When virtual reality hits Part 2

If you haven't already, please have a quick read through Part One, which provides some background to what the concept of the metaverse is, and our thoughts on how metaverses will be adopted in the workplace in the near future. If you're already a metaverse expert or just need some quick data protection advice…read on!

Why are data protection regulations relevant to the metaverse?

As the metaverse has gone from a vague idea to an emerging reality over the past few years, one of the most consistent issues which has been raised is the amount of data that will be required in order to realise the ultimate potential of the metaverse – the interoperable, integrated, accessible and living experience that we explored in Part One.

The full functionality of a metaverse is reliant on hardware being able to use and track an individual's movements, facial expression, tone of voice and body language, and mimic that in the metaverse in order to create a realistic experience for the individual and other users. This will involve the processing of high volumes of personal data and in many cases special categories of personal data since the data being processed (e.g. physiological responses, employee movements) will be considered biometric or health information.

What do employers need to do to lawfully process the data required to adopt a metaverse?

Employers are considered data controllers of their employee data for the purposes of the UK General Data Protection Regulation. Under the GDPR, every time a business wants to collect or process data about its employees it will need to establish that it has a lawful basis for doing so.

We have considered below what these lawful bases could be:

• Where processing is necessary for the performance of the employee contract (or, for special categories of personal data, where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the employer or employee in connection with employment).

In these situations, the processing must be necessary for the company to fulfil its role.

For example, if a role involves significant health risks or hazards, such as roles in the defence sector, an employer may have a stronger argument that the use of a metaverse and virtual reality for training is a necessary part of the job and ensures compliance by the business with health and safety obligations. However, this is a high bar that is currently untested. Because of this, it's probably unlikely that most employers would be able to meet it at the moment and in the near future, except in limited situations.

• Where processing of personal data is necessary for the purposes of legitimate interests pursued by the employer or by a third party.

In this case, the processing must not only be necessary for the employer, but must be balanced against the interests or rights and freedoms of the employee. At the moment, metaverses are not yet woven into everyday society and employment in the same way that, for example, social media is. Because of this, most employers are unlikely to be able to rely on this lawful basis for wide ranging processing of personal data in the metaverses in the near future. However, as the metaverses become more ingrained in our day-to-day lives the balance may start to shift and we might see use of a metaverse becoming more necessary for businesses to the extent that it justifies the infringement of employee privacy. Special category data needs an additional lawful basis, and for this employers may need to look to explicit consent.

This will only be available in exceptional circumstances where consent can be freely given, which is rarely the case in an employment context due to the imbalance of power between an employee and their employer.

Where one of the above lawful bases for processing apply, employers will still have a couple of further hoops to jump through including, at a minimum:

a) being transparent about their processing of personal data in the metaverses, including by providing detailed information about it in their employee privacy notices;

b) considering whether such processing is adequate, relevant and limited to what is necessary within the employment context; and

c) implementing appropriate data security and retention policies.

Is all this going to stop businesses from adopting a metaverse?

We won't see the full functionality of metaverses being generally accessible for quite a few years, and as metaverses grow in popularity and become increasingly embedded in employees' day-to-day lives, we anticipate that new guidance will be introduced to better enable use of metaverses within carefully controlled boundaries.

In the meantime as metaverses develop, we don't think that data protection compliance will be a barrier for employers who want to begin to adopt a metaverse. If employees are given real choice in how they participate it will be possible for employers to at least start to test the waters.