges in providing transparency information, providers of metaverses are often not  transparent about their data collection and processing practices, leading to invisible processing and leaving  users unable to make informed decisions about how their personal data is being used. This can erode trust in the metaverse ecosystem and ultimately its success.

Data subjects rights

A crucial issue arises regarding whom individuals can approach to assert their rights. Under the EU and UK GDPR, data subjects have a right to know what personal data is being collected, how it is being used, and who it is being shared with. They also have the right to access their personal data, rectify it, and erase it under certain circumstances.

This matter is complicated in the metaverse, as the operators in this virtual world, who usually act as data controllers, may not willingly reveal their identity or comply with requests from data subjects. They might conceal themselves behind email aliases or other proxies. This issue can be further complicated if one user’s privacy is violated by another user, where pseudonymity is no longer advantageous but instead becomes a liability, particularly when it comes to commercial entities such as advertisers.

Conclusion

As discussed above, there are some data protection challenges arising in the metaverse. To address these, metaverse companies should prioritise the following:  the provision of clear and concise explanations of their data collection and processing practices, ensuring that users have control over their personal data, developing mechanisms to comply with cross-border data protection requirements, and implementing robust privacy compliance programmes. As with any data collection, security is also fundamental and companies should work with their IT teams to ensure appropriate security is in place and plan for incidents if things go wrong.

Recent posts

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
Unable to row the distance: No copyright in a rowing machine as a work of artistic craftsmanship (WaterRower v Liking)
Read more
The wait is over – Sky v SkyKick decision handed down today
Read more
Autumn Budget 2024: Headlines
Read more
The Final Word
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
New reforms but a long wait for change: government publishes Employment Rights Bill draft
Read more
The UK's Data Protection Regulator begins its modernisation plans
Read more
A cautionary tale of lessons learnt in cases involving crypto fraud from D'Aloia v Persons Unknown Category A & Ors [2024]
Read more
‘This is a true story’: A lesson learnt from ‘Baby Reindeer’ for shows dramatising the lives of real people
Read more

More from this author

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
Facial Recognition Technology: skip the DPIA and face the consequences
Read more
The new UK government announce the Digital Information and Smart Data Bill
Read more
What businesses should consider before implementing monitoring
Read more
'Consent or pay’: the EDPB’s two cents on the right model
Read more
The Government moves to address unlawful immigration exemption under the Data Protection Act 2018
Read more
Byte by Byte: The progress of the UK Data Protection and Digital Information Bill
Read more
The UK Government bridges the gap for UK-US personal data transfers
Read more
The Culture, Media and Sport Committee’s recommendations on monitoring employees
Read more
The Government’s attempts to safeguard the immigration exemption under the Data Protection Act fails in the High Court
Read more
Navigating the grey areas of AI ethics: ICO's updated guidance provides clarity on utilising AI
Read more
EDPB releases lukewarm opinion on the EU-US Data Privacy Framework
Read more
ICO focusses on child protection in latest guidance to the games industry
Read more
Government to replace the UK GDPR
Read more

Share this page