Growing public awareness of data privacy issues has pressured countries to introduce more stringent privacy laws. However, in the future, emerging technologies such as the metaverse, virtual reality (VR), and augmented reality (AR) will make the enforcement of data privacy regulations more challenging.
A history of data privacy regulation
At its inception, the internet was designed to be free, open, and innovative. At first, most governments adopted a light regulatory touch, allowing companies to grow with little intervention. As a result, companies like Facebook flourished with business models based on targeted advertising. Targeted advertising refers to advertisements that are served to a specific audience. The target of that advert is determined using user data sold by companies like Facebook to advertising agencies.
Public awareness of data privacy issues eventually pressured countries to enact more stringent data privacy laws, with the EU’s General Data Protection Regulation (GDPR) being the gold standard of data privacy regulation. The GDPR sets out a legal framework for keeping citizens’ personal data safe by requiring companies to have robust processes in place for handling and storing personal information. The GDPR has cumulatively fined tech companies over $2.9 billion between 2018 and 2022. Although this is a large sum, enforcement frameworks remain extremely underfunded and short-staffed, and these fines remain a slap on the wrist for most Big Tech companies.
The GDPR promotes a ‘privacy by design’ approach in which companies are encouraged to adhere to data protection policies as an integral feature of data processing technologies. While European regulators have confirmed that the GDPR will apply to the metaverse and other related technologies operating within the EU, the enforcement of data privacy regulations will be incredibly challenging.
Data privacy in the metaverse
The metaverse is a virtual world where users share experiences and interact in real-time within simulated scenarios. It has been marketed as a revolutionary technology that will change how we shop, work, learn, socialize, and consume media content. Companies like Meta, Epic Games, and Microsoft have poured billions of dollars of investment into metaverse technologies and content. Nevertheless, the metaverse remains in its infancy.
GlobalData’s TMT Predictions 2023 report predicts that there will be a metaverse winter in 2023. Tech giants will continue to invest, but there will be less venture capital activity and fewer deals in the space. The year will not produce substantial returns instead, it will give an opportunity for underlying technologies, like AR and VR, to mature.
It is not yet clear how much this ‘winter’ will hamper the metaverse’s long-term potential. However, one of its biggest obstacles will be public concern regarding data privacy. Multi-sensory experiences in the metaverse will expand the scope of data privacy beyond the normal data points to include emotional, biometric, and physiological data, meaning users will be monitored at an almost forensic level. This will make enforcement of data privacy regulation far more challenging. Firstly, it is unclear whether current data privacy regulations, aside from the GDPR, are legally applicable to new technologies. Secondly, while current regulations address billions of data points shared between users and tech companies, the metaverse and related technologies will give companies access to trillions of more invasive data points. There is already a lack of resources when it comes to enforcing data privacy laws, which will only worsen as we embark on an immersive future in the metaverse if regulators are not adequately prepared.
Looking forward
Regulators must draft legal frameworks with robust compliance processes that consider the potential dangers of the emergence of more invasive technologies with access to biometric data. Government resources will always be limited when it comes to data privacy enforcement, however, regulators can improve efficiency by using artificial intelligence and other technologies to track Big Tech activity in the data privacy space.
When the GDPR and other legal frameworks are expanded to cover the metaverse, the metaverse may see its functionality challenged. For instance, how can Meta render real-time avatars of people in the metaverse if it is not allowed to capture the biometric data needed to mimic the movement of people? Therefore, developers must collaborate with government entities to develop the technology with data privacy regulation in mind.
