Data protection in Metaverse: Ascertaining privacy in the ever-expanding virtual world

Contemporary digital era continues to unravel countless possibilities of transforming human civilization. Metaverse, being no exception to such tremendous possibilities, exists as a vivid apparatus to simulate and amplify the magnitude of real-world human interactions in a virtual space. In the simplest terms, metaverse is a virtual platform that offers opportunities to interact in an extended version of real-life simulations.

Users interact in the metaverse through digital characters, that can be customized to personalize their interactions. Such interactions are not limited to socialization and aim at augmenting the conventional human experience of multifarious areas including business, education, entertainment, healthcare and all the practices stemming from human interactions. In many ways, metaverse converges real and virtual worlds. It functions as a gigantic virtual platform hosting a multiplicity of interfaces that operate simultaneously, generating and accumulating large volumes of data every second .

Metaverse, as an industry, can be observed to find continued global acceptance, where its market size of US Dollars 22.79 billion (2021) is projected to reach US Dollars 996.42 billion by 2030 . The promising figures reflect that metaverse is here to stay. As metaverse is heavily reliant on large volumes data accumulation, privacy concerns surrounding metaverse are inevitable. Such concerns become particularly relevant amidst the complex data-hosting structure of metaverse.

Understanding the complexities of metaverse

Metaverse appears to be simplistic but is in-fact enveloped with complexities. Structurally, metaverse is a virtual reality to its users, and offers them opportunities to interact and collaborate through a multiplicity of interfaces that involve techniques aimed at simulating every dimension of real-world. Consequently, metaverse should not be perceived merely as a virtual world, but as a host of countless and ever-expanding virtual worlds that accumulate, store and exchange massive volumes of data every second.

Metaverse functionalizes itself either as a centralized model, or a decentralized one. While a centralized model operates as per the policies of the metaverse owner, a decentralized one is dependent on users’ decisions and offers autonomy concerning regulation and other user-centric features .

As mechanisms to augment user-experiences, metaverse employs extended reality techniques involving motion detection, data capturing and even biometric identification methods that intensify the metaverse experience, and provide countless avenues of data accumulation and exchange while users across the world shop, play, earn, learn, socialize or interact in the metaverse environment . Evidently, metaverse offers a global platform for data-oriented interactions that call for a concrete regulatory regime, in order to ensure privacy of users as they engage in the captivating metaverse experience.

Data protection challenges surrounding metaverse

While the vivid metaverse experience augments many facets of human life, it comes with numerous threats to users’ privacy. Metaverse appears to be the vanishing point of data protection laws, due to its underlying structural and functional complexities. As metaverse hosts innumerable avenues of interactions at a global stage, the magnitude of data accumulated is humungous. Such data might form a part of personal data of users , which might be detected and stored sooner than the users may realize.

Additionally, as metaverse offers innumerable possibilities of data accumulation, storage exchange, and transfer, the ideally expected practice necessitates obtaining consent of users prior to every interaction. However, as metaverse aims at simulating real-world experiences, pop-ups requesting consent before every additional operation are considered as unnecessary frictions in the seamless metaverse experience. Consequently, the compliances of providing notice and obtaining consent are substantially reduced as a cost to effectuate the metaverse experience . While such a practice is necessary to materialize the immersive experience which metaverse promises, avoiding compliances concerning consent might have serious ramifications translating to privacy infringement of users.

As another challenge, the applicable jurisdiction of data protection laws in metaverse is uncertain, as metaverse unravels the possibility of owners, hosts and users belonging to different jurisdictions . It appears logical for the metaverse owner to build its virtual world in compliance with the data protection regulations of its jurisdiction. However, there seems to be an ambiguity concerning the cases in which users and hosts belong to jurisdictions at variance with the jurisdiction of the metaverse owners. In such cases, there is absence of a legal force that could bind metaverse owners to comply with the conditions mandated by a foreign jurisdiction unlike the case with other platforms such as online gaming platforms where operation of a uniform privacy policy becomes relatively easier due to simplicity of structure and a centrally operated data collection mechanism.

Further, as metaverse thrives on data gathered from global interactions, data localization norms appear to wither away, in addition to the ambiguity surrounding the regulatory regime governing accumulation, storage, sharing and transfer of personal data in case the jurisdiction of the metaverse owner lacks a robust data protection regime.

The way forward

As metaverse evolves parallel to the evolution of the global data protection regime, there are numerous ambiguities and challenges surrounding the regulation of metaverse. Inclusion of a user-privacy clause in the metaverse service agreement, explicating the applicable data protection law appears to be a viable solution to the uncertainty around difference in jurisdictions. However, it has its own limitations as it falters in cases where laws concerning the jurisdiction of the metaverse owner do not extend to citizens of other states. Further, despite determination of a definite regulatory force through contracts, functional challenges in metaverse, such as unviability of the traditional consent obtaining procedure remain unresolved.

Gaurav.G.Arora
Partner, JSA

A universal regulatory design ensuring privacy of metaverse users seems apt response to the ambiguities and challenges concerning metaverse. As a concrete step to create such a framework, the World Economic Forum is in the process of framing a global metaverse governance policy. The policy is being developed under the initiative “Defining and Building the Metaverse”, which aims to “accelerate the development of metaverse governance” targeted towards ensuring safety of the metaverse environment globally, without stifling innovation. While the initiative aims to bring together global tech leaders, academicians and policy makers to resolve the concerns surrounding metaverse regulation, its viability would depend on the choice of sovereign states to accept the global metaverse governance policy.

As metaverse transcends domestic data protection regimes, it is expected that the policy would resolve the regulatory complexities of metaverse at an international pedestal by accommodating the globally accepted best practices concerning data protection including inter alia data minimalism, purpose limitation, notice and consent, thereby ensuring the privacy of users without obstructing their immersive metaverse experience.

Co-authored by: Aditi Richa Tiwary

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members

Scroll to Top