1. Types of personal data in the metaverse

The GDPR only applies to personal data. Personal data is any information that allows the identification of a natural person. In web 2.0, such data are mostly IP addresses, usernames and email addresses. This data will also be processed in the metaverse. But due to the additional devices used to connect to the metaverse (e.g., VR applications) additional personal data will be processed. Such data will be in particular physical activities of the user, e.g., to control the avatar or to have it appear more alive. This extends from simple motion sequences and body and hand posture to facial expression and gaze capture. The Quest Pro presented by Meta on October 11 2022, shows that this is no vision of the far future. The Quest Pro headset has body, facial expression and gaze detection installed. According to Meta, this should make avatars seem more alive and allows for new ways of interaction. This data, at the same time, makes it possible to process biometric data in the VR headset in accordance with Art. 9 of the GDPR. The GDPR places very strict requirements in this regard. For providers such as Meta, processing of this data will therefore only be possible on the basis of consent.

2. The principal of data minimisation in the metaverse

A basic principle of data privacy law is data minimisation. Only data that is necessary in relation to the purpose for which it is processed, may be processed. This principle will gain particular importance in the metaverse due to the sheer amount of data that will be generated in the metaverse. Is the full capture of all movement, facial expressions, and eyes necessary for the metaverse to work as desired? At least nowadays, avatars have not yet reached a resolution that would make it necessary to capture every single facial expression and have it displayed by the avatar. Furthermore, at least the users should ask themselves whether it is necessary to have every body movement captured by the avatar.

Like in our previous article, one asks himself what (data privacy) laws are applicable in the metaverse? Is the GDPR also applicable in the metaverse?

1. Application of the GDPR

The GDPR is technology-neutral and can therefore also be applied without restrictions to the metaverse. But the GDPR requires a certain connection to the European Union (Article 3 GDPR).

Such a connection results either from an establishment in the Union, the offering of goods and services or the monitoring of the behaviour of persons in the Union. In the case of companies that are established in the EU such as Meta, the GDPR will therefore be easily applicable. More interesting, however, well be the application of GDPR to decentralized services such as Decentraland. Decentraland is based on a DAO, a Decentralized Autonomous Organization. The DAO is a group of owners of certain NFTs who collectively have the power to make decisions about the DAO. A DAO does not have a registered office, branch or agent. Nevertheless, like any other website, Decentraland records the interactions in Decentraland. Using this as a basis, it analyses the usage of the website and helps to personalise the site and tools. Due to the behavioural monitoring of users from the EU that this involves, the GDPR should therefore also be applicable. Decentraland. Decentraland basiert auf einer DAO, also einer Decentralized Autonomous Organization. Dies ist eine Gruppe von Inhabern bestimmter NFTs, die gemeinschaftlich die Entscheidungsgewalt über die DAO haben. Eine DAO hat keinen Sitz, Niederlassung oder Vertreter. Allerdings erfasst Decentraland wie jede andere Website auch die Interaktionen im Decentraland. Auf Basis dessen analysiert es die Nutzung der Seite und hilft bei der Personalisierung der Seite und Tools. Aufgrund der damit einhergehenden Verhaltensbeobachtung von Nutzern aus der EU dürfte ebenfalls die DSGVO daher anwendbar sein.

2. Conflicting laws

If other privacy laws (e.g., the California CPPA) are applicable besides the GDPR, conflicts between these regulations and the legal systems behind them will arise. Already nowadays, such conflicts are highly controversial, as the data protection laws are mandatory law and do not account for a conflict between different data protection laws. Choice of law is therefore not an option. In web 2.0, differences between privacy laws are currently either ignored entirely (often by non-EU based controllers) or special provisions are included in the terms of use and the privacy policies for different jurisdictions. Whether this will change in the coming years remains to be seen. A solution through, e.g., international agreements is not in sight.

The GDPR is known by many for its distinctive information obligations. These and other obligations affect the so-called data controller. The previous question of the application of the GDPR is also related to the concept of the data controller. This is therefore a key term of the GDPR.

1. Data controllers in the metaverse

The controller is the person who determines the purposes and means of the data processing. In other words: Who has the power to decide on the how, whether, why and to what extent data is being processed. The controller is the main point of contact for the data subject as this “person” takes responsibility for the processing of personal data and must ensure the protection of the rights of the data subject. In web 2.0, this is typically the company running a website or online service. For example, Google decides what personal data is collected on YouTube and for what purposes, and how long it is stored.

At first, it appears that the concept of a controller would contradict the main principle of the metaverse “no one controls the metaverse” which was already mentioned in the last part of our series.
Yet any processing of personal data will be carried out by a controller. Therefore, there will be controllers in web 3.0 as well: If there is a provider like Meta, the company running the platform determines the purposes of the processing like in web 2.0 and will be the controller. In case of a service like Decentraland, this seems to be problematic because of the DAO. However, the term “data controller” in European data protection law is not tied to a specific legal form. A DAO can, therefore, also be the controller regardless of its unclear legal classification.

2. Joint control

On a metaverse platform, companies and artists who have already established a digital presence and sell items of their trademarks or offer corresponding “brand experiences” may be jointly responsible along with the operator of the platform. Such joint control occurs when multiple individuals jointly hold the power to make decisions on the purposes and means of the data processing. Facebook fan pages are a prominent example for joint control: On such fan pages Meta processes the visitor’s information and provides aggregated statistics to the company running the fan page. Although the company itself cannot see the individual data of a specific user, it provides the content for the fan page and is therefore enables visitors to visit the fan page.
Appearances of companies and artists in the metaverse can therefore, depending on their characteristics, be called “metaverse fan pages” and lead to a joint control. It would be conceivable that the reactions of users to the offers of companies (e.g., in terms of facial expressions) and the demographic data of the visitors could be processed by the provider of the platform and then be made available to the offering company in bundled form. This would allow a much more detailed evaluation of the visitors.

The legal consequence of joint controllership is, in particular, the obligation to be jointly liable for data privacy violations. For established companies, joint liability will be in particular harmful where the other party held liable is, e.g., a DAO. In such cases, the company which is easier “accessible” by the data subject will be held liable, the established company. Although one could then take recourse with the other joint controller, taking recourse with a DAO will be difficult.

Besides this, there could also be constellations where more than two parties are joint controllers. In a digital department store, for example, the operator of the platform and the respective store owner could be joined by the operator of the department store, who would then all be collectively responsible for the data processing.

Stay tuned for our journey through the Metaverse and feel free to take a look at the other legal topics we have highlighted in other posts in this blog series: