The Metaverse: A Universal Digital Platform’s Evolution
The Metaverse is only an idea. What’s the concept as well as what will be the
fundamental foundations for it? The Metaverse is the result from the convergence
of a wide range of both extant and nascent technological and online technologies.
It could begin as a platform on virtual reality, gaming and digital spaces for
meeting Digital assets (such as non-fungible tokens , read our article, Anatomy of
an NFT) as well as even brain-to-machine interaction; however, it won’t end there.
Its impact and scope could grow as Artificial Intelligence is added, as well as when
data from physical objects is transferred to the Internet of Things (integrating
humans and companies in ever-growing physical and digital interaction).
The true value of the Metaverse is, however, not in ever increasing connectivity for
its own sake rather in the results of the process. It is likely to evolve into an all-
encompassing digital platform for commercial and personal interactions. The
platform could replace the present technology stack of the internet that runs on the
Internet and become the primary source of important information about the
consumer that is available to business.
- What are the main characteristics of the Metaverse?
- What makes the Metaverse be different to that of the World Wide Web?
- What are the possible legal concerns?
- Who is accountable for compliance with the law on data protection applicable to them?
- What do regulators not find appealing about catch-all methods?
What are the main characteristics of the Metaverse?
The Metaverse will be there regardless of the time or place.
The participants in the metaverse are able interact with each other and the world
of digital in real-time, responding to their virtual surroundings and each other as
they do in the real world.
Everyone can connect at the same time and there is no limit on the number of
Participants – which includes companies – can supply products and services to be
recognized as value by others. This value could start with (or be a part of) the type
of value video game players currently use (for instance the exchange of fiat
currency to virtual gold as well as in-game objects). It could also encompass
tokens that are non-fungible, cryptocurrency, and e-money as well as traditional
fiat currencies. These exchanges of value could depend on technologies like
distributed ledger technology or smart contracts as well as technologies that aren’t
even considered yet.
The Metaverse allows a user to use their virtual objects across multiple
experiences within the Metaverse. For example the user experience could have
cross-platform capabilities, which allows for a car which is locked in a racing game
, to be utilised in another adventure game or clothes purchased from in the
Metaverse can get “worn” and used in music, games, and any other virtual
environment that are available.
As the Metaverse is able to go beyond gaming, the businesses that participate
could need to look beyond the existing methods that are proprietary to bolster up
their brand positioning Controls over formats for data exchange and verification of
ID such as ID verification they will have to change.
What makes the Metaverse be different to that of the World Wide Web?
An Internet interaction today relies on a particular server connecting to another
server or an end-user device on an as-needed basis. It is true that the Internet
simulates simultaneous interaction, however they are distinct events separated by
fractions seconds that in the majority of cases we aren’t aware of. The Metaverse
is more similar to video calls that are simultaneous in terms of interaction and user
experience. In other words, it will be asynchronous multiple-to-many
In order to achieve this, a different infrastructure is needed in the near future,
possibly on a decentralised as well as decentralised base. While based on
Internet infrastructure, there are already successful distributed/decentralised
computing models (for example, distributed ledger technology and cloud
computing) that might point to the future of what the infrastructure might be like.
“The Metaverse will require countless technological advancements, protocols,
businesses, breakthroughs, and discoveries in order to function. It will not be
brought directly into being; there won’t exist no distinct “Before Metaverse” or
‘After Metaverse’. It will instead gradually appear as the various services, products
and capabilities blend and blend together.
What are the possible legal concerns?
The radical aspect of the Metaverse will likely cause a variety of complicated legal
and regulatory questions. We will look at some of the major ones below. As time
passes it is inevitable that new ones will come up.
The participation in the Metaverse will require the collection of unimaginable
amounts and kinds of personal information. Nowadays, smartphones and
websites let companies analyse how users use the internet or use an app. In the
future, in the Metaverse organisations can collect information on people’s physical
responses, their movements and possibly even brainwave patterns, thus gaining
an even greater understanding of their clients’ thought patterns and behaviours.
Users who are part of The Metaverse can also get “logged in” for extended
periods of time. This means that behaviour patterns will be monitored continuously
and will enable the Metaverse as well as the companies (vendors of products and
services) that are members of the Metaverse to determine the best way to serve
the users in a precise manner.
A hungry Metaverse participant
What actors could in the Metaverse target people who are who are part of the
Metaverse? Let’s say that one woman is hungry while taking part in. The
Metaverse could be able to observe a woman regularly looking at restaurant and
cafe windows and stopping to admire cakes displayed in the bakery’s window. It
will then conclude that she’s hungry and present her food advertisements
according to her hunger.
Contrast this with the present technology, in which a website or app will generally
determine this kind of information if a woman was actively searching for
restaurants or similar information on her device.
In the Metaverse, people won’t have to provide their personal information by
opening their smartphone and then accessing their website or application of
choice. Instead, their information will be collected in the background as they are
living their online lives.
This kind of chance comes with significant responsibility for data protection.
Companies that are developing, or taking part in the Metaverse must adhere to
the laws on data protection when handling personal data in this new context. The
Metaverse’s nature creates a myriad of challenges regarding how compliance can
be met in the real world.
Who is accountable for compliance with the law on data protection
applicable to them?
In a variety of jurisdictions law enforcement agencies impose different
requirements on organisations based on the extent to which an entity decides the
reason and method of processing personal information (referred to as”controller”
or “controller” under the EU General Data Protection Regulation (GDPR)) or
merely handles personal information on behalf of another (referred to
as”processor” under the GDPR) “processor” under the GDPR).
Within the Metaverse, determining which entity or entities are responsible in
determining the manner and purpose personal data is processed, and also who is
responsible for processing personal data on behalf of another isn’t always easy. It
is likely to require tearing off a complex web of relationships. There aren’t any
obvious or easy answers, such as:
Will there be a single person in charge of managing the Metaverse who is
responsible for any personal information that is provided to it and decides on how
personal information will be used and exchanged?
Virtual virtual reality headsets and glasses will be prevalent in the metaverse
(unless they’re replaced by something more advanced in the interim, like direct
brain-computer interfaces). These devices are able to gather a range of highly
sensitive information about the wearer (for instance eye or body movement,
physiological reactions as well as brainwave patterns etc.)
If the data is utilised by the actors of the Metaverse to gain knowledge about the
user’s preferences or make decisions on them, it would become a special
category data in the GDPR.
That means that additional requirements would have to be fulfilled. The most
important thing is that users would likely have to provide their explicit consent to
each use that the data will be employed. Let’s look at the woman who is hungry in
the instance from earlier. In the event that she was targeted by ads for food with
gaze analysis technology to make this legal, she’d have to have granted her
A generic consent to marketing is not enough. Quite how this consent would be
sought and given is a question that goes to the issue of whether the Metaverse
can operate on a decentralised/distributed model, discussed below (see
Decentralised / distributed models).
Consent to market
One of the main drivers in the growth of Metaverse is its ability to allow new ways
of marketing that are effortlessly integrated in the overall structure of Metaverse.
For instance, someone who is visiting a store within the Metaverse could receive
deals on his/her favourite products in real time while browsing the shelves, based
on prior behaviour.
This could constitute direct marketing in many nations’ laws protecting data that
may require consent from Metaverse users.
The exact nature of the obligation would likely be contingent on the brand’s
involvement in the marketing, and also how they present the message, and
whether the way in which the marketing is presented is more similar to online
behavioural marketing or social media (where the participants are able to display
In all instances it is important to think about the manner and when the required
consent will be obtained and, more specifically, how “real world” consent can be
relied upon by companies in the Metaverse, and in reverse.
It’s one thing to handle personal information of adults within the metaverse
however it’s quite different when children are involved. The data protection laws of
many countries’ laws provide a special level of protection for children’s personal
data and the data protection authorities and similar regulators frequently take a
stern stance on companies that fail to adhere to the regulations.
In many cases the parental consent of a parent is required when a child wants to
take part within an online service. The GDPR clearly states that special protection
is required when children’s personal information is utilised for marketing purposes
or for creating profiles of users or personalities.
sophisticated age verification techniques, the enforcement of age limits and
implementing measures that deter children from revealing their personal
information will therefore prove to be vital components in improving data
protection compliance throughout the Metaverse.
Sharing of data
To allow interoperability, data that is collected by one organisation within the
Metaverse could need to flow smoothly between different operators , and even
between platforms. As interoperability increases and users are able to transfer
avatars and digital assets between different platforms as well as across
Metaverses, developers of software and companies will have to create multilateral
or bilateral agreements for data sharing to improve the efficiency of the user
It’s not that different from the present scenario in which databases are sold or
bought but there are some prerequisites that must be fulfilled first.
For instance, one of the requirements in many laws governing data protection is
that the recipient’s privacy notice has to be made available to the person shortly
after receiving the data in order to inform the person how their personal
information is processed. These rules will be increasingly difficult to achieve when
we enter the metaverse where data transfer is swift and involves a variety of
One possible solution could be the central administrator of the Metaverse to
provide users with an explanation of how their information will be used, and (if
required) the option to grant permission for different applications. However, the
data protection regulators have expressed their displeasure with this kind of
“catch-all”, bundled approach.
What do regulators not find appealing about catch-all methods?
The CNIL (the French data protection authority, also known as the “Commission
nationale de l’informatique et des libertés”) has imposed a EUR50 million fine on
Google at the beginning of January for failing to meet its legal obligations to
with a clear understanding of the nature of the processing activities that are
carried out by Google in the past, the magnitude and intrusiveness as well as the
volume and nature of the data collected and processed.