‘- Article written by Aurora Agostini and Jessica Giussani
We can already recognize the revolutionary role that the Metaverse plays in relational and social dynamics. However, this is an evolving topic. Talking about the law applicable to the Metaverse in 2022 may be comparable to discussing the law applicable to the Internet in the 1960s (in the days of ARPANET, to be clear).
As we watch this new reality shape up, we begin to question what it might mean to apply a relevant and comprehensive legal framework.
Thoughts on the definition of the Metaverse
There is no single definition of Metaverse. The evolution of the technology involved is so rapid that it is not possible to imagine all the features that future Metaverses may have.
However, we can identify one central concept that unites all of them: Web 3.0. It represents a collection of emerging technologies including:
- Virtual Reality (VR), Augmented Reality (AR) and Mixed Reality (MR) or overall Extended Reality (XR) technologies.
- Virtual currencies, cryptocurrencies and tokens, with an enabling ecosystem.
- Digital identity techniques.
- Digital entity or avatar and their realistic interaction, projecting users’ movements and facial expressions.
- NFTs (non-fungible tokens), which are digital assets: stocks, art, games, tickets to digital events, property, land, etc.
- The Internet of Things, IoT, wearables (goggles, helmets, haptic gloves, joysticks, smart watches, sensors, etc.) and neural interfaces (Brain-Computer
- Interfaces, BCI), as sources of information for physical-virtual interaction, enabling the processing of biometric features.
- Artificial Intelligence (AI), essential for responding to real-world behavior, enabling intelligent interaction between users and avatars, and for decision-making and profiling.
- Distributed and decentralized data network infrastructure such as blockchain, 5G, cloud or edge computing.
These technologies make the Metaverse a fluid experience in a hybrid environment, where the boundaries between physical and virtual reality are almost nonexistent. The direction is consistent with the digital revolution already underway, geared toward an integration of both our online and offline experiences.
The theme of the conjunction of real and virtual has a relevant consequence for users: actions performed in the Metaverse will have repercussions in real life. Working online for a company in the Metaverse, as well as building interpersonal relationships, will be traceable to one’s identity. Together with the actions performed in the real world, therefore, they will help build one’s reputation.
The Metaverse, as well as the Internet, is accessible to everyone for free (as long as one possesses the necessary technology to access it), and everyone has the opportunity to create virtual spaces and avatars, giving rise to an ever-expanding universe.
Multinational corporations and content creators, as is the case with social networks, will acquire and control larger portions of space where to allocate the businesses. Consequently, it will consistently affect user perception and experience.
Privacy in the Metaverse: risks and protections for users
The first aspect to consider is the concept of identity. The avatars that populate digital reality are not fictional creations, but represent to all intents and purposes a person’s identity. They are therefore subject to the same responsibilities and enjoy the same rights as a human being in real life.
Moreover, any virtual environment is, for definition, fully data-driven. Therefore it enables the processing of a wide range of information related to human activities.
The issue of privacy is therefore of central importance, considering the enormous amount of personal data that can circulate and the value to companies. For this reason, it is crucial to regulate this new digital dimension as soon as possible.
The European Union is taking steps to formulate a regulation that will govern its use and, above all, protect user data. Four proposed regulations are currently being evaluated:
- the Digital Services Act,
- the Data Law,
- the Digital Markets Law,
- the Data Governance Law,
- the proposed AI Regulation.
It is on the latter, i.e., the Artificial Intelligence Act, that the main expectations converge for striking the right balance between technological, security a,nd data protection aspects.
All the technologies that form the Metaverse environment (social networks, AI, IoT, neural interfaces, etc.) pose privacy risks that must be managed. Moreover, the combined application of all these technologies can lead to individual and social effects that generate risks on a scale that is difficult to estimate ahead of time.
In the Metaverse, the user experiences events in the virtual world that are the same as in the real world. People face all kinds of risks related to privacy: mass surveillance, discrimination, loss of autonomy, fraud, or identity theft. Even the use of personal data, through vulnerabilities in wearable devices or in the virtual environment itself, could pose real physical risks to the health of users handling them.
Privacy compliance for companies in the Metaverse
For companies that intend to establish within the Metaverse, massive data processing must comply with the provisions of the GDPR. Therefore, it is necessary to assess the following aspects:
- mechanisms for minimizing data collected by wearable devices,
- governance mechanisms of the Metaverse and establishment of transparent rules for the protection of rights, clearly establishing the roles of those involved and their submission to supervisory bodies,
- audits and transparency, especially in automated decisions, to avoid abuse, bias, profiling and discrimination,
- appropriate management of wearables and devices to protect data transmitted and stored, including taking into account the possibility of collecting biometric data from which even more personal information can be inferred,
- data protection impact assessments, given the number of technologies (some of them new) competing in the Metaverse and amplifying risks to rights and freedoms,
- protection of data subjects’ rights, including the right to erasure and deletion,
- specific safeguards for privacy, design and default setting, which can be applied, for example, to preserve the privacy of avatars and their digital footprint in the Metaverse,
- security, especially in terms of the availability, resilience and confidentiality of personal data that are part of the processing carried out in the Metaverse.
Such assessments often require involving professionals with extensive experience in the areas of Blockchain and Web 3.0, as well as privacy and intellectual property.
