PRIVACY IN A PROGRAMMED PLATFORM: HOW THE GENERAL DATA PROTECTION REGULATION APPLIES TO THE METAVERSE.

Author: Martin, Baily

TABLE OF CONTENTS

I. INTRODUCTION
II. GDPR: GENERAL, OR GLOBAL, DATA PROTECTION REGULATION?
  A. History of Europe's Privacy Landscape That Led to the General Data Protection Regulation
  B. Goals of the General Data Protection Regulation
III. THE METAVERSE, A MICROCOSM BUILT ON DATA
  A. Facebook Patents for the Metaverse
IV. THE META-TERRITORIAL REACH OF THE GENERAL DATA PROTECTION REGULATION
  A. Privacy Concerns in the Metaverse
  B. Suggested Amendments to the General Data Protection Regulation to Better Protect Metaverse Users
V. CONCLUSION

I. INTRODUCTION

Though the General Data Protection Regulation ("GDPR"), (1) the European Union's data protection and privacy regulation, was once heralded as "the toughest privacy and security law in the world," (2) the metaverse may soon expose the shortcomings of this "gold standard" of privacy regulation. (3) Hoping to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business, (4) the European Parliament approved the GDPR in April 2016, and it went into effect on May 25, 2018. (5) Mass adoption of the new privacy standards by international companies has been cited as an example of the "Brussels effect," a phenomenon wherein laws and regulations by the European Union ("EU") are used as a baseline due to their unilateral power to regulate global markets. (6)

In theory, the GDPR only applies to EU citizens' data, but the ubiquity of the Internet--housing around 5 million terabytes of data (7)--means that nearly every online service is affected by the regulation. The next iteration of the Internet lies in the metaverse, an integration of reality and a virtual world, "a 'place' parallel to the physical world." (8) Although "[t]here is no single owner of the whole [metaverse]," (9) this Note focuses on Facebook, renamed Meta, because the technology behemoth with about three billion users has said that it wants to be seen as a metaverse company rather than a social media one. (10) Because Facebook decided to focus its metaverse development in Europe, the GDPR will have a central role in regulating the metaverse. (11)

Just as social media platforms have eroded privacy, the metaverse will spur thorny issues as it gains widespread user traction. In 2020, each Internet user created 1.7 megabytes of data every second he or she was online. (12) The metaverse is projected to increase data usage of each Internet user by twenty times in the next ten years. (13) The GDPR is currently not equipped to protect metaverse users from data misuse. Therefore, amendments taking account of consent, transfers, and technology (particularly artificial intelligence, blockchain, and cybersecurity) are imperative before the metaverse is more widely implemented. Applying the GDPR framework to the metaverse's data practices provides a stress test as to the efficacy of a privacy-conscious programmed platform.

The discussion about regulating cyberspace is, of course, not a novel one. Also known as "virtual reality," cyberspace refers to the online world as a world apart, as distinct from everyday reality. (14) In a 1996 law review article, Judge Frank H. Easterbrook suggested that distinguishing cyberspace as a separate regulatory environment was like focusing on the abstract "law of the horse" rather than applying traditional doctrines to laws affecting horses. (15) Three years later, Professor Lawrence Lessig of Harvard Law School argued that existing laws are also open to interpretation, resulting in "latent ambiguities" that arise when trying to apply them to new situations. (16) Essentially, he categorizes cyberspace as "exceptional" enough--deviating from traditional legal standards--to warrant its own specific rules.

Through an "exceptionalism analysis," (17) this Note will explore whether the GDPR's extraterritorial privacy protections could extend to the metaverse. Part II provides background on the GDPR with a particular focus on the goals of the legislation. (18) Part III explains current and prospective metaverse development with a brief explanation of the technology that raises privacy concerns. Marrying the first two parts, Part IV applies the GDPR to the metaverse. Part IV determines that the metaverse undermines the goals of the GDPR and, thus, suggests potential changes to the law to better accommodate this next evolution of the Internet. Ultimately, this Note argues that the metaverse is exceptional in relation to traditional social media platforms, and that regulations should evolve accordingly to address new developments in cyberspace. (19)

  II. GDPR: GENERAL, OR GLOBAL, DATA PROTECTION REGULATION?

    Understanding the evolution of the EU's privacy landscape contextualizes the GDPR in the data protection efforts around the globe and explains the changes the GDPR requires of the existing European framework.

    A. History of Europe's Privacy Landscape That Led to the General Data Protection Regulation

      The GDPR is a complex document consisting of 11 chapters, 99 articles, and 173 recitals. (20) It is the encapsulation of a decades-long effort to codify a right to privacy. In 1950, the newly-formed Council of Europe articulated that every person has the "right to respect for his private and family life, his home and his correspondence" in Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms. (21) Although the court established by the Convention, the European Court of Human Rights, has interpreted Article 8 broadly, (22) the right has not been applied in the data transfer context. (23)

      Instead, in 1980, the Organisation for Economic Co-operation and Development ("OECD"), comprised of 38 member countries (24) (including 22 EU member states), (25) published "Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data." The document established several important principles of data protection and privacy that are reflected in the GDPR. (26) Referred to as a think tank or a monitoring group, the OECD aims "to shape policies that foster prosperity, equality, opportunity and well-being for all"; (27) thus, the guidelines are a non-binding and voluntary framework. Particularly as European nations sought to develop implementation measures to actualize the guidelines, several individual--and at times conflicting--privacy laws were passed by OECD member states. (28)

      As a result, in 1995, the European Commission ("the Commission"), the executive branch of the EU, attempted to solve some of the problems caused by the mosaic of European privacy laws resulting from the OECD framework. Data Protection Directive 95/46/EC required each EU member state to adopt privacy laws "equivalent" to one another. (29) However, "equivalent" did not necessitate "identical." (30) Moreover, EU directives are addressed to the member states and are legally binding on individuals only insofar as each member state transposes a directive into internal law. (31) In turn, data privacy laws would change depending on an individual's location within Europe.

      Almost two decades later, the Commission updated the 1995 directive to reflect "a comprehensive approach on personal data protection." (32) In 2011, debates surrounding how to update the 1995 directive culminated in the GDPR. Unlike directives, which articulate certain goals, regulations have binding legal force throughout every member state. (33) In addition to harmonization, the law aimed to strengthen individuals' fundamental rights and facilitate the cross-border movement of personal data. (34) And yet, the GDPR is described as "the most contested law in the EU's history, the product of years of intense negotiation and thousands of proposed amendments" (35)--a reflection of the divergent interests at stake. For example, corporations, governments, and academic institutions all process personal data, but they use it for different purposes.

      Europe's challenges risk undermining efforts elsewhere in the world to create tougher privacy rules. On a macro scale, another reason for the regulation's complexity and ambiguity is that EU member states "have different historical experiences and contemporary attitudes about data collection." (36) Despite the convoluted principles--for example, the GDPR "promises to ease restrictions on data flows while allowing citizens to control their personal data" (37)--the regulation has seemingly served as a prototype for comprehensive data protection legislation in other countries. For instance, commentators have described China's Personal Information Security Specification, which defines technical standards related to the collection, storage, use, sharing, transfer, and disclosure of personal information, as modeled on the GDPR. (38) Others have warned that the GDPR is likely to result in unintended negative consequences. (39)

    B. Goals of the General Data Protection Regulation

      The objective of the GDPR is to safeguard the right to personal data protection, while ensuring that data moves freely within the EU. (40) In 2011, several high-profile incidents of personal data loss across Europe "prompted wide discussion on the level of security given to personal information shared, processed, stored, and transmitted electronically." (41) It also marked the first year that more than half of the United States ("U.S.") population had a social media profile. (42) The ubiquity of social media (43)--coupled with the acknowledgment that data can reveal intimate details about a person, such as "insights about your personality, your political leanings, how you spend your free time, your opinions on all manner of topics, what your priorities are, how you feel about yourself, and even where you physically are at any given moment" (44)--catalyzed discussions of a new data protection regime in the EU.

      After more than four years of negotiation and roughly four thousand amendments, (45) the...
