AHMORE BURGER-SMIDT: The metaverse and data privacy: will regulation keep up?

On October 28 Facebook CEO Mark Zuckerberg announced the rebranding of his company to Meta, a new vision for Facebook that will see the metaverse succeed the so-called mobile internet.

The metaverse is a set of interconnected, always-on virtual environments that allow a person to effectively transcend the physical world. It is the convergence of physical, augmented and virtual reality in a live virtual world that is shared among users, just as our existing physical world is shared among all of us.

The metaverse encompasses three key aspects:

• Presence. This is the feeling of actually being in the metaverse, which is achieved through virtual reality technologies such as head-mounted displays. This means a person, through the use of their avatar, can experience the feeling of being in the virtual space along with other people irrespective of where they might be in the physical world.

• Interoperability. This is the ability to seamlessly travel between virtual environments using the same virtual tools or assets such as avatars. In other words it is the ability of the individual to exchange and make use of information through the metaverse. For example, individuals will be able make use of blockchain technologies such as cryptocurrencies and non fungible tokens to facilitate commerce in the metaverse.
• Standardisation. This is the use of common technological standards for widespread adoption. Meta aims to position the metaverse as the go-to place for various online activities including work, entertainment, education, commerce, and social interactions.

However, from a privacy perspective there are a number of concerns. Facebook currently offers its services, mostly for free, to roughly 2.91-billion active users. In turn it makes money by allowing businesses to advertise on its various platforms. It is well established that Facebook makes the majority of its income from marketing (98% of its revenue). This business model has not been without major privacy and security concerns, the most notable being the Cambridge Analytica scandal, which resulted in a $5bn penalty (about R79.3bn) from the Federal Trade Commission in 2019.

The reason so many businesses, political parties and governments go to Facebook for advertising is the fact that it knows a lot about individuals/data subjects, whether it be through Facebook itself, Messenger, Instagram or WhatsApp. Data subject activity on these apps reveal a lot about behaviour, such as who data subjects communicate with, what content a data subject prefers and reacts to, and more. Facebook’s algorithms can then build a profile of each user and categorise the users which creates a lot of value for a business seeking to advertise its products or services.

Consequently, the question beckons what that commercial exchange is going to look like in the metaverse and to what extent national regulators are going to be able to intervene on potential privacy issues. Users connected to the metaverse will present a ripe opportunity for an even broader range of personal information to be continuously collected. It also presents an opportunity for more nuanced sets of information to be collected in comparison to what can be drawn from a user’s interaction with a social media app. For example, the metaverse can reveal a lot about one’s biometric data, movements and gestures, reactions to certain situations and environments and other sensory data points.

The Protection of Personal Information Act (Popia) has openness as one of its fundamental conditions. Openness requires that the data subject whose information a responsible party collects must be aware that the responsible party is collecting such personal information and the purposes thereof. The data subject must be afforded a reasonably transparent view into how, why, with whom, where and when a responsible party processes their personal information. This is meant to satisfy the data subject as to whether the responsible party is engaging in lawful processing. If not, then the data subject has enough information to exercise their rights in terms of Popia.

An example of how important the openness condition is can be gleaned from WhatsApp’s recent revision of its privacy policy. This came as a result of a significant data protection fine earlier this year. Following an investigation the Irish data protection supervisory authority issued a €225m (about R4bn) penalty to WhatsApp for General Data Protection Regulation transparency infringements. This was the largest penalty handed down by the Irish Data Protection Commission and second-largest under the EU.

It remains to be seen how open and transparent companies like Meta will be when it comes to informing data subjects about the information being collected and use thereof. It also remains to be seen how issues such as the lawfulness of processing will be worked around. Considering the unprecedented volume of personal information that will be opened up to processing through the metaverse, it will be interesting to see how further issues such as the reasonableness and minimality of processing will be satisfied.

Further, the metaverse can and probably will present cybercrime issues such as illicit data mining and identity theft. Consequently, the question will be whether national regulators and governments are well equipped and prepared to deal with these concerns. Though the issues themselves aren’t new, the playing field is. 

It will be interesting to see whether governments will be able to demonstrate the necessary digital resources and understanding to resolve the governance, content moderation and huge implications for privacy and data protection that new technologies such as the metaverse will inevitably present. But more importantly, it raises the question how individual users of Meta will demand protection of their privacy and personal information. 

• Burger-Smidt is director and head of data privacy & cybercrime at Werksmans Attorneys.