Legal issues in the Metaverse
In the past months, we have been reading more and more about the Metaverse and about companies that are entering it one after the other. We learnt that Warner Music Group bought land in Sandbox(1) and prepares digital concerts and other events, or that Nike opened the Nikeland Showroom in Roblox(2) and sells digital shoes for as much as $ 130,000. Moreover, a few days before the elections in France, President Emmanuel Macron set up his own official digital world in the Metaverse, specifically on the Minecraft(3) Server , to reach out to potential voters.
But what is the Metaverse?
The Metaverse is considered to be the evolution of the internet as we know it today. Ιt is a 3D digital world where we can enter with the use of virtual reality glasses, we can create ourselves in the form of an avatar and thus live in this digital world, using augmented and virtual reality, along with our exitance in the physical world.
The Metaverse is considered the gradual evolution of web2 to web3. In this new digital world of web3, we can already buy “land” – space on a digital ground – and build a digital property; we can have business meetings, go with friends to virtual concerts and virtual fashion shows, visit the digital space of JP Morgan, even shop for digital products or visit virtual places, museums, monuments, and all of this from our home, wearing augmented reality glasses for the full experience.
And while this development seems exciting, as is often the case with the advancement of technology, various complex, legal and regulatory, issues arise that have either not been addressed or need to be taken into more consideration. Some of these issues concern the collection of personal data, the protection of minors, cybersecurity issues, the interaction of users, artificial intelligence, and it is expected that in the future many more will arise.
Personal Data
When accessing the Metaverse, just like when accessing a website, personal data is collected, but this data may differ in volume or in type from what is currently collected by the websites. As the Metaverse evolves and users stay connected, through their avatars, for longer periods of time, platforms or companies will be able to gather more information about the behavior and reactions, the movements and possibly even the brain wave patterns of users; gaining, this way, a deeper understanding of their thoughts and behavior.
And while, at least for the legal world, compliance of the data protection legislation from companies operating in the Metaverse, especially when processing such aforementioned data, is expected, there is serious concern, in the new digital environment, whether the existing legislation is sufficient in order for users to be protected from this collection and processing of data.
The EU General Data Protection Regulation (GDPR) seems to be applicable to the Metaverse, at least to some extent.
However, as this General Regulation applies: a) to any corporation which processes personal data and is established in the European Union (EU), irrespective of where the data is processed and / or b) to any corporation which is based outside the EU and offers goods / services (through payment or for free) or monitors the behavior of individuals in the EU, it remains to be seen whether this Regulation will be applicable outside the EU.
This Regulation provides for the appointment of a data controller, i.e. appointment of a natural or legal person who determines the purposes for which and the means by which personal data is processed. However, even within the EU, appointing a data controller may not be easy. Is there one main data controller for the Metaverse who collects all personal data in it and determines the purpose and means of processing? Or will each corporation / organization in the Metaverse collecting personal data appoint a different data controller and determine different purposes and means to process the data?
Furthermore, there are other questions that arise as well, such as: How should different corporations or organizations display their privacy policy to users? How and when should user consent be granted?
Protection of minors
Protecting minors on the internet is still a key issue, as minors remain its most vulnerable users. The new world of the Metaverse seems in need of a high level of protection for minors as they may be exposed to dangers such as child pornography, the exchange of content related to violence, access to goods and services which, under the law, are inappropriate for their age and many other risks that may lead them to traumatic experiences. A recent BBC News survey recorded a user posing as a 13-year-old girl who, without any age restrictions or verification, was able to visit virtual reality rooms where other avatars engaged in sexual activity, showed her sex toys and was approached by several adult men.
It is obvious that the existing protection is not sufficient. Advanced techniques, in particular age verification protocols, imperative age restrictions on certain areas of the Metaverse and possibly the implementation of new measures to prevent minors from providing their personal data and to protect them in general from risks in the Metaverse, should be seriously considered.
Of course, it is not enough to just increase the level of protection of the companies operating in the Metaverse, nor make their supervision by the Authorities stricter in the implementation of any legislation; what is required is a continuous and coordinated effort of all the stakeholders in order to protect all minors in the digital world.
Cybersecurity
Although technologies such as blockchain(4) provide protection against cyber-attacks, the use of augmented reality and virtual reality technologies in the Metaverse increases the likelihood of cyber-attacks and data breaches.
In addition to threats known today, attacks in the Metaverse can take many forms, such as hacking an audio / video call or accessing a platform, or even dealing with fake or hacked avatars!
Attacks of this kind may be difficult to detect or verify at first, leaving users unprotected.
Users interaction
User interaction in the Metaverse and especially through avatars can lead to actions that in the real world are considered crimes, but in the digital world have never been dealt with before. For example, an avatar could be attacked, verbally or physically, by another avatar or, as recently reported by a British user, an avatar could be sexually harassed. But what can an avatar do if it is attacked? Can the avatar request the perpetrator to be prosecuted? In which territory and in which legal system? And how can the perpetrator – human be identified behind the avatar?
In the Metaverse, users buy virtual movables and immovables assets [in the form of Non-Fungible Tokens (NFT’s)], for which they pay large amounts in cryptocurrencies. Can the provisions of common property law be applied in these cases to deal with possible issues of infringement of property? And the law of which state shall be applicable?
The Commission’s proposal for the Digital Service Act (DSA) in December 2020, which follows the principle “what is illegal offline, should be illegal online”, seems to be applicable to some extent in the Metaverse; but it remains to be seen how it will actually be implemented!
Artificial Intelligence
In the Metaverse, virtual 3D robots in the form of avatars or even virtual paintings and artwork that can interact and chat with users (chatbots) coexist with user-avatars. These robots and chatbots are characterized by the fact that their answers and actions are pre-determined by an automated script or set of rules, as opposed to the user-avatars which are controlled by a real human user.
In the Metaverse this user- robot interaction is activated through artificial intelligence. The proposal for a regulation on artificial intelligence, published by the EU, provides for the prohibition of certain artificial intelligence practices and obliges providers and users (among others) to comply with various obligations in relation to high-risk artificial intelligence systems in addition to transparency obligations.
The Metaverse is constantly evolving without necessarily resolving the issues that arise. Tools to address issues both individually and collectively are available, such as tools offered by foresight, trends detection, and creation of alternative scenarios for the future.
We must be prepared to address these issues and act immediately now that the Metaverse is being formed, before the current developments overtake us.
1.Sandbox is a digital world, a virtual reality game where players can buy virtual land, build virtual buildings, acquire and generate NFTs in-game and make money by “monetizing” the time they spend playing through a “play-to-earn” model.
2.Roblox is a digital world, a game development platform that allows its users to create their own games using the game environment.
3.Minecraft is a digital adventure game with no specific objectives to be completed by the player, giving them a great deal of freedom in how they choose to play the game. Players can also build or construct various 3D spaces and objects with cubes.
4.Blockchain: in Greek it is rendered in various ways as a block chain or array chain, distributed recording chain, etc., and is a new technology (distributed universal technology) which is presented as a public, unmodifiable in terms of its history, distributed data set, grouped in time numbered sections, arrays (blocks).
Virginia Kokiou – Attorney at law,