Search
Contact
13.09.2022 | KPMG Law Insights, KPMG Law Insights

Metaverse: Privacy in the digital world

The Metaverse is currently being traded as the next iteration of the Internet. A precise definition of what the term “metaverse” actually means and how it will be technically designed has not yet been determined. However, the consensus is that the metaverse will be a decentralized, virtual, highly interactive and transaction-driven space with fluid links to the real world. New technologies in the field of “Extended Reality” as well as the introduction of “Digital Twins” – digital representations of real assets – offer completely new forms of interaction and evaluation of accruing data. Even a 20-minute use of a VR headset can capture up to two million data points; many of them biometric and thus worthy of special protection. In this context, one of the major legal challenges is to bring the Metaverse in line with existing data protection regulations, in particular those of the General Data Protection Regulation (GDPR).

Responsibility under data protection law

The GDPR is also applicable in the Metaverse. Their obligations affect controllers established in the EU or processing personal data obtained in the EU. But the uncertainties already begin with the answer to the fundamental question of responsibility under data protection law. According to Article 4 No. 7 of the GDPR, a controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The way the Internet is currently designed, responsibility can be determined relatively easily by assigning a website to an operator. When a new website is called up, the responsibility of the operator of the old site is left and that of the operator of the next site is entered. However, such clear demarcations will hardly be conceivable in the metaverse and are not compatible with the idea of an immersive virtual world with seamless transitions between the most diverse offerings. A connection to the “owners” of virtual spaces, in which the avatars of users reside, is a possible approach. However, there will also be “public” areas in the metaverse, such as squares and paths, which cannot be assigned to any individual provider:in and to which the virtual stores and presences are adjacent. How will these need to be addressed? Are the adjacent provider:s jointly responsible? Or is there a virtual “infrastructure provider” who is responsible for data processing in these areas? The decentralized and seamless design of the metaverse will still lead to some headaches when determining data protection roles under the GDPR.

Information requirements under data protection law

A question of a more practical nature concerns the fulfillment of information obligations under Articles 13 and 14 of the GDPR. Accordingly, data controllers must provide information about the details of data processing in advance. If the current practice of detailed privacy statements were to be transferred to the metaverse, this would literally lead to “walls of text” that would have an extremely disruptive effect on immersion and have a lasting negative impact on the user experience. Here, the hitherto hardly observed Article 12 para. 7 of the GDPR come into play. This provides for the use of standardized image symbols. This can reduce the amount of text required. By interacting with the respective icon, users can obtain additional information about the identified data processing.

Marketing, sensitive data & consents

The integration of extended reality devices – i.e., devices such as headsets and other sensors that are capable, among other things, of transmitting the user’s facial expressions, gestures, and other movements to his or her avatar – processes vast amounts of biometric data in real time, which can even indicate medical indications. Optical sensors detect the user’s surroundings – usually his or her own home – and microphones transmit every spoken word. The collection of this data will provide entirely new opportunities for profiling and tracking technologies. For example, pupil dilation indicates that the user likes the ads or products he or she is looking at without being able to consciously control this. While the use of biometric and other sensitive data regularly requires explicit consent anyway, the question arises as to whether extensive evaluation and use of other data that users unknowingly disclose may be carried out for marketing purposes on the basis of a legitimate interest or likewise only on the basis of consent. And how should consent be structured? An implied consent in the online area cannot be assumed without further ado. An express declaration of intent by the user is required. Simply continuing to use a website despite the cookie notice or accepting pre-filled checkboxes is not sufficient. Accordingly, merely entering a metaverse presence that triggers processing requiring consent is not likely to have any corresponding explanatory content. But is a nod of the avatar’s head sufficient as consent?

Third country transfer

While the difficulties outlined above can largely be solved through designs of a technical nature and, as in the area of cookie banners, an increasingly clear line of jurisprudence on the exact requirements is likely to emerge, the much bigger problem is the third-country transfer of the data. Due to the multiple increase in the number of data collected and the constant transfer of data when using the Metaverse, recourse to the existing transfer instruments does not always appear to be expedient. In particular, the standard contractual clauses on international data transfer are still subject to the basic idea of the current design of the Internet, i.e., that there are data exporters and data importers as well as data processing operations that can be defined in advance in each case. But if the Metaverse is indeed a decentralized platform, part of its appeal is that users are constantly in spontaneous exchange of their data with third parties in their virtual environment. It is difficult to determine in advance which data will be transmitted by whom and to whom for which purposes – except in a controlled environment in which the user’s options are reduced to a predictable level. But this would be contrary to the idea of a true virtual world.

Conclusion

Even considering this small selection of obvious data protection law issues shows that the law in its current form is not yet designed for use in decentralized virtual worlds. It will be a challenge for all parties involved to find an appropriate balance between user-friendliness and immersion on the one hand and compliance with data protection requirements on the other. However, newly developed smart technical and legal methods make it conceivable to reconcile a virtual world that rivals the diversity of our reality with current data protection law – even if future regulatory adjustments will be unavoidable.

Explore #more

14.11.2024 | KPMG Law Insights

EU deforestation regulation forces companies to act

Anyone who trades in or uses the raw materials soy, oil palm, cattle, coffee, cocoa, rubber and wood and certain products made from them should…

06.11.2024 | In the media

Interview in stores + stores magazine on the topic: “Companies need AI rules”

Evaluating application videos using AI, translating employment contracts via smartphone or using AI analyses for target agreements and salary discussions – all of this is…

31.10.2024 | In the media, Legal Financial Services

Statement by Ulrich Keunecke in the in-house counsel on the topic of capital market compliance

For private equity investors, going public is the most common exit strategy when investing in a company.
However, family businesses and SMEs can also gain…

30.10.2024 | In the media

Guest article in ZURe on the topic of reporting channels under the Whistleblower Protection Act and the Supply Chain Due Diligence Act

The dual obligation to implement reporting channels in accordance with the HinSchG and LkSG poses major personnel and administrative challenges for practitioners, especially in times…

25.10.2024 | In the media

Guest article in the Audit Committee Quarterly: New regulations on the remuneration of works councils

On June 28, 2024, the German Bundestag passed the Second Act Amending the Works Constitution Act (BetrVG). This amendment is intended to increase legal certainty…

23.10.2024 | In the media

Guest article in the Neue Zeitschrift für Gesellschaftsrecht: Update Gesellschafterdarlehen: Risks in M&A transactions

Christian Hensel and Daniel Dörstling have published a new article on the insolvency-proof handling of shareholder loans in the context of M&A transactions in the…

18.10.2024 | Deal Notifications

KPMG Law advises Adiuva Capital on the acquisition of a majority stake in Advellence Solutions AG and Sharedien AG

KPMG Law Rechtsanwaltsgesellschaft mbH and KPMG Law Switzerland (KPMG Law) advised the owner-managed investment company Adiuva Capital GmbH (Adiuva) on the due diligence, structuring and…

18.10.2024 | KPMG Law Insights

BAG: Showering can be working time

Can showering be working time? The Federal Labor Court had to decide on this question (BAG, judgment of April 23, 2024 – 5 AZR 212/23

11.10.2024 |

Deforestation regulation: The most common mistakes made by companies

The very name of the regulation is misleading. “Deforestation Ordinance” sounds more like a set of rules for agriculture or forestry. But it…

11.10.2024 | In the media

Guest article in the Asset Management Guide 2024: The Fund Market Strengthening Act – Flexibilization and Debt Fund reloaded

On August 5, 2024, the Federal Ministry of Finance published the draft bill for the Act to Strengthen the German Fund Market and Implement Directive…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll