The future of personal data in the Metaverse

As we witness the Metaverse slowly and gradually unfolding before us as a new virtual world, bringing to life a continuous flow of information and images, including personal data such as human characteristics and inferred data, we will keep reflecting and asking many questions regarding its implementation, functioning and role in our everyday life, particularly from the perspective of the possible impact to our rights and freedoms. With regard to the protection of personal data, we have attempted to describe some of the key questions surrounding the applicability of certain conceptual categories provided for by the GDPR, and how some of its principles and safeguards could be implemented.  

While no one disputes the fact that the Metaverse will need to operate with information and personal data, we intuitively regard the data required for the Metaverse as being capable of revealing the most intrinsic, innate and distinctive features relating to human characteristics. The processing of these human characteristics, meaning physical, physiological and behavioural characteristics like human actions, gestures, movements and jolts, which can be involuntary and instinctive, will likely lead to the identification of an individual. Furthermore, human characteristics represent the inexhaustible fuel which the Metaverse will draw on to function effectively and thus vibrate with vitality.  

As far as human characteristics are concerned, while they are substantially the physical, physiological or behavioural characteristics of a natural person, they are not, by far, systematically processed by specific technical means like measurements that allow or confirm the unique identification, i.e. for the purpose of uniquely identifying a natural person. In the logic of the GDPR, uniquely identifying means tracing with certainty a subject’s identity, distinguishing it from the mass of individuals by virtue of characteristics that have been handled, to unequivocally confirm that the said subject really is he or she. The univocal identification occurs when it is determined with absolute certainty that the subject does not identify with any other human being.  Thus, the principle is that human characteristics are not and should not be defined and classified as biometric data and/or special categories of data as per the meaning of the GDPR. While human characteristics can reflect our uniqueness, they are not necessarily used in order to uniquely confirm it.  

In addition to the regulatory and legal analysis and solution-building, we also mention the merit in fostering the development of industry standards by letting the market and its competitive dynamics produce the rules, technological practices and codes of conduct that are necessary and appropriate to modulate the novel and peculiar dynamics of the Metaverse. This approach will be particularly relevant since the Metaverse will not be the product of one single social platform or major tech brand, but will configure a new complex ecosystem of a variety of small, medium and large players from different sectors, which will be called to operate and collaborate with each other. To that extent, the most adequate guarantees and forms of protection for the rights and freedoms of the interested parties may well indeed develop from within the market, as a result of its competitive synergies that will shape, even perhaps through some necessary trial and error, the key policies destined to gradually settle into the general practice.