Metaverse & Privacy: a first look by the Spanish Data Protection Authority

The Spanish Data Protection Authority, the “Agencia Española de Protección de Datos” (AEPD), published on June 14th, 2022 a paper titled “Metaverso y Privacidad,” in which it draws a first picture of the critical points of contact between data protection legislation and the Metaverse. The AEPD describes the Metaverse as a virtual environment that is by nature fully data-driven and aimed at engaging the user in multiple dimensions (economic, political and social), to the point of virtualizing every aspect of the user’s life and extending the data collected to nonverbal and biometric information.

In this regard, the AEPD first and foremost points out that use of the Metaverse can be very intrusive, since it allows the processing (often unconscious and unintentional from the user’s perspective) of a wide range of information about human activity, with greater precision than before, including: biometric data collected through wearable devices (e.g. watches); body language, and the emotional responses it reveals, captured via the controllers that interface with the Metaverse; and individuals’ reaction times and behavioural patterns. Moreover, by increasing the number of connected devices they use, users widen the gateway to their most intimate characteristics: in other words, they add further avenues through which malicious actors can reach their network and steal information.

The Spanish Data Protection Authority points out that the mass processing of personal data carried out in the Metaverse must, of course, comply with EU Regulation No. 2016/679 (GDPR), with specific, particular and delicate attention to the following aspects:

  • auditability and transparency, with a specific focus on automated decisions, in order to avoid abuse, bias and discrimination;
  • a clear redetermination of the privacy roles of the actors involved in their various capacities: this in turn raises the question of who will be in charge of collecting any consent from the data subject and of publishing the notices required under Articles 13-14 of the GDPR;
  • adequate security of the wearable (and other) devices used, in order to preserve the confidentiality, availability and integrity of the personal information collected through them;
  • compliance with the principle of data minimization under Article 5(1)(c) of the GDPR, as well as with the other cardinal principles prescribed by EU data protection legislation;
  • safeguarding and special protection of vulnerable individuals;
  • adequate protection and management of the related, even high and amplified, risks to the rights and freedoms of the data subject.