Data Protection Report - Norton Rose Fulbright

For many years, the immersive three-dimensional digital world has been left to the cinematic experience. However, the emergence of the metaverse presents an opportunity to translate everyday activities – working, attending a concert, travelling, shopping, socializing – into a parallel digital universe.

The metaverse is an abstract concept that uses a digital environment to permeate the boundaries of our physical world. Instead of reading this article, you could be immersed in it. By utilizing technologies such as virtual reality, augmented reality, and blockchain, the metaverse is able to provide elements such as 3D avatars, digital assets, and various events to support a virtual economy and facilitate social relationships.

While this concept may seem futuristic, certain aspects of the metaverse are already here. Popular examples include a 3D virtual world platform and 3D open world game. We are also seeing major gaming companies developing their own versions of the metaverse.

Legal Considerations in the Metaverse

Just as with social media platforms, privacy issues will be at the forefront of the metaverse as it develops and begins to gain widespread traction by users. In an earlier article, the privacy issues surrounding the metaverse were discussed from a European standpoint. Here, we look at the metaverse from a Canadian perspective.

One aspect of the metaverse that raises privacy concerns is the vast amount of personal data that may be collected on participating individuals. Compared to traditional social media, metaverse platforms can track individuals in a much more intimate manner. Companies can monitor physiological responses and biometric data such as facial expressions, vocal inflections, and vital signs in real time while participants are in their metaverse. This depth of information allows companies to gain a deeper understanding of users’ behaviour, which in turn can be used to tailor advertising campaigns in an exceptionally targeted way.

Additionally, the legal implications on using artificial intelligence (“AI”) will be another aspect to consider given its prevalence in biometric technologies. In recent years, companies utilizing AI technologies have attracted the scrutiny of Canada’s privacy commissioners for the unlawful mass surveillance and collection of biometric data. Currently, Quebec is the only jurisdiction in Canada that specifically regulates the collection of biometric data.

As the Metaverse Expands, So Will Privacy Laws

In Canada, we anticipate regulatory developments surrounding individual consent and the collection and transfer of data to properly protect personal information in an evolving digital space.

The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs the collection, use and disclosure of personal data of social media users. PIPEDA requires organizations to obtain consent and inform individuals of the purpose of collecting, using, or disclosing such information. Although PIPEDA does not differentiate between adults and youth, the Office of the Privacy Commissioner of Canada has consistently viewed personal information of youth and children as being particularly sensitive and has recommended to limit, or avoid altogether its collection, where possible. Should the metaverse be accessible to children (which is likely), further guidance will likely be provided by privacy regulators to ensure meaningful consent is obtained.

While PIPEDA also contains guidelines suggesting how collected data should be securely stored, disposed of, and transferred, the guidelines are less prescriptive compared to other jurisdictions such as the European Union (“EU”). For example, PIPEDA only requires a “comparable level of protection” (term undefined) when transferring data to third parties, whereas the EU’s General Data Protection Regulation requires organizations to include legally binding rules or obtain clear consent. The transfer of sensitive biometric data and virtual payments across platforms opens up the possibility of malware attacks and data breaches. As result, the “industry standards” of today will likely need to be revamped and defined more clearly to ensure applicability and consistency in the metaverse context.

Although Canada has started making efforts to modernize its digital privacy laws, current regulations will require ongoing updated guidelines as the digital landscape rapidly evolves. We anticipate that limits will be set on the type and amount of personal data collected and how it is shared with third parties. Having clearer guidelines in place will further ensure adequate consent is obtained prior to using the collected data. As the social media experience becomes more immersive, concerns surrounding data collection and use will inevitably put pressure on legislative reform.

Key Takeaways

We anticipate that the development of the metaverse will accelerate in the coming years with commercial applications driving many advertising and crypto-currency enabled initiatives (among others). Businesses looking at the metaverse will need to be mindful of the privacy considerations and ensure that best-in-class practices are employed, both in the development of and participation in the metaverse.

The authors would like to thank articling student Marisa Kwan for her assistance in preparing this update.