Does the metaverse put personal data protection regulations in check?

Some people may be wondering what the metaverse is, or even that it goes unnoticed in their daily lives.

Avoiding technicalities, and in order to provide a simple explanation, we can say that the purpose of the metaverse is “the creation of an immersive digital world“.

That is, a world through which users, using convergent technology such as virtual reality glasses, haptic garments, etc. can perform the same activities they do in real life (going to the movies, meeting friends, studying, working, shopping, …) and that, in turn, what happens in this digital world has repercussions in their lives. For example, it could be the case of making a purchase of a product through this digital world and it arrives at your home as if you had ordered it “in the real world”.

Although the metaverse seems somewhat novel, it is a term that appeared in the 1992 play Snow Crash, where people could interact in a virtual world through avatars. This concept was also seen years later in the video game Second Life or, more recently, in the Decentreland platform where you can even buy virtual plots of land as if it were a reality.

However, although we are seeing great advances through virtual reality, we still cannot definitively state that we are facing an alternative digital world, although all this is yet to come and will affect us to a greater or lesser extent, just as the Internet or social networks did, for example.

Once we know at a high level the purpose of the metaverse, we can foresee that its use and application will bring with it numerous changes, both social and legal, and among others, the continuous creation of data will be a challenge to be addressed.

Therefore, based on the premise that the metaverse will generate an enormous amount of data, we must ask ourselves whether the General Data Protection Regulation (GDPR) will cover such an extensive model derived from the generation of data in a technological environment such as the one in question.

On the other hand, we must emphasize that the digital world of the metaverse is based on an intelligent infrastructure composed, among others, of structural, dynamic, ghost and orphan data, which are processed through Artificial Intelligence systems and associated with specific and individual users. But what do we mean by this type of data?

First, structural data is the set of data that contributes to the basic functioning of the metaverse. Within this set of data, we could differentiate between functional structural data, which does not contain personal data, and conformal structural data, which is used to provide personalized experiences and offers to the user, and therefore draws on the user’s personal data.

However, the most privacy-relevant data are ghost data and orphan data.

Ghost data is a kind of what we know as metadata. That is, data, for example, associated with social media posts and linked to the content generated by the user himself.

While metadata is transparent to the user, ghost data is characterized, as its name suggests, by not being visible and by displaying information that is unique, exclusive and complementary to the information contained in the main file. On this type of data, the author of the content has no control or ability to exercise the rights currently held by those interested in personal data protection.

Last but not least, we highlight orphan data, which will become relevant in the light of the development of this new technological paradigm called metaverse. These data are those found in cache memory systems and subsystems and will make it possible to temporarily unify all segregated information and identify all the preferences of a user, which poses a potential risk to the privacy of the interested party.

In summary, we could highlight that the technologies needed to intrude into a metaverse will capture a multitude of data, for example particularly sensitive data such as biometric data, the processing of which is already included in the GDPR.

But not only will this type of data be processed, but users will generate a high volume of data that can be used for different purposes, in which case, how will consent for the processing of such data be managed? Especially when such data is necessary for the metaverse to function properly, as is the case with technical cookies. In other words, in these cases, consent would be undermined and users would face the risk, as would the companies involved in this world, of collecting data without the user having control over it, although this does not exempt them from ensuring compliance with personal data protection right from the design and by default.

Therefore, based on the above, it would not be superfluous to review the concept of data and differentiate or particularize the existing types of data, in order to be in line with the current situation and ensure respect for data privacy with a user-centered approach.

See also in:


  1. very informational content