Mainstream adoption of the metaverse is potentially not that far away. We can see movement towards fully immersive digital experiences through augmented and virtual reality advancements, the increased use of cryptocurrency and its underpinning blockchain infrastructure, as well as the prevalence of virtual gaming worlds like Roblox, Minecraft and Fortnite. While there is palpable buzz and excitement about the future of the metaverse, what does this mean for privacy and data protection? The very nature of the metaverse throws up a range of complex (but not insoluble) data privacy considerations for business and governments alike. Solving those will allow us all to unlock the value the metaverse promises.
Intimate, voluminous data sets
The way the metaverse works requires the collection, processing and disclosure of unprecedented volumes of personal data. Much of it may constitute biometric or health information: user movements, physiological responses, and even brain wave patterns captured by the headset and controllers.
While the collection, processing and disclosure of biometric and health information are not completely at odds with privacy and data protection regulation, they present particular challenges and necessitate heightened protection.
Under the Privacy Act 1988 (Cth), biometric information that is to be used for the purpose of automated biometric verification or identification, biometric templates and health information are all "sensitive information" which, with some exceptions, requires the relevant individual's consent (in practice, express consent) before it can be collected, and attracts stricter limits on use and disclosure. The EU General Data Protection Regulation (EU GDPR) treats biometric data (broadly defined, seemingly with a view to capturing future permutations of the technology) and data concerning health as special categories of personal data. Processing is prohibited unless one of a limited set of conditions applies; in most cases the individual's explicit consent will be needed, alongside other requirements such as a data protection impact assessment where the processing is likely to result in a high risk to individuals, and any additional conditions and limitations imposed by member states.
Interoperability of the metaverse
Where does all of that data go? The metaverse necessitates a continuous flow of data between and amongst individuals and entities. Without data sharing, in many cases the metaverse simply will not work. Those individuals and entities can be numerous and located all over the world.
This is an area that will need further thought and refinement. As the Office of the Australian Information Commissioner (OAIC) notes, data flows do not recognise geographical borders. Privacy and data protection frameworks, by contrast, are jurisdictional, with some extending outwards to create a bridge to others. For instance, an entity bound by the Privacy Act generally must take reasonable steps to ensure that an overseas recipient will handle an individual's personal information in accordance with the Australian Privacy Principles, and remains accountable if the overseas recipient mishandles that information. Under the EU GDPR, personal data may only be transferred outside the European Economic Area where the European Commission has issued an adequacy decision for the destination country or international organisation, or where the exporter puts in place appropriate safeguards (such as standard contractual clauses) and satisfies the other conditions of the transfer regime.
Cyber security incidents and data breach complexities
Cyber security incidents and data breaches may take a more complex form in the metaverse. Phishing attacks, malware on augmented and virtual reality devices, and compromised avatars and accounts will likely be harder to detect and manage. The practical point is that a headset is an endpoint carrying the sensor streams described above, so a compromised device or account can expose continuous movement, physiological and biometric data rather than a static set of records.
This also raises critical questions about who is responsible for what. For instance, under the Notifiable Data Breaches (NDB) scheme, any organisation or agency covered by the Privacy Act must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to any individual whose personal information is involved. The NDB scheme already contemplates scenarios in which more than one entity holds the same personal information and therefore shares those obligations, and in that case only one of them needs to notify. However, with personal information collected, processed and disclosed across many parties in the metaverse, working out who holds what and who should notify is likely to be considerably more complicated and nuanced.