Existing policies inadequate for metaverse regulation

Existing data protection policies adopted by governments across the globe are not adequate to govern the metaverse environment.

Policy-makers and regulators need to develop specific regulations that will be conducive to the governing of data privacy, safety and security of users of the immersive technology.

This was the word from Drudeisha Madhub, data protection commissioner of Mauritius, speaking at the 2022 Data Protection Africa Summit, which took place this week in Illovo, Johannesburg.

Madhub discussed the approach, guidelines and key considerations that policy-makers have to grapple with, in developing a framework for the uncharted territory of the metaverse, as boundaries between the physical and virtual worlds continue to blur.

Dubbed the next evolution of social connection, a “metaverse” is a virtual reality space where users in different parts of the globe can interact with each other and virtual beings in a computer-generated environment.

Experts believe the metaverse will unlock infinite business opportunities and revenue streams.

There are already over 500 companies globally building metaverse universes – where they host 3D office spaces, shops, produce resources, rent virtual services and develop games or service offerings for clients, according to VentureBeat.

According to Madhub, anonymity on the internet is a myth, and the contractual agreement between a user and a service provider operating in the metaverse will have to be a strong one – governed by regulatory requirements.

“In 2022, we are still struggling to protect privacy online and being unsuccessful in combating the sheer volume of data breaches happening every day,” she noted.

“Indeed, privacy rules relevant to the current internet have to be respected in order to meet the new metaverse requirements. In the metaverse we have property owners, platform owners and many other collaborators involved, and a viable privacy policy should answer questions like: what type of user data is being used? And it should spell out users’ rights to protect, access, download and purge their personal data.”

Prior to her current role, Madhub was data protection and human rights expert at Interpol, and a member of the Commission for the Control of Interpol’s Files from 2011 to 2018.

According to Madhub, regulators will have to take a number of important issues into consideration when drafting compliance requirements for the metavese. This includes taking the right approach to user privacy regulation; intrusive and extensive data collection by platform owners; users’ data rights and ownership; how to adequately adapt current data regulations to the metaverse environment; user-to-user privacy; and minors’ and children’s rights in the metaverse.

“I am very keen to see the inclusion in data privacy policies, catered for the metaverse. What are going to be the important elements in metaverse data protection laws?

“When mitigating risk there is a need for data aggregation to be carried out by platform owners and property owners in the metaverse. We can argue that it’s not feasible from a practicality point of view and also from a cost perspective to do all this work, but because the risk is higher, they will have to do it.”

Providing an example, she explained that a European Union (EU) citizen using a US-based online platform owned by an Australian company would have to adhere to legislation from all three privacy regions and not only the EU’s General Data Protection Regulation.

“Unlike the real world, users need to be forced to use privacy controls, because recording and sharing data in the metaverse without the participant’s knowledge is very easy, and lack of regulations without penalties should not happen.

“Cyber security specialists, governments and regulatory bodies need to work together to be able to − at the very least − monitor what is going to be happening in the metaverse,” she concluded.