PRIVACY THOUGHTS WITH KARA KELLY The metaverse presents many unique challenges to individuals’ privacy. Data minimisation—the need to collect only data necessary to conduct processing activities—is a principle of data protection regulations. A challenge posed by the metaverse is that the data processing required to create immersive environments is expected to result in massive collections of data about individuals, from health data to financial data. Companies in the metaverse such as JP Morgan, Walmart, Nike and Samsung may soon have access to surveillance data from business engagement and sales, exposing us to highly commercialised digital spaces where overcollection of data may become unavoidable. The 2022 Deloitte Australia Privacy Index stressed the link between consumer behaviour and privacy with 51 percent of individuals surveyed saying they were uncomfortable with their behaviour being subject to online surveillance. So, how do companies create these environments while managing consumer expectations of data minimisation? Meta is one company that has attempted to overcome this challenge. As of August 2022, users of Meta’s virtual reality (VR) devices will no longer need their Facebook account details to log in. However, Meta will still require name, email address, phone number, payment information and date of birth for age verification to create this new type of account. This practice raises the question of whether or not Meta is adhering to the principle of data minimisation.
How do we address the risk of overcollection of personal information in the metaverse?
and explain this to their users in a manner that
Most data protection laws are drafted to be agnostic
allows for informed decisions. Companies looking to
in their treatment of new technologies, and are
benefit long term in the metaverse by engaging with
applicable to the metaverse. The EU’s General Data
individuals must examine their data collection needs
Protection Regulations (GDPR) and China’s Personal
and build trust through transparency.
Information Protection Law (PIPL) specifically persons living within their territories regardless of
SECURITY THOUGHTS WITH SARAH IANNANTUONO
where the data gathered is processed. They also
The metaverse represents a convergence of multiple
require a high level of transparency from entities
technologies. This makes security a top priority
processing the personal information of individuals.
for metaverse development if the opportunities it
Such entities must be able to identify exactly what
creates are to be exploited. With countries like South
they are collecting and processing in the metaverse
Korea investing $US177.1 million into the metaverse
mention monitoring the behaviours of natural
102
W O M E N I N S E C U R I T Y M A G A Z I N E
N O V E M B E R • D E C E M B E R 2022