Data Privacy and the Metaverse

It seems that ever since Mark Zuckerberg announced the rebranding of the former Facebook as Meta, the world has been on an urgent quest to understand what the metaverse truly means and how it is going to shape our future. In reality, the term metaverse is not that new. It appeared almost 30 years ago in Neal Stephenson's iconic science-fiction novel Snow Crash. The book presents the metaverse as virtual reality with user-controlled avatars

Metaverse at the forefront of the privacy debate? 

Even though the word metaverse is not new, most people are concerned with the outcome of this new paradigm. And this collective unsettling feeling can be explained by what is known as the Collingridge dilemma: it is hard to predict the various impacts of a technology until it is fully developed and widely used, but by then, it is almost impossible to control or change.

That said, although Meta itself has affirmed that no company will own or operate the metaverse alone, the company created by Mark Zuckerberg is taking the lead in this new virtual reality world, which, considering the company’s erratic relationship with data privacy in the past, has raised the concern of many.

To most people’s surprise, the social media giant has decided to base its metaverse development in Europe, home of one of the world’s strictest data privacy regulations, the General Data Protection Regulation (GDPR). This points to a changing scenario and a growing awareness, even among the most controversial companies, of the importance of being compliant even before a product launch (or, in this case, before the launch of a whole new reality).

Although Meta’s initial attitude is worthy of praise, many questions remain regarding the metaverse’s level of respect for privacy laws. The Oculus Quest 2, recently bought by Facebook, imposes the need for a Facebook account, which has displeased German antitrust regulators and has also raised concerns regarding the collection of data about the user, the people with whom the user interacts, and the user’s surroundings, all of which contradicts the current data minimisation principles established by the GDPR.

Metaverse and its Data Protection Implications for Tech Companies

It is also important to mention that Biometric Data is categorized as Personal Data because it constitutes information capable of identifying a natural person, which means that all rights regarding the use of Personal Data are applicable:

  • The right to be informed; 
  • The right of access; 
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability; 
  • The right to object; 
  • The right to data rectification; 
  • And rights concerning automated decision making and profiling.

In other words, companies relying on data must be transparent about how the data will be used and when it is being collected. Also, it is critical that both opt-out and erase options are freely available.

All those measures were already points of discussion with the Facebook Ray-Ban Stories sunglasses, which include dual integrated 5MP cameras that allow for videos of up to 30 seconds by pressing a button at the temple or by using hands-free voice commands. What caused many to refer to the new product as “creepy” is the lack of a clear indication that the glasses are recording, except for a white LED light, which has even led the Ireland Data Protection Commission to question Facebook about the effectiveness of the light in notifying bystanders.

Facebook has already faced the consequences of the lack of transparency and data use authorization in a class-action lawsuit filed by the American state of Illinois in 2015, motivated by the alleged use of photo face-tagging and other biometric data without the permission of its users. On that occasion, the tech giant settled.

On a positive note, Meta recently dropped the use of facial recognition in its apps. So, when it comes to such innovative, world-changing technology, if recent years have taught us anything, it is that as exciting as fiction is, reality imposes respect for legal rules. Therefore, tech companies must be prepared to deal with clients’ growing data protection concerns.
