The Privacy, Data Protection and Cybersecurity Law Review: Metaverse and the Law

This article is an extract from The Privacy, Data Protection and Cybersecurity Law Review, 9th Edition. Click here for the full guide. 

I The legal status of the metaverse

On 21 October 2021, the first news of Facebook Inc rebranding into Meta Platforms Inc emerged. The aim was to better reflect the core business: Mark Zuckerberg’s desire to realise the Metaverse,2 and his high ambitions to do so are reflected in the prominence of investors he locked in, such as the biggest asset manager of the world, BlackRock.3

The Metaverse that he has in mind is a complete and full virtual reality experience.4 In this sense, Meta is just the natural convergence of all the pieces of the puzzle that Zuckerberg has prepared: Instagram, WhatsApp, Oculus, Giphy, Mapillary and so on. While none of them is significant alone, together they form an evolution of the concept started on 4 February 2004, when Meta was just The Facebook.

However, while some key components of metaverse technologies have already been developed, an infrastructure to allow full access to the metaverse is not currently available and it will not probably be in the coming years, as a result of complex geopolitical situations. The metaverse, as it seems to be a quite complicated structure, must rely on a high-level infrastructure layered within and across different fields: high-level telecommunication, like 5G (and the problem related to the development of this technology as well as the competition between the United States and China), integration of man and machine, to give a decent experience, or the capacity of servers are the most basic problems that this concept needs to address if it wants to be the ‘next big thing’.5

Moreover, the technology itself does not exhaust the problems that metaverse is raising: that metaverse has the potential to be one of the many technologies that will change the law forever.

To analyse the impact of the metaverse on the law, it should be important to consider whether it has an autonomous legal status or, in any case, personality according to the common theory of international public law. If a modern state is a free and autonomous entity exercising control and administration of a population on a given territory, is the metaverse a state? Most likely not.

While the above traditional definition is broad enough to include a virtual space such as the metaverse, it is also true that it implies a certain materiality or reality principle. The territory would hardly include the cyberspace, which, physically, is the space on a hard drive. Moreover, the population is not an actual population, as the foundation of the sense of belonging is not given in a positive sense (what they have in common such as language or culture) or in a negative one (who the enemy is), but it is aggregated by consumerism: the terms accepted.6

Lastly, it is not clear whether an authority in the metaverse would be autonomous and freely able to exercise such sovereignty as it would completely depend on Meta Platforms, Zuckerberg’s mood and, in some cases, the shareholders.

iInternational law in the metaverse

Can a corporation create an entity that could be deemed state-like? Traditionally, states are the only actors in international law.

In the context of international law, the highest legal layer possible, there are three main areas of the law that may play a role to better specify the metaverse: space law, law of the Artic and the special regime of submarine cables.

Space law gives every state the possibility to exploit the space and resources included in it as well as the protection of space from military operation (although this is probably just a hope). However, those treaties were written before man even landed on the moon. While the notion that the metaverse could be a common achievement and commodity of the human race as a whole, the application of such theories would be limited: it is unlikely that the metaverse could be considered a place that the whole of mankind can use and exploit when in reality it is already only one man’s property.

Artic and Antarctica are special areas of the planet. Their unique and endangered spaces enjoy a particular framework for the protection of its environment and the duty to cooperate to minimise activities that may endanger those areas. However, the motive behind those doctrines are that of public interest and environmental protection duties. In this context, while a new marvellous world is awaiting users, we are always talking about something that will be exclusively owned and just ‘rented’ to users.

Lastly, the most appropriate theory would be the special regime for the submarine cables for the internet. This would perfectly connect to the essence of the metaverse as an information technology product: the metaverse would thrive exclusively thanks to the internet, otherwise it will be nothing more than an elaborate videogame. The above-mentioned framework outlines that states have a duty to leave the submarine cables alone; however, when telecommunications are in danger there is a duty to assist other states to rapidly repair them or guarantee their safety. These flexible obligations do not prevent a state from conducting activities that are legit, even when they may damage the cables; it just places an obligation to address and remedy the damage. For these reasons, the versatile positive and negative obligations and duties applied to the cable could be a useful inspiration for the metaverse.

Metaverse as an extension of California

Meta has its headquarters in Menlo Park, Silicon Valley, California. Scholars argue that considering the historical precedent and the personality of Zuckerberg, it is likely that the metaverse is going to have a centralised technical architecture and the servers in California will acquire a paramount rank in comparison to the other mere content delivery networks around the globe. It will be clear that the control of the metaverse would necessarily pass through the control of those servers, and the regulatory power would lie with the state where these servers are located (i.e., California).

Also, Facebook already implements different jurisdictions according to its different versions; for example, the German version, knowing that it could face problems with the German regulator, already gives the jurisdiction to Germany. Thus, the argument of the place of the servers is a compelling one, but not the strongest. Many services in Europe have their servers in the Netherlands, but they are not considered an extension of Amsterdam online.

This issue is not clear and will remain as such until the terms and conditions (the ‘Terms’) of the Metaverse are drafted.

ii Applicable laws in the metaverse

Metaverse: a country with its own laws?

Meta offers its metaverse, or will, as it already does with Facebook, allowing a user to create an account. When the account is created, a user is asked (or forced) to accept a contract in the form of the Terms. Are Terms able to become law?

Many civil codes have considered a contract a ‘biding force of legislation’.7 However, this does not entail that a contract is a law itself. It is mostly a hyperbole to explain the strength of a contract between the parties.

In this sense, if we correctly think that the metaverse’s Terms could be able to create a strong contractual bound between the parties, the obligations will just regulate the behaviour among and between the users and between the users and Meta.

However, without the Terms, this issue is a moot point, as we do not have any actual way to ascertain the legal regime that Meta will implement and the degree of freedoms the users will enjoy.

Law of the metaverse or law in the metaverse?

While no Member State of the EU recognises a peculiar and ad hoc legal category for the metaverse, at least not currently, general civil codes and long-time legal traditions are flexible enough to address the issue: as stated, entering into the metaverse is fundamentally entering into a contract and the momentous principles of freedom of contract play a relevant role in establishing relevant rules for the metaverse.

One of the main relevant consequences of the above-mentioned principle is that a contract, unless otherwise specified by law, can discipline whatever the parties agreed.8 Therefore, the legal requirements of the metaverse just need to meet the legal requirements for contract formation in a jurisdiction where the users log in.

In the context of the European Union, this is relevant in relation to the legislation for electronic contracts. Some jurisdictions need to review their domestic law accordingly: this is the case in Germany, where an ad hoc provision, rectius Section 312j of the German Civil Code (BGB), was implemented to create a special regime for electronic contracts that are concluded with consumers. The same happened in France,9 while other jurisdictions, like Spain10 or Italy11 adopted laws in the past that are sufficiently flexible to regulate the matter.

However, some problems related to the contract validity still stand: Is the act of wearing your goggles a contract concluded by behaviour? Is a click enough? There are no practical solutions for these issues and Meta will probably face them when the metaverse will be operative.

However, what should be clear is that the issue is not the law of metaverse, as this is just a reflection of old laws into the metaverse.

iii Jurisdictions in the metaverse

When the metaverse is not bound to the law of country where the server is placed, what general rules of international private law apply? For purposes of efficiency, this section’s discussion will be limited to the US and European frameworks.

European framework

The main international private law regime is the regulation Brussels I. This regulation indicates mandatory jurisdictions for certain topics; however, in general it favours the choice of jurisdiction (certain similar issues have already been raised in the past for electronic commerce).12

In the context of Meta, problems may be brought by Article 7 of the Brussels I regulation which gives a special jurisdiction as follows:

A person domiciled in a Member State may be sued in another Member State:(a) in matters relating to a contract, in the courts for the place of performance of the obligation in question;(b) for the purpose of this provision and unless otherwise agreed, the place of performance of the obligation in question shall be:— in the case of the sale of goods, the place in a Member State where, under the contract, the goods were delivered or should have been delivered,— in the case of the provision of services, the place in a Member State where, under the contract, the services were provided or should have been provided;(c) if point (b) does not apply then point (a) applies;

The article is clearly quite confusing and, it is important to state in advance, the European Court of Justice has not been very helpful in solving the issues.

The article should be read from bottom-up: clause (c) states that the main rule is clause (b) and, if it does not apply, then clause (a).

What clause should apply to the metaverse: (a) or (b)? First of all, clause (b) will most likely not be applicable. It is imaginable that the Terms will include a specific jurisdiction. However, as often, a person shall resort to this article because they do not want to be bound to that jurisdiction and want to counter it. This could also be complicated by other issues such as a service within a service (e.g., advertising).13

Thus, clause (a) applies. What does it mean in the context of the metaverse, the place of performance of the obligation? This could be highly speculative and almost impossible to define with certainty.

In essence, virtual reality is the interaction between a person and a machine, but it cannot be limited to that. What would be the difference between the metaverse and videogames? It is agreeable that the main point of the metaverse is the interactions between users. However, users are in many jurisdictions and how would such interaction be legally translated as ‘performance of the obligation’? It would be quite effective in the countering of Meta, which states that the performance of their obligation is to allow the access of a user and no more.

Apart from the relation between the users, as briefly mentioned, there are also the issues of the business-to-business scenario (e.g., purchasing an item, tailoring it and so forth). Those services would render even more complications to ascertain the correct jurisdiction in the EU, especially because the European Court of Justice is quite reluctant to give clarification to certain aspects such as ‘performance to the obligation’ or ‘service’. They prefer to leave the issue to the substantive applicable law to the contract, which, in this context, would be the worst scenario: how many laws can apply in the context of the metaverse at the same time? If an Estonian user offers services to a Czech user for a service in the metaverse that would impact a Portuguese user, what would be the correct one? What if a Cypriot complains that the service is violating his or her rights?

There is no clear or easy solution: the lack of international rules on such topics preclude any form for abstraction. The only possible solution would be to resort to the relevant international private law of all the jurisdictions involved.

Some authors suggested that courts could evaluate the context in an overall manner: interpreting the metaverse, the semantic contract (the Terms) and any additional coding or documentation. In this way it would be possible to determine the legal obligations between the parties.

In this scenario, if the semantic contract should prevail, unless the parties can demonstrate that their intentions differed, the legal issues would not be different from an ordinary dispute revolving around the jurisdiction of that contract. On the other hand, if the metaverse’s algorithms should prevail, it is not clear what jurisdiction should be given: that of the coders? The one of the server hosting them? The one implementing it?

Moreover, there are other cases in which the code could also form only an integral part of the legally binding contract and not the entirety of the contract. In this case, it would be possible to consider the natural language version as a support to the code (for example, for what concerns the non-operational clauses) and thus the code would be considered to have legal effects. However, while this is theoretically interesting, it would be hardly practical: the expertise of a seasoned judge wouldn’t be doubted; however, his or her ability to understand complex mathematics might be.

Also, in a scenario where the divergences between Member States’ laws about contractual requirements, related to public order for example, the risk that the metaverse would not be brought to a court, and thus be able to elude the law, increases exponentially (at least in one of the Member State involved).14

The natural consequences of these scenarios are that there may be situations in which the metaverse must comply with specific requirements in a jurisdiction and none in another one. Surely the metaverse will test the resilience of the EU international private law in practice, as those problems are not new, but they have never faced a situation with such a degree of disruptiveness: only an open and robust case law will be able to clarify it.15

iv US framework

A completely different approach is the one offered by the United States, where it is reckoned that the metaverse’s Terms are more autonomous than in the EU context. This would mean that they can most likely be enforceable under general federal contract law principles.16 As a consequence, the rule of conflict merely follows the terms.

US scholars have considered that the mix of terms and general common law principles could provide sufficient legal basis for the metaverse. In this way it could be that, as long as the metaverse has been embedded with the terms of a legal contract, it does not require any additional ad hoc law.

However, additional legislation at a state level could increase the fragmentation and ultimately jeopardise any incentives to innovation. Additionally, certain issues could manifest from the US constitution (freedom of speech? relation to slavery in the metaverse?).

However, even in the presence of all these issues, the United States seems to offer a certain degree of flexibility as they have a long tradition in dealing with electronic contracts and all the issues that technology poses.17 In the United States, corporations resort more often to arbitration than courts as per their traditions of freedom and free market.

Lastly, as the US approach usually stems from the industry, it is possible that they would prefer to allow Meta to grow, and only at a later stage regulate it in a strict manner (as was the case of the famous Section 230 for the internet, as it protects the providers from liabilities at certain conditions). However, it is unlikely, given the current political situation that this approach would influence other jurisdictions or a global standard. The internet is already undergoing a fragmentation and splitting; in this setting, the metaverse could even be seen as a saviour.

II Metaverse and Substantive Law

iLand and the metaverse

The metaverse aims to be a new frontier of space as understood and construed by a human’s mind. However, it is without any doubt an artificial and mental construction.

The idea of what a land is in the metaverse can be broken down into two meanings: (1) the land in the metaverse representing or corresponding to a land in the reality; and (2) the land in the metaverse representing a fantasy.

Those can refer to the case of the selling or purchasing of a land inside the metaverse with effects both inside and outside the metaverse.

The following sections will try to understand what rules could apply to each case.

ii Property law in the metaverse

The concept of property is quite clear: it is the power to use, in any manner, land. This also entails the right to exclude others or to modify it according to the applicable law.

It is clear that land in the metaverse is not something physically real, because the metaverse is essentially turning an electric signal into imagination. The sensorial perception is just limited to sight, while a real property is related to all other senses.

The essence of a fictional property is more closely linked to the concept defined by intellectual property law (IP), without the need to create a new category of rights.

Thus, the concept of ‘property’ as elaborated by land law is not completely correct. However, for linguistic simplicity, it will be used.

Acquiring and selling a property in the metaverse

As stated, there is no real property in the metaverse, but only a different particular form of IP. While this can be disappointing, as property entails stronger rights, it is actually better for what concerns other aspects of a property.

In relation to environmental friendliness and public interest, the interesting feature of the metaverse is that one can actually develop a property without destroying a natural park or risking polluting the area, for example; thus, granting a greater level of freedom.

Additionally, as opposed to requiring a high degree of formality for the acquisition such as a burdensome contract or sometimes registering the transcription into a public registry (i.e., Germany, Italy, Malta and others), in case of an IP, the transfer can happen by a simple agreement.

However, as explained later, IP may allow certain exemptions of the originality protection, which is weaker than the protections given to a property.

The above relate to the situation of a real or fantasy property in the metaverse having effects in the metaverse. What about the case of a purchase of a property outside the metaverse that is just visited via the metaverse?

The last case is particular interesting: there is nothing in traditional law that forbids a party to visit a premises in a digital version. Photos or videos are allowed in such case. In this situation, the matter is more technical: the metaverse must guarantee (using hash stamps?) that the property is corresponding to the real one. Once this is guaranteed, then there is not a real issue as the metaverse property is just a small part of a broader ‘real’ property contract.

Renting a property in the metaverse

For renting, the situation is a bit more complicated.

An intellectual property is not rented, just licensed. However, an IP licence is a certain degree weaker than the right granted by a rental agreement. Moreover, Meta itself is offering a sort of rent space to users, so a further licensing would be sub-renting/licensing, which would require the approval of Meta (though it is foreseeable that Meta would waive its right to allow the metaverse to thrive).

For this reason, it is imaginable that the rent of a property in the metaverse mostly relies on the content of the contract along with the ability of the provider to enforce it, according to the mechanism (legal or inside the metaverse) that will be provided when the Terms are released.

Some companies are already selling and renting spaces in the metaverse exploiting the function of non-fungible tokens (NFT). They believe this would guarantee a better degree of certainty as the NFT gives a certification of an owner over a given certificate (referring to a certain piece of art). This is an astonishing bet as there is no guarantee that the terms of meta would allow interoperability with such technology: it could be in the interest of Meta to licence its own NTFs and cryptocurrencies. However, this will be settled by further development of the metaverse by Meta.

iii Contract and the metaverse in the metaverse

As we have stressed, the entire metaverse is a fictional concept. Thus, everything that happens inside is mostly related to services provided by the main providers (server, Meta, etc.) and others.

The main issue of the metaverse is an issue of contract: everything from the registration to the in-game activities, passing through Terms, will be a contract as it is usually in the real world.

Entering into a contract into the metaverse

While it is clear that a user, when logging in, is entering into a contract with Meta and other related providers, it is also clear that users can also enter into a contract in the metaverse with other users for certain services.

Both in common law and civil law, the freedom of contractual form is set forth in codes, statues or case law. For certain contracts, a specific form (i.e., written) could be requested by the law. However, it is imaginable that this will not be an issue for the metaverse environment as most of the contract inside it will be, one way or another, that of service.

In the event that, as already mentioned, the metaverse is just a conduit for activities outside the metaverse (e.g., selling a necklace that is represented inside the metaverse), this would not necessarily pose legal challenges, but technical ones.

On the other hand, the contract concluded inside it is always referring to certain services a person is offering to another (or a software to a person) within the game. In this case, the flexibility of contract law allows users to proceed and is not conceptually far from smart contracts.

The issue will become a matter of presentation of the agreement itself, in all its elements, and how they will entwine with the Terms of Meta. At this point it is unlikely to assume that Meta will allow a great freedom of operations. However, this will be detailed when the Terms are released.

Performance of a contract

The performance of the contract, with effects inside the metaverse, is also not problematic.

The performance itself is heavily dependent on external factors of the parties. While this can sound obvious, as every contract carries the risk of non-performance, the parties are relying on factors they have no control over: if the selling of goods require that there is a stock, which can be foreseen on a certain extent, the services in the metaverse rely on the main providers (meta, internet, electricity and so forth) and on the exact execution of the algorithm.

If an algorithm is corrupted and the contract is not performed as established, this could be a hindrance as the parties could not establish it in advance and it is also possible they never realise it.

Thus, the main point is: is the algorithm part of the contract? The answer is not clear. However, denying that an algorithm constitutes a central part of the description of a service in the metaverse would render the service lacking a description. It is general contract law that a contract, to exist, requires the object to be described with a certain degree of precision. Without this, it would be more similar to the concept of an ‘impossible contract’ of civil law as the object of it does not exist itself. This crucial point is most likely to be solved by a court, as it is likely that Meta will try to promote its exclusive control over the algorithms.

Terminating a contract

Terminating a contract does not seem to be a matter of particular relevance. However, this would be the case when the termination is mutually agreed or respecting the terms.

The most difficult part would be for reasons of termination such as hardship, duress, misrepresentation and any other excuse for non-performance.

Most of the problems that would relate to those have already been introduced: the role of algorithms, the flexibility of law and so forth. Others, such as the identification of a party, will be discussed later.

In this context, it is important to bear in mind that this situation will most likely not be solved inside the metaverse and lead the parties to resort to a court or any other alternative dispute resolution. Meta should struggle to keep the environment objective and impartial.

It is possible to assume that in the metaverse, one party, technically skilled, is able to manipulate the appearance of the metaverse in such a way where one party sells an apple, but the other party sees a pear.

Thus, it is important that Meta keeps at a minimum the possibility of the users to ‘cheat’ (using a word borrowed from videogame law). However, anti-cheating would lead to other problems that we will see when discussing data protection.

iv Tort and the metaverse

Conceptually, the problem of tort is similar to those of property: tort requires a real physical harm to a person, even if potential or in fear of a potential damage. On the other hand, the metaverse is digital and not real. Is there no room for tort? The answer is quite complicated.

While it is clear that it cannot be, in the context of trespass to person for example, a battery (a fist on the metaverse would clearly be nothing more than a ‘jump scare’ borrowing from movie jargon) or an assault (because there will never be a real threat), there is still room for some discussion.

Nuisance could be undertaken from one user against another. Most likely certain forms of online stalking would be able to be punished in the form of tort. This will depend on how courts around the world will define the tort according to their own laws.

However, one of the most interesting elements is that if one person is addicted or heavily dependent on the metaverse, could a simple joke (i.e., ‘your avatar has been banned’) be able to constitute a tort? Most likely, yes. If the joke is able to affect the person, causing a real and evidence-backed shock or a measurable disease (vomit, debilitation, headaches), it is most likely to be accepted as such in certain jurisdictions: in the United Kingdom, the famous Wilkinson v. Downtown related to a similar situation (a woman heard a joke regarding the injury of her husband which caused her severe distress).

However, it is quite difficult to analyse this as a tort as it is highly dependent on territory and is thus elaborated upon within the law and legal doctrine of a country.

Libel and defamation

Contrary to other torts, there is no real issue for what concerns tort against honour and reputation.

At first, the metaverse may not be intensively populated by users and therefore this kind of tort would be considered less than a defamation via newspaper. This could change according to how the metaverse will evolve.

Nonetheless, it is clear that the honour and reputation of a person will be brought into the metaverse: if a user cannot travel thought the metaverse for fear that his or her reputation has been undermined, this would clearly have an effect.

The reputation of a fictional character would be an interesting challenge. Laws already cover the reputation of pen name or other artistic name. In this case, the step is further: you are covering the entirety of the representation of a person in the metaverse, their honour and reputation.

In this context, it is possible that common law jurisdictions, which are more open to recognise such persons, will address the issue in a legal manner more than the civil law jurisdictions, which seem less interested in avatars or fake accounts online. Even in this case, the community, the reputation, the likelihood of being recognised as an individual (even if a fictitious one) will play a role.

Misuse of personal information

Hacking, identity theft and the like are clearly crimes. However, there is also an aspect of tort; if information gathered is able to give an unfair advantage against a certain user, what could be done?

This is probably one of the central torts of the metaverse, as a digital service would be most likely affected by cybercriminals.

Putting aside the criminal part, this tort is quite elusive, but there is clearly a possibility to elaborate the misuse of information. Currently, courts in the European Union tend to be quite open to quantify such damages (even if a small amount). This is expected to continue for the metaverse. Moreover, if common law jurisdictions will allow the award of punitive damages, this would open up new scenarios given the theoretical impact of a parallel digital world. As already stated for libel, this is expected to be developed through time.

v A person in the metaverse

What is a person? What distinguishes a natural person from a legal one or a fictional character? The representation in the metaverse is not a person per se, but the reflection of a real person.

In such context a relevant point becomes momentous: how can we identify a user? A common problem of information technology law is that you can establish, with a good degree of certainty, the computer that did something, but not who was behind it. Clearly, there are elements that can help: if a person chooses an avatar that fairly represents a person who is known to use a certain machine, it is a fair legal presumption that the avatar corresponds to that person.

However, what if, for any reason, a person claims not to be the same as one avatar?

This could be addressed by Meta in two ways: one is technological and the other is legal (and, clearly, a hybrid solution could be implemented).

From a technical point of view, there are technologies already used to identify a user. The most common, usually used by financial services, is the photo of an identification document and a service. Then an artificial intelligence makes the comparison. This could be implemented in a way that is even data protection and privacy friendly (if only a one-way algorithm is used for identification).

From a legal point of view, unless someone objects, the avatar must be presumed to be linked to that person – similar to how signatures are interpreted.

While both have advantages and disadvantages, the issue may be regarded as more technological than legal. In this case, such presumptions would be dangerous as a person may not be aware of an avatar ‘using’ his or her characteristics. It would be burdensome to leave to users the duty to monitor their own images in a vast place such as the metaverse could be, while Meta could just implement technologies for this purpose.

vi Data protection

Personal data has been the main issue for the last three decades. Information technologies give the power to constantly monitor people and extrapolate data from each and every aspect of someone’s life: whether awake, asleep, resting or working.

Given this, it is clear that the metaverse poses a high risk for privacy (as general protection or private life) and data protection. Meta is theoretically able to monitor every second that a user spends in the metaverse, analyse in real time what he or she is doing and sell the data for the right profit to provide, for example, behavioural advertisement. However, the commercial side is not the online one: naturally governments would be particularly interested in targeting citizens that could be suspected of illegal activities (and this assuming that the government is a democratic one). In other words, Meta brings the surveillance capitalism to its highest peak.

However, Meta still has to comply with the law of states and, as such, it is likely to be hindered by legislation such as the General Data Protection Regulation (GDPR) and all the laws based on that, as it would be quite complicated, from a technical point of view, to tailor the surveillance according to the applicable jurisdiction (and this is worsened by the interaction between users and the possible jurisdictions involved).

Data protection principles in the metaverse

In order to avoid an Orwellian nightmare, the metaverse should try to integrate the main principles of data protection.

Such principles may be an incredible effort for Meta, but they are in fact an opportunity. They would be allowed to understand what they really need and how to develop a solid business model.

In order to monitor the behaviour of the users to avoid cheating, Meta could deploy anti-cheat mechanisms that are privacy friendly. This will be difficult but it will not be impossible as such tools are used by other game providers.

The ability to embed those principles into the algorithm (which is a part of ‘Privacy by Design’) and other features will be the central challenge of Meta. At the current stage, we have no hint of how they wish to proceed. Thus, we can only raise awareness that the risks are quite substantial and that the metaverse could be a place with virtually no privacy, where a user is milked from his or her data in each moment.

Data protection rights in the metaverse

GDPR provides certain privacy rights and protection.18 How can those be enforced in the metaverse? This issue is another compelling challenge of Meta, as each right would have its own problem: the right to data portability requires that the data are provided in a commonly used format. What would that be in the case of the metaverse? Accessing the data, on the other hand, requires that they are not machine readable, but human intelligible. How could that be? What would be the manner to provide an opt-out to legitimate interest to the data subject? To what extent would the objection against the legitimate interest of Meta be able to be derogated by lex specialis such as the e-privacy directive (soon to be e-privacy regulation)?

At this current point, it is impossible to foresee how Meta wishes to implement the execution of the rights. It is also possible, even if unlikely, that they will try to avoid GDPR, forbidding European users to join the metaverse. Time will tell the solution developed.

Data ownership in the metaverse

Another extremely relevant issue is data ownership. Who owns someone’s data in the metaverse?

While it is clear that there is one main controller (Meta), the relationship of other subjects in the metaverse is quite complicated.

If we apply the tendency that the European Court of Justice started with the famous case of Wirtschaftsakademie Schleswig-Holstein (C 210-16), which involved the ownership of a Facebook page, we would notice that the court, when in doubt, prefers to give joint controllership.

Thus, in the context of the metaverse, it is possible that this would apply mutantis mutandis: Meta will be a controller, but whoever a user could interact with (e.g., a shop) will be a controller too. However, this would quite complicate the numbers of joint controllers. How this would affect rights, freedoms and other data protection issues is impossible to foresee at this stage.

vii IP and the metaverse

In the beginning, it was mentioned that the creation of something in the metaverse is substantially comparable to the creation of intellectual property. The originality and effort of a mind substantiate into an original creation in the metaverse: be it a house, an item or an avatar itself.

The level of originality and creativity related to the right is known as artistic rights or copyright. It can be said with a certain degree of confidence that most of the metaverse consists of copyright.

However, it is also possible that other intellectual properties like trademarks could be included in the metaverse. Patents and design should not be included as they are too linked to reality to have any appreciable matter in the metaverse.

Trademarks and the metaverse

In case of a trademark, a visual element able to link a certain good or service to a specific entity does not pose a real problem: the trademark system is based on registration in national or international offices. Once an office has accepted the registration and no one has opposed it, it is a choice of the holder of that trademark what to do with it: use it wherever he or she wishes (including the metaverse) or not (with the risk revocation for non-usage).

The case of trademarks that have not been registered (unregistered trademark or, as it is often called, common law trademark) requires to distinguish between a trademark existing outside the metaverse and integrated in it, and a trademark developed inside the metaverse and used only within it as well as expanding from it.

The first case is quite straightforward: as it is possible for a trademark to be used on a newspaper or on the internet, there is no main issue to integrate in within the metaverse to indicate a specific service or even good. The scale of the users will be used to prove the acquired distinctiveness of the trademark itself.

The second case once again depends on the scale and the capacity to reach an average consumer. If a trademark is developed inside the metaverse, as long as it is able to generate a proper link between the offered service and the graphical sign developed by an entity, then there should be virtually no issue in allowing it the (weaker) protection of an unregistered trademark.

Again, the scale of the metaverse would impact this issue.

Copyright and the metaverse

The fulcrum of the thesis of this article is that, in essence, the metaverse is a gigantic receptacle of contents created by users. Such content will refer to the legal protection given to copyright.

Copyright is the protection given to a work of intellects that develop an original work. The protection is fairly strong, does not require registration (a copyright is valid at the moment of the creation), is quite long-lasting (usually the life of the author and then 50 to 100 years) and able to cover everything that is not an industrial right (all form of arts, software algorithms and so forth).

Copyright is also quite flexible as it is able to distinguish between the moral rights (the authorship and the like) that cannot be given to someone else (as the author is clearly an identified individual), and the economic rights that stem from the copyright, which can be given by agreement to another person or entity.

The control given to an author on his or her work product is quite pervasive: control over derivative works, translation and further performance is granted. Through agreements, an author may license his or her work to someone else, while still conserving all the rights. On the other hand, copyright law allows a greater degree of exceptions: inter alia, parody, educational, personal use. Those last points would be of great relevance in the metaverse as each state can choose its own exemptions. How Meta will handle this complicated mosaic of laws is not exactly clear. The main risk is that Meta will use the ‘shoot first, ask questions later’ approach: whoever claims a copyright against another user will be granted the execution of the claim, without asking the user whether he or she has the right over that work. This has been the praxis of YouTube and it is imaginable it would translate into the metaverse. However, this, as it has been stressed over and over throughout this chapter, will strongly depend on the Terms of Meta.

III Conclusion

The metaverse has within its potential the possibility of being a game changer, but maybe not the ‘next big thing’ in law.

Certain issues it generates are significantly new, others are something that the legal theory has already addressed, and some would only require some deeper analyses.

The most significant challenges will be to define clearly the law and the jurisdiction and what kind of service the metaverse is.

Also, everything discussed, till the moment of availability of the metaverse, is moot and speculative. A relevant, central and paramount role will be played by the Terms of Meta.

It is only possible to hope that they will be reasonable and broader than the mere interest of Meta.

It is impossible to foresee the impact on these issues without seeing what would happen in practice. We cannot go back, the only possibility is to steer into the future and try to profit from it, or to be doomed in a worse manner than the unlucky famous Gatsby: we cannot be borne back ceaselessly, because we no longer have a past to go to.