While humanity has produced 33 zettabytes of data in 2018this volume may reach 181 zettabytes in 2025. This growth is explained, among other things, by the democratization ofThe Internet of Things (IoT) for several years: an increase in the number of devices that can receive information (micro, motion sensors, heart, etc.) also enable increased monitoring of user interactions. Among this large amount of data, we find what are called personal datathat is, information about a natural or identifiable person.
Therefore, the processing of personal data is currently a central issue in the digital field. Although GDPR provides an answer to many questions on the subject, there are still gray areas. Therefore, starting from this premise invites us to position ourselves now on the issue of personal data processing within the (so-called) digital world of tomorrow: metaverse.
Billions of dollars have been invested in Metaverse technologies, more and more organizations (private or public) are interested in it, and Meta has become its hobby horse. Despite everything, there is still no clear definition of the metaverse. Some define this concept as the unification of the real and virtual worlds through, in particular, virtual reality. One of the main points of this concept is based onINTEROPERABILITYthe ability to transfer digital assets from one application to another.
A user reaches the metaverse through an avatar that has a virtual identity. Although most systems today allow you to create an avatar without asking for personal information, this does not mean that this creation remains anonymous. The avatar is associated with an account, an account that performs actions that may generate data.
To begin with, Data protection laws are designed for “physical” use cases.. When it became possible to exploit large amounts of data, these laws were updated. Implementing them in tomorrow’s metaverse while providing a continuous, live, synchronous and interoperable experience can be complex. Indeed, we still have difficulty measuring the impact on data management that the metaverse may have because, since this phenomenon is very new, we have no concrete examples of it.
New risks to identify
As Micaela Mantegna, professor of artificial intelligence (AI) ethics at Harvard University, said: “Metaverse is the convergence point of the Internet, social networks and video games. Therefore, it focuses on the ethical issues that existed with social networks, internet governance and AI.. As a result, the user experience would be completely turned upside down, the field of possibilities would be practically endless. This would inevitably result from new data types to be purchased for providers of access to a metaverse. This would be especially the case for biometric data, essential for the proper functioning of a virtual reality world. All this data can be recorded and used without anyone guaranteeing that it will not be used for commercial purposes. They will most likely complement the vast amount of data that already feeds marketing targeting algorithms. The collection of this much personal data would be done without the knowledge of the user, the latter not knowing at any moment the amount of data collected during his virtual experience.
New tools available in the metaverse can help track this new data and improve its accuracy. Continuous monitoring would enable, after all, a more accurate definition of the person’s lifestyle and environment. This would make it possible to analyze, at a previously unattainable level, the different sensations and reactions of users, enough to learn more about human behavior. Let us remember, however, that 20 minutes spent in a virtual world equals over 2 million body language recordings.
Despite everything, the dangers are still very present and are identical to those we know today (Lies, data breaches, phishing, etc.). Currently, the GDPR prohibits the collection of biometric data unless consent is given in advance. It is surely in this nuance that GAFAM and other metaverse suppliers can play to collect freely biometric data of the user. Indeed, the choice here will probably not be one, since the collection of biometric data may be a prerequisite for entering a metaverse. Therefore, it may be impossible to access these virtual spaces without collecting our personal data.
The number of companies (not to mention legal entities) involved in running a metaverse may also be unprecedented. Indeed, the user experience will require extensive customization based on their profile, interests and behaviors. Users will be able to move between different metaverses, which could allow the collection and exchange of many data sets between these different companies. Such use raises a number of privacy issues. The key is to determine how to manage the sharing of this personal data by establishing the contractual liability and confidentiality obligations necessary to ensure its use.
A second layer of complexity stems from the fact that additional contractual requirements exist in many countries if personal data is transferred outside of specific jurisdictions. Transfers outside the EU have been the subject of particular attention, requiring in-depth scrutiny. How will the metaverse take (or not) these considerations into account? Will regulators be able to provide models and guidance to strike the right balance between efficiency, pragmatism and individual privacy rights?
Furthermore, the GDPR is only applicable to companies and users based within the European Union. How would this translate to a virtual world like a metaverse? Should it be based on the users current location? Depending on where a company or a person resides, the regulations will not necessarily be the same.
Enforcing this set of internet rules is already cumbersome. It is unclear how companies will manage legal compliance in a metaverse-like digital world. Won’t the latter make it even more difficult for organizations, outside the UK and Europe, to know when they are targeting products or services originating in the EU and therefore under the GDPR?
Today, we have no idea what form regulation will take within these metaverses. We can easily imagine it being run by single organizations (similar to today’s social media platforms, which are approaching Meta). It is also possible for governments to take care of this themselves through the development of their own metaverse, as in China with The Yuan Universe. Instead, it will be possible to find decentralized metaverses that will allow users to have full control over their data.
The issue of an actor who can manage confidentiality within a (non-decentralized) metaverse is an issue that is important to address today. It is imperative that the concept of the metaverse be considered as a specific case and appropriate regulations be introduced in the years to come.
Quentin Thiebault, Tom Carpenter AND Yacine Loualitene for Data Intelligence Club ofAEGEE