On 27 January 2023, the National Commission for Data Protection (Commission Nationale pour la Protection des Données - CNPD) organised a conference entitled "The metaverse: what reality for privacy rights and freedoms?" in the context of the 17th edition of the Data Privacy Day.
Metaverse, Myth or Reality?
This was one of the questions asked at the conference, where professionals in the field discussed the place, promises, challenges and realities of the metaverse.
Mr Arnaud Lambert, Director of the Digital Transformation Department at Luxinnovation, opened the conference by proposing several definitions of the subject. He then presented the different aspects of this new social universe combining physical reality and augmented or virtual reality. An overview was given of this ecosystem from a global and local perspective. He highlighted the many opportunities offered by the metaverse, but also warned about the risks related to privacy and data security.
Dr Kerstin Bongard-Blanchy, lecturer and researcher at the Human-Computer-Interaction group of the University of Luxembourg, and Dr Olivier Buchheit, founder of Sonopraxis, then shared their insights into the sociological dimension of the metaverse. They discussed the developments in human-computer interaction necessary for a complete immersion into the metaverse and the new possibilities that may arise from it. They identified the resulting psychological effects of using this digital universe on the individual and his or her social interaction in the real world, due in particular to the existence of a digital identity.
Mr Alexandre Kuhn and Mr Maxime Dufour, from the CNPD's Awareness Department, then addressed the issues related to the protection of personal data in the metaverse. In particular, they highlighted that the change in the typology of data and the mass of collected data, especially biometric data, represents a serious challenge for metaverse actors in terms of security and respect for the rights of the subject as provided for by the GDPR. Other existing and forthcoming legislative instruments were also cited which de facto apply or will apply to these parallel universes and provide a framework for them (DMA, DSA, DGA, DA, AI Act, Cyber Resilience Act).
In conclusion, the conference showed that the metaverse is an exciting universe in the making that offers many opportunities, but also faces many challenges. It should be seen more as an evolution than a revolution and does not, at this stage, necessarily require new regulations. The RGPD, a technology agnostic legal framework, will continue to apply also to the processing of personal data in the meta-verse. Luxembourg, as a promoter of innovation, must be attentive to these challenges in order to make the most of this development.
A symbolic date that is more relevant than ever
Data Privacy Day refers to the opening for signature of the Council of Europe's "Convention 108" on 28 January 1981. The first international legal instrument in this field, the convention establishes the basic principles of data protection that are still universally recognised.
Data Privacy Day was created to raise public awareness of the importance of protecting one’s personal data and respecting individuals’ fundamental rights and freedoms, in particular their right to privacy.
Data Protection Day 2023