WH Insights: Data Privacy in the Metaverse


04 Aug 2022

In today's WH Insights video, senior associate Patrick Massa discusses some of the key data privacy issues in the metaverse. WH Insights is a video series discussing key legal concepts, trending legal topics, news and legal updates. 

What is the metaverse?

It is a digital environment which, through innovative technologies such as virtual reality, augmented reality and blockchain, challenges the boundaries of our physical world and creates a new, unique digital universe.

Users can participate in this immersive universe by means of avatars which mimic our physical movements through wearable sensors. The combination of physical and virtual elements enables the performance of our everyday activities in the metaverse and therefore has the potential to change the way we interact, how we use services, and the way we do business.

The Metaverse and Data Protection

As with all other revolutionary technologies, there are various legal concerns surrounding the metaverse. In particular, many question the protection of users’ personal data.

The operation of the metaverse requires the processing of unprecedented volumes of personal data, including biometric data such as user movements, physiological responses, and even brainwave patterns, resulting in a much deeper level of user profiling. This, however, will surely require careful legal analysis, since the processing of biometric data is only exceptionally allowed under the General Data Protection Regulation.

Another concern relates to the sharing of user data between different entities in the metaverse. The interoperable and seamless nature of the metaverse requires a continuous flow of data between different entities. However, the GDPR establishes strict rules on personal data transfers, especially those involving entities located outside of the EU. Naturally, compliance with these rules is particularly challenging in the context of the metaverse, since the entities involved may be numerous and located all over the world.

Finally, there are cybersecurity incidents and personal data breaches, which may take a more complex form in the metaverse, such as through the hacking of avatars. Apart from such incidents being harder to detect and manage, it might also be difficult to determine which entities are responsible for fulfilling the legal obligations resulting from a data breach, such as notification to the affected data subjects and to relevant authorities.

While the metaverse is in its infancy, data privacy is already proving to be a challenging obstacle. Considering the notable efforts on the part of Data Protection Authorities to increase GDPR enforcement, it is key for businesses interested in using the metaverse to carefully consider how to reconcile data privacy with a metaverse business model.