Insights Data Protection and the metaverse


I have no doubt many of you feel the UK GDPR comes up constantly. Appointing a new supplier? Article 28 of the UK GDPR. Transferring data to the US? Chapter V of the UK GDPR and a Transfer Impact Assessment. Updating your T&Cs? Don’t forget about your privacy policy. Sitting around feeling content? You never know when a data breach might strike!

While it’s true that the UK GDPR has a wide scope affecting many businesses, there are many scenarios where it doesn’t apply. Let’s look at some real-world examples.

I need to purchase a new t-shirt – I make my way to a retail store, browse various items, speak to the shop assistant and try on a couple of t-shirts. I also try on a colourful, loose-weave jumper I secretly want but fear I can’t pull off. My reservations on said jumper were correct so I wonder up to the counter, purchase a new t-shirt with cash and leave.

Putting aside the issue of CCTV, this entire situation was a UK GDPR-free experience. There was no processing of my personal data, as nothing was captured digitally.

Similarly, a discussion about the weekend in the kitchen at work is a UK GDPR-free experience.

People sometimes ask me to what degree data protection will apply in the metaverse and my most casual response tends to be “IT WILL APPLY TO EVERYTHING!”.

The metaverse at its crudest, is permitting people to live out their lives, or aspects of their lives, in a digital world. This means everything that’s happening is happening digitally – and if it relates to an identifiable person, it will be considered processing, which is the trigger for UK GDPR to apply. Let’s look again at the examples given above.

In the metaverse I decide to purchase a new ‘t-shirt’ for my avatar. I pop to my friendly metaverse retail store, look at various items of ‘clothing’ and try some on. I go for the natty loose-weave ‘jumper’ this time, as my digital persona is cooler and bolder than I am. I purchase the ‘t-shirt’ and ‘jumper’ for my avatar with some ‘metaverse-coins’, and I leave. Everything that happened here has been recorded: the items I looked at and tried on, the route I took and the purchases I made. And there will have been more: the time I arrived, how long I took, what I was ‘wearing’ etc. Everything that related to an identifiable individual (my avatar connected to my metaverse account), would have been recorded as it would be considered processing.

Similarly, in the work-place kitchen example, everything discussed will be processed: who was there, what time the conversation took place, who said what, and much more will be processed.

I say all of this not to scare you or warn people off the metaverse. Technology enriches our lives in many ways. But there are numerous significant data protection aspects to consider when thinking about setting up a metaverse (or even setting up in a metaverse) – such as privacy notices, lawful bases, specified purposes, retention, processors, data transfers, security, DPIAs and LIAs.

The good news is that that these issues are unlikely to be insurmountable and considering them earlier will make life a lot easier than trying to retroactively become UK GDPR-compliant – some may have bad memories of doing just that in Spring 2018.

It’s also likely that we’ll have more guidance from the ICO on how the metaverse interacts with UK GDPR – both say they aim to ensure that data protection keeps up with new technology.

For now, the key message to take away is that data protection absolutely will apply in the metaverse – in fact even more there than it does in our existing world.