Data collection and processing within the Metaverse

Users’ activities within the Metaverse aka Web 3.0 by nature entail the collection and processing of considerable amounts of data. This includes a variety of personal data, (a) starting from master data, such as names, (b) via usage data, such as payment data or data on users’ emotional or physiological responses, (c) up to sensitive data, such as biometric data or other health-related data. There seem to be hardly any factual or technical limits to the amount and variety of personal data that could be collected and processed within the Metaverse in the medium or long term.

Apart from that, the Metaverse’s imminent aspect of so-called immersion likely has the effect to reduce the users’ ability and perception to make decisions avoiding the collection and processing of personal data.

The need for appropriate data protection rules

Within this mixture, it should be beyond question that such data processing within the Metaverse needs to be subject to regulation in order to appropriately safeguard the privacy rights of data subjects. In this context, it is quite controversial at the moment if the GDPR is, in fact, capable to adequately address the enormous challenges that the Metaverse poses to data protection. Especially since the GDPR – even though being relatively young – dates back to a time where the European legislator certainly did not focus on Web 3.0 aspects and implications. It is therefore not surprising that there are some voices calling for an update and amendment of the GDPR to better address and meet such new challenges ahead.

It remains to be seen how the European legislator will position itself with regard to such emerging challenges of the Metaverse, which inter alia include the challenges laid out below concerning (a) the attribution of entities operating within the Metaverse to specific data protection roles defined by the GDPR, (b) information duties in order to provide users with sufficient information on the data processing in question and (c) obtaining consent for data processing, where required.

Fuzzy roles

The large and continuously growing number of entities operating within the Metaverse and their increasing interaction with each other will in all likelihood create a network of complex relationships that – at some point – will make it extremely difficult to attribute each of them to the given data protection roles defined by the GDPR, i.e.

• sole data controller in the sense of Art. 4 no. 7 GDPR,
• joint data controller in the sense of Art. 4 no. 7 in conjunction with Art. 26 GDPR or
• data processor in the sense of Art. 4 no. 8 GDPR,

and, thus, to determine who is ultimately responsible for the data processing in question.

In particular, the demarcation between the roles of data controller (Art. 4 no. 7 GDPR) and data processor (Art. 4 no. 8 GDPR) could become quite challenging, when the activities of various entities become more and more interwoven, making it difficult to determine who does what on whose behalf. Due to the CJEU’s very broad interpretation of joint data controllership, there are already considerable challenges in demarcating the data protection roles in complex networks outside the Metaverse. This probably gives a good indication how challenging such qualification may become with the increasing complexity of networks within the Metaverse.

Impact on information duties and obtaining consent

Such potential challenges in defining the relevant data protection roles also have significant impact on applicable information duties (Art. 13 and 14 GDPR) that data controllers need to fulfil, inter alia requiring the designation of the data controller, the specification of the data processing in question (such as affected personal data, purpose and legal grounds) and at least the categories of involved data processors.

The same potential challenges apply to obtaining consent, where required due to the processing of sensitive data (Art. 9 para. 2 lit. a GDPR), in cases of automated decision-making (Art. 22 GDPR) or for certain marketing measures. In this context, the situation is aggravated by the circumstance that the GDPR requires consent to be given for each purpose of data processing, whereby – at the same time – the information provided needs to be sufficiently comprehensible to meet the transparency requirement of the GDPR. This is already a high-wire act nowadays in complex cases/networks and will certainly not become easier with the increasing complexity of the Metaverse.

In view of the above, there are already ongoing discussions on how to obtain consent and/or fulfil information duties most efficiently and in a legally secure manner, whereby two approaches are conceivable: One approach is to implement this uniformly for a particular Metaverse in its entirety. The other approach is to implement this for each individual entity in a particular Metaverse. Both approaches have their pros and cons. Unfortunately, neither approach seems to have the ability to convincingly and conclusively meet all challenges ahead without a remaining risk of being considered as non-transparent.

Therefore, it remains very interesting to see how this situation will further develop and which answers the European legislator or case law will provide to address such challenges ahead.