28 Sep Personal data protection in the Metaverse: operational challenges and regulatory uncertainties
Authors: Eleonora Margherita Auletta, Francesca Tugnoli, Giada Iovane
The term “Metaverse” is borrowed from science fiction and cyberpunk literature. It is used to identify the technological project introduced in 2021 by Meta Platforms Inc. The Metaverse was created through augmented virtual reality and powered by the massive convergence of data and metadata.
Personal data within the Metaverse: Focus on users’ psychophysical data
Within the Metaverse there is a strong connection between ordinary physical reality and augmented virtual reality. This leads to the duplication of identities when individuals join the Metaverse and create their own avatars. This inevitably entails the processing of a wide range of personal data, such as:
- Identification details which are required for creating the avatar;
- Location data;
- Data relating to habits, interests, preferences, and opinions; and
- Data relating to users’ psychophysical sphere, including behavioral data (e.g., emotional responses and social interactions) and body movement data (e.g., users’ posture, gaze, gestures, facial expressions, and interpersonal distancing).
Data relating to users’ psychophysical sphere take on key importance in the Metaverse in two specific ways. On the one hand, there is the (i) univocal identification of individuals, and on the other hand, with the previously acquired users’ psychophysical dataset, there is (ii) the possibility of considering such data as a source of “further” inferable information relating to users.
With respect to the first point, i.e., the univocal identification of individuals, emotional reactions and body movements are externalized by the avatar through the use of special technologies. This facilitates the individual’s identification within ordinary reality. It entails behavioral and body movement-related elements which, in virtual reality, become an information asset univocally referred to as the human being. What this concretely implies is that, in the Metaverse, such informational heritage gains unusual meanings, triggering the application of the EU Data Protection Regulation No. 2016/679 (hereafter, referred to as “GDPR“). In fact, unlike what happens with physical reality, movements and gestures may fall under the concept of personal data as defined in Article 4(1) of the GDPR and be processed (Article 4(2) of the GDPR) by the data controller.
Regarding the possibility to consider data processed in the context of the Metaverse as a source of “further” inferable information relating to users, once translated into the Metaverse, specific movements and/or behaviours may easily “reveal” sensitive details about the individual, such as medical diseases, physical disabilities or previously experienced traumas. Furthermore, data which may be further obtained by analyzing human characteristics is known as “inferred data” as per the GDPR provisions. Should these data reveal sensitive information, including data concerning health, the applicable legal framework would be the one set out in Article 9 of the GDPR with the relevant restrictions and conditions of processing.
Regulating the Metaverse despite the European regulatory gap
The numerosity and diversity of personal data involved in the processing operations put in place in today’s digital reality seem to necessitate an ad hoc regulatory framework. Such a framework should be aimed at punctually regulating data flows within the Metaverse and the interconnected relationship which is increasingly ubiquitous between the virtual and physical worlds.
Despite this need, to date, there is an apparent lack of a European intervention setting out adequate and specific legislation in the field.
The European Commission, without prejudice to the ongoing monitoring of technological and market developments, has, until recently, denied, even in the context of Parliamentary Questioning, its intentions to launch a study on the functioning of the Metaverse and to propose political measures and/or sector-specific legislation.
However, next year, 2023, could represent a real turning point in the history of this virtual space. The European Commission, in fact, announced, only a few days ago, that it plans to present a proposal for the regulation of the Metaverse. This is aimed at clarifying rules and expectations concerning this virtual reality.
The data protection requirements and the principle of accountability
In response to the current absence of any specific ex-ante European regulation governing the activities of users and companies in the Metaverse, it is possible, from the data protection perspective, to rely on the extraterritorial application – to a parallel virtual reality – of the GDPR thereby implementing one of its core principles, i.e., accountability.
This is due to the above-mentioned processing activities carried out in this context and which cannot be excluded from regulation. In accordance with this principle, companies operating in the Metaverse will have to be considered as data controllers, given their decision on both the purposes and means of the personal data processing. Consequently, several requirements shall be met to ensure an adequate level of protection of personal data referable to users and, at the same time, to mitigate the risk of possible security incidents and/or personal data breaches.
From a practical point of view, the data controller is required to:
- Provide information notices detailing the processing activity and the legal basis for the processing and flow of personal data within the virtual reality. This is done to increase users’ awareness and allow them to provide informed consent, where necessary and required as a legal basis for carrying out the processing;
- When carrying out new processing activities for a different purpose (so-called “secondary use”) and/or further processing based on the original purpose, provide for a systematic framing of those activities to ensure consistency of what was initially communicated to the user given the dynamic nature of virtual reality;
- Consider the requirements set forth in data protection legislation when designing systems and tools, in accordance with the principles of privacy by design and by default;
- Carry out a DPIA (Data Protection Impact Assessment) to obtain an adequate understanding of the increased threats and risks associated with the management of the information assets conferred to the Metaverse reality; and
- Comply with the processing and circulation limits established by Article 9 of the GDPR with respect to special categories of personal data, including data concerning health.
Until the intervention of the European institutions in the field of the Metaverse, the regulatory gap would appear to be temporarily and partially fillable by combining the provisions set forth in the GDPR, as far as data protection is concerned, and the contents of the proposals and new regulations constituting the recent European legislative projects for the digital transformation of society and the economy, including the AI Regulation, the E-Privacy Regulation, the Data Act, the Digital Markets Act (DMA), the Digital Services Act (DSA), and the Data Governance Act (DGA).
 The term was originally used by writer Neal Stephenson in the novel Snow crash (1992) to refer to a three-dimensional space within which individuals can move, share, and interact through digital human reproductions (the so-called avatars). See https://www.investopedia.com/metaverse-definition-5206578.
 Augmented reality (AR) is an enhanced version of the real physical world that is achieved through the use of digital visual elements, sound, or other sensory stimuli and delivered via technology. See https://www.investopedia.com/terms/a/augmented-reality.asp.
 Bailenson J.N., Protecting Nonverbal Data Tracked in Virtual Reality, in JAMA Pediatrics, August 6, 2018. https://stanfordvr.com/mm/2018/08/bailenson-jamap-protecting-nonverbal.pdf.
 Miller M.R., Herrera F., Jun H. et al., Personal identifiability of user tracking data during observation of 360-degree VR video, Sci Rep 10, 17404 (2020), October 15, 2020. https://www.nature.com/articles/s41598-020-74486-y.
 Bolognini L., Carpenelli M.E., The future of personal data in the Metaverse, Istituto Italiano per la Privacy e la Valorizzazione dei Dati, April 5, 2022. https://www.academia.edu/75598264/The_future_of_personal_data_in_the_Metaverse.
 Parliamentary Question – E-000656/2022(ASW) – Answer given by Thierry Breton on behalf of the European Commission (June 1, 2022): “At this stage, the Commission has no intention to launch a specific study into the functioning of the metaverse, but such a study is not excluded at a later stage. The Commission has also no immediate intention to propose specific policy or regulatory measures concerning the metaverse, in particular since the existing regulatory framework also applies to metaverse. For example, the Digital Markets Act and the Digital Services Act on which the political agreement was recently reached provide the appropriate framework and the necessary tools to tackle issues concerning metaverse“. https://www.europarl.europa.eu/doceo/document/E-9-2022-000656-ASW_EN.html.
 ART – Analysis and Research Team of the Councill of the European Union, Metaverse – Virtual world, real challenges, ART Paper, March 9, 2022. https://www.consilium.europa.eu/media/54987/metaverse-paper-9-march-2022.pdf.
 European Commission, statement, Brussels, September 14, 2022. https://ec.europa.eu/commission/presscorner/detail/en/STATEMENT_22_5525.
 Article 3 of the Regulation (EU 2016/679) of the European Parliament and of the Council of April 27, 2016 (GDPR). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
 The term “accountability” provided for in Article 24(1) of the Regulation (EU 2016/679) of the European Parliament and of the Council of April 27, 2016 (GDPR) refers to the proactive behavior that the Data Controller has to adopt to demonstrate the concrete implementation of measures aimed at ensuring the application of the Regulation. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
 Ibid ut supra, note 5.
 These are principles laid down in Article 25 of the Regulation (EU 2016/679) of the European Parliament and of the Council of April 27, 2016 (GDPR), which establish, on the one hand, the need to protect data from the design phase of the systems that contemplate their collection and use (privacy by design) and, on the other hand, the need to design processing systems that collect and process personal data only to the extent necessary to achieve the intended purposes and for the strictly necessary time period. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
 Proposal for a regulation on Artificial Intelligence, aimed at regulating AI systems that are considered high-risk, through the identification of obligations and responsibilities to AI system providers. https://eur-lex.europa.eu/resource.html?uri=cellar:e0649735-a372-11eb-9585-01aa75ed71a1.0001.02/DOC_1&format=PDF.
 Proposal for E-Privacy Regulation, aimed at regulating electronic communications, which will replace the E-Privacy Directive of 2002. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017PC0010&from=IT.
 Proposal for a regulation, aimed at promoting full interoperability of systems and increasing data portability, while protecting competition in different economic sectors. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0068&from=EN.
 A new regulation, which defines a set of rules addressed to platforms that have, in the digital market, a strategic role in the relationship between companies and consumers (so-called gatekeepers). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0842&from=en.
 A new regulation on digital services that defines new ways to prevent systemic risks and establishes certain obligations to online platforms depending on their size. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0825&from=IT.
 New Regulation on data (not just personal data) aimed at creating a European digital ecosystem in which promoting the availability and sharing of data belonging to the most strategic sectors. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0767&from=EN.