Web 3 data protection: already a reality?

If web3 (short for web 3.0) is generating so much discussion, it is because it is inextricably linked to the notion of the metaverse, an immersive 3D environment where individuals can interact using avatars. And yet web3 is a very distinct concept. Considered the next evolution of the Internet, it revolves around technologies such as blockchain, NFTs and wallets, which are not essential ingredients of the metaverse. Although it is based on the idea of returning power to Internet users by creating a “decentralized” web that aims to do away with the tech giants, web3 poses a certain risk of cyberattacks to users because it involves various digital assets. But while its contours remain relatively unclear, a legal environment already exists and must be applied to protect personal data.

No legal “no man’s land”, but a legal framework that exists

of web3 consists of a multitude of aspects – or rather metaverses (with and without blockchain, with and without virtual reality headsets, etc.) – which can already provide information on the challenges of data collection according to the accompanying technologies to be supported. regulations other than GDPR. There is in particular the DSA (Digital Services Act), the regulation on digital services, which aims at a secure European Internet with international reach and creates transparency through the appointment of compliance managers in France for foreign players. Meanwhile, the DMA (Digital Markets Act) aims to fight abuse of dominant position. Organizations such as the CNIL (Commission Nationale de l’Informatique et des Libertés), which aims to protect the data of vulnerable people, will carry out a monitoring and control mission and apply sanctions in case of violation or excess. We also note that existing metaverses depend on different applicable laws, but that they are all subject to European regulations and must therefore comply with the GDPR. It is nevertheless necessary to refer to the privacy policies and general conditions of each of these metaverses, which are closed universes, to verify that this mention is present. Finally, to protect against possible attacks related to the wallet (a solution that makes it possible to secure funds and track transactions), it is possible to work with exchange platforms that have received PSAN approval issued by the control authority of the Banque de France (a system created under the PACTE law, whose purpose is to regulate the market related to digital currencies).

Being web3 compliant is possible

Launching into the metaverse often requires a contract, which should be framed by first performing a security audit. The first step is to ask the IT department (DSI) to provide the service provider's information system (IS) security policy, in order to know the measures taken for data protection (infrastructure and architecture, location of data, authorization policy, procedures, data security and certificates). This process must be followed by a contract signed by both parties (an obligation deriving from Article 28 of the GDPR) that includes a certain amount of information required by the GDPR and the instructions given by the data controller (from determining the data collected through to the retention period, including the categories of data subjects, the minimization principle and the framework for subsequent subcontracting). To maintain control of transfers outside the EU, there are a number of legal tools, such as the adequacy decision or the appropriate safeguards listed by the GDPR. Since standard contractual clauses are not sufficient, the implementation of additional technical and organizational security measures may be appropriate, as well as stronger data anonymization. It is absolutely necessary to educate users by providing them with an information notice about the privacy policy and by displaying a disclaimer in the metaverse. It is also a matter of making them aware of the risks they may be exposed to (hacking, phishing, etc.) and checking their data, and of reminding them of the good reflexes to adopt (communicating sensitive information as little as possible, etc.). The internal compliance registry will centralize all information and keep it up to date, including data recipients and all ecosystem players.

At the dawn of the big data era we are living through, data protection has become a major topic. Laws already exist and are being enforced, even if they are not sufficient and need to be adapted to the characteristics of the metaverse. Above all, anyone who intends to operate on web3 must limit risks and comply with regulations.

Tribune written by Julie Jacob, Founder of Jacob Avocats
