homeviews NewsVIEW | Data privacy in the contours of the virtual world: Complexities of the metaverse

VIEW | Data privacy in the contours of the virtual world: Complexities of the metaverse

The current data protection law in India, enacted over two decades ago, is limited in its scope. Although there is a more comprehensive proposed law in the pipeline, many aspects are yet to be crystallised.

Profile image

By CNBCTV18.com Contributor Sept 14, 2022 11:12:35 AM IST (Updated)

Listen to the Article(6 Minutes)
8 Min Read
VIEW | Data privacy in the contours of the virtual world: Complexities of the metaverse
Stepping towards a digital revolution, the ‘metaverse’ brings a new world into existence through augmented or virtual reality technology. It creates a unique virtual experience for users to immerse themselves in the digital world through a myriad of services like virtual gaming, digital asset creation, real-time virtual markets, etc.

In this world of virtual realism, data fuels the eco-system as real-time data from the users (user behaviour and preferences, physiological responses, etc.) is collected to enable this experience. Since metaverse seeks to create this one-of-a-kind immersive digital world or virtual experience, processing of users’ data will be at the forefront to facilitate a seamless experience.
With the proliferation of 5G processing capabilities and Internet-of-Things (IoT) technologies, extensive data collection from one’s surroundings, and the planet at large, can be expected. As the law lags behind and tries to catch up, the entire concept of data protection might need to be reimagined in the context of the metaverse.
Re-imagining the concept of data protection in the metaverse
Metaverse’s extended reality aims to merge the boundaries of the physical world and digital world through data collection and processing at a tremendously granular level.
Such technologies depend upon not only just tangible data (whether personal or non-personal) fed by the users, but also the users’ surroundings, reflexes, responses, inhibitions, and other physiological indicators which may not even be visible to the user itself.
At present, although things like user profiling and targeted advertising are commonplace, user profiling contains less intrusive data such as digital content watch time, likes and dislikes, age, gender, name, activity across social media platforms, etc.
Thus, while entities can track behavioural patterns to create user profiles, the scope of profiling in the metaverse may multiply manifold with newer forms of personal data collected. However, the metaverse will lead to unprecedented amalgamation between individuals' data and technology, which will include novel methods of obtaining user profiling information such as iris, facial movement and audio response tracking.
Another interesting aspect is the creation of ‘avatars’ on metaverse and the profiling of such avatars. Analysis of users’ avatar activity may also reveal critical information about users’ behaviour.
Accordingly, the profiling of users will become more precise. This would certainly open new avenues for companies with increased adoption of metaverse-based services. In the metaverse, such new forms of data will be collected and processed in real time with the aid of smart machines and mixed reality (virtual reality or augmented reality) equipment.
This could give rise to new types of personal data collected by the industry in a way never done before and add new dimensions to the regulation of personal and non-personal data. Therefore, in an environment where tracking and profiling of users would become so effortless, ensuring the privacy of users will be paramount.
Separately, with regard to the identification of a user, metaverses based on certain technologies (such as blockchain) may give users the autonomy over their identity, i.e. to be a ‘self-sovereign identity’ as a distinct identifier for that user, which according to experts might supplant the reliance on any central entity for identity verification.
In addition to having a self-sovereign identity, users might also be in full control of their personal information and may create, sign and verify claims using their self-sovereign identities.
However, no policies surrounding creation, verification, authorization or authentication relating to self-sovereign identities in the metaverse exist at present. Thus, we will have to see how accountability relating to profiling, consent, and privacy is attributed to individuals and platforms in the metaverse.
With the amount of attention that the metaverse space has gained in the past few months, and with the kind of involvement by large players and capital that is flowing into metaverse projects, it is quite possible that cybercriminals are attracted to this space.
Thus, the personal data of individuals, virtual property, tokens, avatars, and other metaverse assets may be at risk due to meta-criminals. The issue becomes more complex as data in the metaverse may be stored on a decentralised blockchain. Due to lack of clarity on the regulation of blockchain-based systems (which may be located abroad), law enforcement becomes a challenge.
In addition to grave cybersecurity implications, there will also be crucial look-out areas in the domain of intellectual property (such as copyright concerns with avatars) and enforcement by judicial or regulatory authorities. The legal system at large (including criminal laws) will need to adapt to the unique and novel challenges posed by the metaverse.
With billions of monthly active users of the Meta platforms, it is a Herculean task to ensure that the cybersecurity practices and user rights (in respect of their personal data) are not diluted. Such mass extrapolation of data, intrusive data collection practices and large-scale data analytics yield new potential harms and threats, and the law must keep up with these perils.
The current data protection law in India, enacted over two decades ago, is limited in its scope. Although there is a more comprehensive proposed law in the pipeline, many aspects are yet to be crystallised.
This begs the burning question – can the current and forthcoming law adequately address the challenges and risks surrounding data protection in the metaverse?
Importantly, since the metaverse will depend on free flow of information across platforms and boundaries of the physical world, this dilemma is only enhanced with restrictions on cross-border data transfers under local data protection laws.
Current regime for cross-border data transfers and issues concerning data localisation
The metaverse seeks to bridge the gap between the real and the virtual. This will require seamless exchange of data across different platforms and across borders, e.g., users will be able to virtually visit, experience and transact at virtual shops located abroad through AR or VR devices, this would lead to transfer user information (including payment data, real-time physiological reactions, behavioural data, personal identifiers)
Transactions in the metaverse may also be carried out through cryptocurrencies and virtual digital assets (like NFTs). Further, to ensure easy access globally, it is speculated that the entire ecosystem of metaverse might run on the blockchain.
Thus, data may be stored on computers and nodes located across the globe (irrespective of national boundaries). Since data on the blockchain may be stored across nodes located abroad, it would be nearly impossible to expect entities that control such data to comply with data localisation requirements.
Stakeholders suggest that the government may carve out an exception to data localization for compatibility with blockchain-based models. The Indian government has also recognised data localisation as a challenge to adoption of blockchain technology.
The data localisation requirements in several jurisdictions like India, China, and effectively the EU, might create hindrances to cross-border data flows. Thus, there is a need for a global rethink to strike a balance between facilitating cross-border data flows and protecting national interests.
In India, although cross-border transfers of ‘sensitive personal data or information are regulated by the IT Act, there are no explicit restrictions. However, sectoral regulators like the Reserve Bank of India, impose data localisation for certain kinds of data.
The proposed law on data protection will require user consent for the transfer of ‘personal data’ and ‘sensitive personal data’ (the latter will have to be mirrored in India). Notably, ‘critical personal data’ (to be notified by the government) will have to be localised unless specific conditions are met.
Similarly, the recent Schrems II judgment (2020) in the EU, which struck down the EU-US privacy shield, effectively paves way for data localisation.
As per this judgment, GDPR-protected data may only be transferred abroad if certain stringent conditions are satisfied, this severely impacts the outsourcing industry, which may be detrimental to both European and other businesses. For instance, a European organisation may hesitate in onboarding an Indian metaverse-based HR service in light of Schrems II requirements.
Thus, free flow of data would become critical to ensure that cross-border communication and transactions in the metaverse are not restricted or delayed due to local storage norms or additional permissions required for such exchange.
There is a need to identify or recognize types of personal data to which no data localisation restrictions apply. The metaverse may add fuel to the ongoing debate between data localisation and the free flow of data. It will be interesting to see whether national interests will prevail over globalisation.
Way forward
In the absence of a global overarching framework for cross-border exchange of personal data and usage of user profiling information, stakeholders including developers, organisations, and industry bodies may come together to agree on a self-regulatory framework for ensuring protection of personal data in the metaverse and to facilitate the free flow of data. At the same time, an enabling regulatory framework may provide a fillip to the industry.
The article is authored by Abhinav Chandan, Harsh Walia and Supratim Chakraborty of Khaitan & Co. The views expressed are personal

Most Read

Share Market Live

View All
Top GainersTop Losers
CurrencyCommodities
CurrencyPriceChange%Change