The metaverse: privacy and data protection challenges

Lyndal Sivell, Betty Fei
18 Aug 2022

The metaverse presents incredible opportunities for businesses, communities and individuals, but it needs an up-to-date and dynamic privacy and data protection regime that protects all interests and allows for further technological advances.

Mainstream adoption of the metaverse is potentially not that far away. We can see movement towards fully immersive digital experiences through augmented and virtual reality advancements, the increased use of cryptocurrency and its underpinning blockchain infrastructure, as well as the prevalence of virtual gaming worlds like Roblox, Minecraft and Fortnite. While there is palpable buzz and excitement about the future of the metaverse, what does this mean for privacy and data protection? The very nature of the metaverse throws up a range of complex (but not insoluble) data privacy considerations for business and governments alike. Solving those will allow us all to unlock the value the metaverse promises.

Intimate, voluminous data sets

The way in which the metaverse works requires the collection, processing and disclosure of unprecedented volumes of personal data. Much of this is likely to constitute biometric or health information, such as user movements, physiological responses, and even brain wave patterns.

While the collection, processing and disclosure of biometric and health information are not completely at odds with privacy and data protection regulation, they present particular challenges and necessitate heightened protection.

Under the Privacy Act 1988 (Cth), biometric information that can be used for the purpose of automated biometric verification or identification, biometric templates and health information comprise sensitive information which, with some exceptions, requires the relevant individual's express consent before it can be collected, processed and disclosed. The EU General Data Protection Regulation (EU GDPR) treats biometric data (which is broadly defined, seemingly so as to respond to and capture future permutations) and data concerning health as special categories of sensitive personal data. In most cases the individual's explicit consent will be needed, together with the satisfaction of other requirements, including the conduct of privacy impact assessments and any additional conditions and limitations imposed by member states.

Interoperability of the metaverse

Where does all of that data go? The metaverse necessitates the continuous flow of data between and amongst individuals and entities. Without data-sharing, in many cases the metaverse just simply will not work. These individuals and entities can be numerous and located all over the world.

This is an area that will need some further thought and refinement. As the Office of the Australian Information Commissioner (OAIC) notes, data flows do not recognise geographical borders. Privacy and data protection frameworks, by contrast, are jurisdictional, although some extend outwards to create a bridge to other jurisdictions. For instance, an entity under the Privacy Act generally must ensure that an overseas recipient will handle an individual's personal information in accordance with the Australian Privacy Principles, and is accountable if the overseas recipient mishandles the information. Under the EU GDPR, personal information can only be transferred outside of the European Economic Area to countries or international organisations that provide an adequate level of data protection (whether via an adequacy decision of the European Commission or by ensuring that appropriate safeguards and other conditions are met).

Cyber security incidents and data breach complexities

Cyber security incidents and data breaches may take a more complex form in the metaverse. Phishing attacks, malware infections of augmented and virtual reality devices, and hijacked avatars and accounts in the metaverse will likely be harder to detect and manage.

This also raises critical questions about who is responsible for what. For instance, in a data breach scenario, under the Notifiable Data Breaches (NDB) scheme, any organisation or agency that the Privacy Act covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. The NDB scheme already contemplates scenarios where more than one entity will have obligations under the NDB scheme as they are jointly responsible for the personal information. However, this is likely to take a more complicated and nuanced form for personal information collected, processed and disclosed in the metaverse.

Business and regulation working together

The metaverse presents incredible opportunities for businesses, communities and individuals – such as remote working and better collaboration, improved learning and training, enhanced customer engagement, branding and marketing opportunities and immersive customer engagement.

Privacy and data protection are not a barrier to the metaverse. Rather, the metaverse needs to be developed and played out in an environment that is informed by, and prioritises, privacy and data protection. We need up-to-date and dynamic privacy and data protection laws that address the metaverse and allow for further technological advances. There need to be ways to ensure that metaverse developers are aware of, and promote, privacy and data protection compliance. Individuals should also be fully informed of their privacy and data protection rights and given tools to proactively protect their personal information in the metaverse.


Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.