The Metaverse and privacy: guidance by the Spanish data protection authority


The Metaverse uses a variety of technologies, such as AR and VR, DLTs (Blockchain), AI, IoT, IoRT and 5G, that enable the creation of immersive virtual environments and generate a multisensory experience for the user within the framework of web 3.0. Brands, firms and companies are entering the Metaverse with impetus. As the Spanish DPA (AEPD) put it in a recent article: “The current social and technical situation has created the ideal context for the Metaverse’s development and expansion, translating human experiences into digital data processing through simulations. However, the processing of this personal data is completely real”. This article analyzes its privacy and data protection implications.

The Metaverse is a network of different digital environments that, based on technologies such as augmented reality and virtual reality, DLTs (Blockchain), artificial intelligence, IoT, IoRT, 5G and others, make it possible to create immersive virtual environments and generate a multisensory experience for the user within the framework of web 3.0. Brands, firms and companies are already exploring these new fields of interaction: from gaming to art, fashion and advertising, the big commercial brands, all the big technology corporations and even the legal sector are entering the Metaverse with impetus.

The Metaverse is developed as an alternative or parallel reality to natural reality, whose objective is to offer users the possibility of immersing themselves, on demand, in a virtual digital reality. The Metaverse will soon be able to facilitate all kinds of activities in the most diverse sectors: work, training, research, leisure, entertainment, culture, etc. It is about offering the same possibilities as in natural reality, although in a different environment. Technologies such as Artificial Intelligence (AI), virtual/augmented reality, cryptography and haptic technology (to recreate the sense of touch), among others, are therefore used.

Undoubtedly, the massive use, collection, processing and exploitation of data (both personal and non-personal) that the use of the Metaverse implies will bring an exponential growth in the risks for the processing of personal data.

The very design of a Metaverse environment (typically involving multiple parties) means that it is not easy to establish, for example, which of the parties intervening in the environment is the Data Controller (the party who has the means and decides the purpose of the processing). In the same way, the Data Processor will be difficult to identify, as will other roles or situations of joint controllership. This is especially difficult in the presence of decentralized platforms. Ascertaining which participant(s) in the system play a certain role, with the corresponding rights and obligations, will entail a necessary, but complex, analysis.

On the other hand, the specific environment must carry out its compliance obligations in terms of Privacy Policies and information for the user. It must likewise obtain specific consents and the like, in order to demonstrate the principle of "accountability" that inspires the entire GDPR system.

In a Metaverse with virtually unlimited content and experiences, it is of the utmost importance to put in place effective mechanisms to obtain user consent. This applies, first, to entering into certain contracts, such as acquiring goods or services of some relevance. Secondly, it applies to accessing certain content, in a similar way to what currently happens on the Internet, with the obvious limitations that access control has in practice, for example in relation to the participation of minors.

Most importantly of all, there is the informed consent needed to provide all the personal data (behavior, health, among others) that the user will be making available to the platform.

AEPD has issued a recent article entitled “The Metaverse and Privacy” in which it includes a number of further aspects to take into account: data minimization mechanisms for the data collected by the wearable devices themselves and by the Metaverse; governance mechanisms and the establishment of transparent rules for the protection of rights, clearly setting out the roles of the participants and their submission to the control bodies; audits and transparency, especially in automated decision-making, in order to avoid abuse, bias, profiling and discrimination; proper management of wearables and devices to protect transmitted and stored data, taking into account the possibility of biometric data from which even more personal information can be inferred; impact assessments; and the rights of the data subjects, including the right to object and the right to erasure.

Additionally, it mentions the need for specific privacy-by-design and privacy-by-default safeguards that may apply, for example, to preserving the privacy of avatars and their digital footprint.


Article provided by INPLP member: Belén Arribas (Belén Arribas, Abogada, Spain)


