McKinsey predicts a market value of $5 trillion by 2030, Citi predicts up to $13 trillion, however Canalys disagrees and claims the metaverse is a B2B problem seeking for a solution that will eventually fail.
Investors in the platform include Microsoft, Meta, Google, Nvidia, Apple, Autodesk, and others. McKinsey consultants estimate that since 2021, a staggering $177 billion has been invested in the metaverse. By 2030, the market, according to this estimate, may be worth $5 trillion. Even more optimistic than before, the soothsayers at Citi predict that by the same year, the metaverse economy would be valued between $8 trillion and $13 trillion.
According to Gartner, by 2026, a quarter of us will spend at least an hour each day online, whether it be for work, play, socializing, or education. A third of businesses will have offerings prepared for the digital sphere. Most business-related initiatives are anticipated to be finished by 2025.
The Metaverse of interconnected spaces might become a reality at any time. After all, it’s all about the internet and the web. We are proficient in linking. The reason this isn’t occurring isn’t due to technical difficulties; rather, businesses aren’t trying to make this happen.
Operational concerns and contradictory regulations might be one reason.
Operational concerns and contradictory regulations regarding personal data protection in the metaverse
In the Metaverse, data about users’ psychophysical characteristics assumes a crucial role in two ways. On the one hand, there is the explicit user identification, and on the other, there is the potential to use the previously collected users’ psychophysical dataset as a source of to duplicate ”additional” inferable user information.
Putting the emphasis on users’ psychophysical data in the Metaverse
The link between regular physical reality and augmented virtual reality is strong within the Metaverse. As a result, when you sign up for the Metaverse and make you own avatar, your identity is duplicated. This necessarily involves processing a variety of personal data, including:
- Personal data needed to create the avatar
- information about a location
- information about routines, passions, tastes, and views; and
- Information on users’ psychophysical state, such as behavioral information (such as emotional reactions and social interactions) and information about how they move their bodies (such as their posture, gaze, gestures, facial expressions, and interpersonal proximity).
Regarding the first aspect, avatars use specialized technology to externalize people’s emotions and bodily movements. It includes aspects of behavior and physical movement that, in virtual reality, are collectively referred to as the ”human being.” Meaning that the GDPR is applicable in the Metaverse. In fact, unlike what occurs in physical reality, motions and gestures may qualify as personal data under Article 4(1) of the GDPR and be processed by the data controller in accordance with Article 4(2) of the GDPR.
When translated into the Metaverse, certain movements and/or behaviors may ”reveal” sensitive information about the person, such as medical conditions and physical impairments. This is in relation to the possibility of considering data processed in the context of the Metaverse as a source of ”further” inferable information relating to users. In the GDPR, ”inferred data” refers to data that can be further collected by examining human characteristics. Should this data disclose sensitive information, such as health information, the legal framework outlined in Article 9 of the GDPR with the associated processing limits and requirements would apply.
The standards for data protection and the accountability principle
It is possible, from the perspective of data protection, to rely on extraterritorial application – to a parallel virtual reality – of the GDPR in response to the current absence of any specific ex-ante European regulation governing the activities of users and businesses in the Metaverse, thereby implementing one of its core principles, namely, accountability.
This is a result of the processing operations stated above, which are being done in this context and cannot be exempt from regulation.
This principle states that organizations involved in the Metaverse must be regarded as data controllers since they choose the methods and objectives for processing personal data.
To maintain a sufficient degree of user-related personal data protection and, concurrently, to reduce the risk of potential security incidents and/or personal data breaches, a number of standards must be completed.
Practically speaking, the data controller is obligated to:
- Information notifications that describe the processing activity and the legal justification for processing and transferring personal data within virtual reality should be made available. When necessary and needed as a legal foundation for carrying out the processing, this is done to raise users’ knowledge and enable them to give informed permission
- Given the dynamic nature of virtual reality, when performing new processing activities for a different purpose (referred to as ”secondary use”) and/or additional processing based on the original purpose, allow for a systematic framing of those activities to ensure consistency of what was initially communicated to the user
- When developing systems and tools, consider the standards outlined in data protection laws in accordance with the concepts of privacy by design and by default
- Performing a DPIA (Data Protection Impact Assessment) will help you better understand the increased threats and risks related to managing the information assets granted to the Metaverse reality
- You’ll also be able to comply with the processing and distribution restrictions outlined in Article 9 of the GDPR with regard to special categories of personal data, such as health-related information.
Europe, regulating the Metaverse in a regulatory vacuum
An ad hoc legal framework appears to be required due to the quantity and variety of personal data involved in the processing operations implemented in today’s digital world. Such a framework should be designed to precisely control data flows inside the Metaverse and the increasingly pervasive interconnectedness between the virtual and real worlds.
However, there does not appear to have been any European involvement to date to establish suitable and specialized law in the area. The European Commission has up until recently denied any plans to investigate the Metaverse and to propose political measures and/or industry-specific legislation.
2023 might be a significant turning point in the development of this virtual world.
Swede in Paris - Svenska i Paris 