While humanity has produced 33 zettabytes of data in 2018this volume could reach 181 zettabytes in 2025. This increase is explained among other things by the democratization ofInternet of things (IoT) for several years: an increase in the number of devices capable of retrieving information (micro, motion sensors, heart, etc.) also allow for greater monitoring of user interactions. Among this huge amount of data, we find what is called personal datai.e. information relating to a natural or identifiable person.
The processing of personal data is therefore currently a central issue in the digital environment. While the GDPR provides an answer to many questions on this topic, there are still gray areas. Starting from this assumption, he therefore invites us to position ourselves now on the question of the processing of personal data within the (so-called) digital world of tomorrow: metaverse.
Billions of dollars have been invested in the technologies of the “Metaverse”, more and more organizations (private or public) are interested in them and Meta has made it its forte. Despite everything, there is still no clear definition of the metaverse. Some define this concept as the unification of the real and virtual world through, in particular, virtual reality. One of the key points of this concept is based oninteroperabilitythe ability to transfer digital assets from one application to another.
A user arrives in the metaverse via an avatar having a virtual identity. Although most of today’s systems allow you to create an avatar without asking for personal information, this does not mean that this creation remains anonymous. The avatar is linked to an account, an account that performs data-generating actions.
To start with, data protection laws were created for “physical” use cases.. When the exploitation of large amounts of data was made possible, these laws were updated. Applying them to tomorrow’s metaverse by providing a persistent, live, synchronous, and interoperable experience could be challenging. Indeed, we still find it difficult to measure the impact on data management that the metaverse can have because, being this phenomenon very young, we do not have concrete examples of it.
New risks to be identified
As Micaela Mantegna, professor of artificial intelligence (AI) ethics at Harvard University puts it: “The metaverse is the convergence point of the Internet, social networks and video games. It therefore focuses on the ethical issues that already existed with social networks, Internet governance and artificial intelligence.. Consequently, the user experience would be completely distorted, the field of possibilities would be practically infinite. This would inevitably result from new data types to be acquired for providers of access to a metaverse. This would in particular be the case with biometric data, which are essential for the proper functioning of a virtual reality world. All these data can be recorded and used without anyone guaranteeing that they will not be used for commercial purposes. They would most likely supplement the massive amount of data that already feeds marketing targeting algorithms. The collection of this numerous personal data would take place without the user’s knowledge, the latter not knowing at any time the number of data collected during his virtual experience.
New tools available in the metaverses could help track this new data and improve its accuracy. Constant monitoring would allow, definitely, a more precise definition of the way of life of the person and his environment. This would allow the different sensations and reactions of users to be analysed, to a level never achieved before, sufficient to better understand human behaviour. But let’s remember that 20 minutes spent in a virtual world equals over 2 million body language recordings.
Despite everything, the risks are still very present and are identical to those we know today (scam, data breaches, phishing, etc.). Currently, the GDPR prohibits the collection of biometric data unless consent is provided in advance. It is certainly on this nuance that GAFAM and other providers of the metaverse could play to collect freely user biometric data. In truth, the choice here probably won’t be one, as biometric data collection could be a prerequisite for accessing a metaverse. It may therefore be impossible to access these virtual spaces without our personal data being collected.
The number of companies (not to mention legal entities) involved in running a metaverse could also be unprecedented. Indeed, the user experience will require extensive personalization based on your profile, interests and behaviors. Users will be able to move between different metaverses, which could allow many datasets to be collected and exchanged between these different companies. Such use raises a number of privacy concerns. The main thing is to determine how to manage the exchange of this personal data by establishing the contractual liability and confidentiality obligations necessary to ensure its use.
A second level of complexity arises from the fact that in many countries there are additional contractual requirements if personal data is transferred outside specific jurisdictions. Extra-EU transfers have been the object of particular attention, requiring further investigation. How will the metaverse take (or disregard) these considerations? Will regulators be able to provide templates and guidelines for striking the right balance between efficiency, pragmatism and individual privacy rights?
Furthermore, the GDPR is only applicable to companies and users based within the European Union. How would this translate to a virtual world like a metaverse? Should it be based on users’ actual location? Depending on a company’s or individual’s country of residence, the regulations will not necessarily be the same.
Enforcing this set of rules for the Internet is already cumbersome. It’s unclear how companies will handle legal compliance in a metaverse-like digital world. Won’t the latter make it even more difficult for organisations, outside the UK and Europe, to know when they are targeting products or services originating in the EU and therefore subject to the GDPR?
Today we have no idea what form regulation within these metaverses will take. We can easily imagine it being run by individual organizations (similar to today’s social media platforms, which it looms with A half). It is also possible that governments take care of it themselves through the development of their own metaverse, as in China with the Yuan Universe. Instead, it will be possible to find decentralized metaverses that will allow users to have full control over their data.
The question of an actor who can manage privacy within a (non-decentralized) metaverse is an issue that is important to address today. It is imperative that the concept of the metaverse is considered as a specific case and that appropriate regulations are presented in the coming years.
Quentin Thiebault, Tom Carpenter And Yacine Loualitene for the Data Intelligence Club ofEG extension
For further :