The Metaverse is currently being traded as the next iteration of the Internet. A precise definition of what the term “metaverse” actually means and how it will be technically designed has not yet been determined. However, the consensus is that the metaverse will be a decentralized, virtual, highly interactive and transaction-driven space with fluid links to the real world. New technologies in the field of “Extended Reality” as well as the introduction of “Digital Twins” – digital representations of real assets – offer completely new forms of interaction and evaluation of accruing data. Even a 20-minute use of a VR headset can capture up to two million data points; many of them biometric and thus worthy of special protection. In this context, one of the major legal challenges is to bring the Metaverse in line with existing data protection regulations, in particular those of the General Data Protection Regulation (GDPR).
Responsibility under data protection law
The GDPR is also applicable in the Metaverse. Their obligations affect controllers established in the EU or processing personal data obtained in the EU. But the uncertainties already begin with the answer to the fundamental question of responsibility under data protection law. According to Article 4 No. 7 of the GDPR, a controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The way the Internet is currently designed, responsibility can be determined relatively easily by assigning a website to an operator. When a new website is called up, the responsibility of the operator of the old site is left and that of the operator of the next site is entered. However, such clear demarcations will hardly be conceivable in the metaverse and are not compatible with the idea of an immersive virtual world with seamless transitions between the most diverse offerings. A connection to the “owners” of virtual spaces, in which the avatars of users reside, is a possible approach. However, there will also be “public” areas in the metaverse, such as squares and paths, which cannot be assigned to any individual provider:in and to which the virtual stores and presences are adjacent. How will these need to be addressed? Are the adjacent provider:s jointly responsible? Or is there a virtual “infrastructure provider” who is responsible for data processing in these areas? The decentralized and seamless design of the metaverse will still lead to some headaches when determining data protection roles under the GDPR.
Information requirements under data protection law
A question of a more practical nature concerns the fulfillment of information obligations under Articles 13 and 14 of the GDPR. Accordingly, data controllers must provide information about the details of data processing in advance. If the current practice of detailed privacy statements were to be transferred to the metaverse, this would literally lead to “walls of text” that would have an extremely disruptive effect on immersion and have a lasting negative impact on the user experience. Here, the hitherto hardly observed Article 12 para. 7 of the GDPR come into play. This provides for the use of standardized image symbols. This can reduce the amount of text required. By interacting with the respective icon, users can obtain additional information about the identified data processing.
Marketing, sensitive data & consents
The integration of extended reality devices – i.e., devices such as headsets and other sensors that are capable, among other things, of transmitting the user’s facial expressions, gestures, and other movements to his or her avatar – processes vast amounts of biometric data in real time, which can even indicate medical indications. Optical sensors detect the user’s surroundings – usually his or her own home – and microphones transmit every spoken word. The collection of this data will provide entirely new opportunities for profiling and tracking technologies. For example, pupil dilation indicates that the user likes the ads or products he or she is looking at without being able to consciously control this. While the use of biometric and other sensitive data regularly requires explicit consent anyway, the question arises as to whether extensive evaluation and use of other data that users unknowingly disclose may be carried out for marketing purposes on the basis of a legitimate interest or likewise only on the basis of consent. And how should consent be structured? An implied consent in the online area cannot be assumed without further ado. An express declaration of intent by the user is required. Simply continuing to use a website despite the cookie notice or accepting pre-filled checkboxes is not sufficient. Accordingly, merely entering a metaverse presence that triggers processing requiring consent is not likely to have any corresponding explanatory content. But is a nod of the avatar’s head sufficient as consent?
Third country transfer
While the difficulties outlined above can largely be solved through designs of a technical nature and, as in the area of cookie banners, an increasingly clear line of jurisprudence on the exact requirements is likely to emerge, the much bigger problem is the third-country transfer of the data. Due to the multiple increase in the number of data collected and the constant transfer of data when using the Metaverse, recourse to the existing transfer instruments does not always appear to be expedient. In particular, the standard contractual clauses on international data transfer are still subject to the basic idea of the current design of the Internet, i.e., that there are data exporters and data importers as well as data processing operations that can be defined in advance in each case. But if the Metaverse is indeed a decentralized platform, part of its appeal is that users are constantly in spontaneous exchange of their data with third parties in their virtual environment. It is difficult to determine in advance which data will be transmitted by whom and to whom for which purposes – except in a controlled environment in which the user’s options are reduced to a predictable level. But this would be contrary to the idea of a true virtual world.
Even considering this small selection of obvious data protection law issues shows that the law in its current form is not yet designed for use in decentralized virtual worlds. It will be a challenge for all parties involved to find an appropriate balance between user-friendliness and immersion on the one hand and compliance with data protection requirements on the other. However, newly developed smart technical and legal methods make it conceivable to reconcile a virtual world that rivals the diversity of our reality with current data protection law – even if future regulatory adjustments will be unavoidable.
© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.
KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.