Metaverse Fashion Week in Decentraland, one of the most popular virtual worlds.
Legal Watch No. 48 – June 2022
Brave New World
In March 2022, the Metaverse Fashion Week event took place in Decentraland, one of the most popular virtual worlds.
An online concert streamed on the Fortnite gaming platform recently attracted 12 million viewers.
A virtual world is developing today, without its human, economic and social implications having yet been fully understood.
The European Parliament's recently published report on this topic states that by 2026, 25% of people will spend at least one hour a day in the metaverse for work, shopping, education, social activities and/or entertainment.
Many commercial companies have started to develop their own platforms there, even when their activities have only a very remote connection with digital technology.
The Metaverse can be described as an immersive, persistent 3D virtual world in which people interact through an avatar to enjoy entertainment, make purchases and transactions, or work without leaving their homes.
The economic metaverse ecosystem leverages blockchain and cryptocurrency technologies, such as non-fungible tokens (NFTs), to monetize transactions in the digital environment.
This evolution of the web raises many questions, particularly regarding the application of the law.
How can we practically regulate online mergers and acquisitions, harassment, more or less legal transactions carried out in cryptocurrencies, massive data collection concerning individuals' behavior via their avatars, or even the surveillance of individuals online by law enforcement?
The stakes are high with regard to the GDPR, as highlighted in a recent article published on May 20 in the newspaper Le Monde, and as the European Parliament points out, given the unprecedented quality and quantity of data collected.
These may include facial expressions, gestures, or other types of physical or emotional reactions that an avatar may produce during interactions, captured in real time and without the user being aware of it.
Sensitive data such as biometric data can thus be collected.
This information will, for example, allow companies to better understand user behavior and adapt advertising campaigns in a highly targeted manner.
Are the existing rules adapted to this new universe?
How can we obtain individuals' consent to such data collection, and who is responsible for the collection, in an environment where roles are multiple and where it is all the more difficult to identify the data controller?
How should we manage interactions with artificial intelligence, which is inherent in the functioning of the Metaverse, and the automated decisions that result from it?
Several avenues are being explored, based not only on the GDPR, but also on proposed European regulations concerning artificial intelligence and data governance.
Let us mention the role of data intermediaries, who could centralize users' authorizations regarding the use of their data.
The proposed data governance regulation provides for the protection of personal data spaces, or data portfolios, by regulating data sharing and controlling individuals' consent.
However, to the extent that intermediaries use artificial intelligence in data management, safeguards are necessary to prevent misappropriation and abuse.
It should be recalled that these two proposed regulations have been the subject of comments from the European Data Protection Supervisor and the European Data Protection Board, which insist on respect for the principle of purpose limitation in the use of data, and call for measures that provide more controls and guarantees for the data subject, for example codes of conduct or certification mechanisms.
Authorities also have reservations about social scoring in the context of social networks in general, and even more so in the Metaverse.
Particular attention should also be paid to the protection of vulnerable groups, particularly children, in order to verify their age and discourage them from providing their personal data.
Some further advocate for an open and decentralized Metaverse, controlled by the users themselves in the form of decentralized autonomous organizations (DAOs).
In this type of model, different from a centralized business model, users would have more control over their data and its sharing.
Here again, in addition to regulatory guidelines, codes of conduct and certification mechanisms would contribute to greater legal certainty.
A few answers to a lot of questions...
In any case, the application of the law will not be achieved without greater accountability from the actors concerned.
And also
France:
On June 7, the CNIL published questions and answers regarding the use of Google Analytics.
The Commission has ordered several organisations to comply with the GDPR, as none of the additional safeguards presented to it have been sufficient to prevent US intelligence services from accessing the personal data of European users.
A solution using a proxy to avoid any direct contact between the Internet user's terminal and the servers of the measurement tool could, according to the CNIL, be possible, provided that this proxy server meets a set of criteria in line with the recommendations of the European Data Protection Board (EDPB) published on June 18, 2021.
The Council of State confirmed that the CNIL was competent to impose sanctions outside the European single window mechanism.
The case in point concerns the company Amazon online France, which has an establishment on French territory and processes the data of people residing in France.
The €35 million fine imposed in 2020, penalizing the use of cookies without user consent, has thus been confirmed.
On June 30, the CNIL imposed a penalty of 1 million euros on the company Total Energies Electricité et Gaz de France, in particular for not having respected its obligations regarding commercial prospecting and the rights of individuals.
On June 13, the CNIL launched a study on geolocation data collected by mobile applications.
As announced in its 2022-2024 strategic plan, the CNIL wishes to raise awareness among the public and professionals of the issues linked to the collection of geolocation data by mobile applications.
It is also a question of verifying the compliance with the GDPR of professionals in the commercial prospecting sector.
Europe:
The European Data Protection Supervisor (EDPS) expresses its concerns about the amendments to the Europol Regulation, which came into force on 28 June 2022.
The EDPS stresses that they weaken the fundamental right to data protection, do not ensure appropriate oversight of the agency and significantly expand Europol's mandate with regard to the exchange of personal data with private parties, the use of artificial intelligence and the processing of large datasets.
On June 14, the European Data Protection Board (EDPB) published its response to the European Commission's consultation on the creation of a digital euro.
On June 16, the EDPB adopted guidelines on certification as a tool for personal data transfers to third countries which do not provide an adequate level of protection.
The conference organized in June by the EDPS, followed online and in person by more than 2,000 people, concluded with critical observations concerning European cooperation in investigations.
For the EDPS, any good model should include strong collegiality mechanisms, and strategic inquiries could be conducted at a central level, which would overcome "problems arising from incompatible national legislation or disparate attempts at harmonization."
The Council of Europe has published a study on the Pegasus spyware and its impact on fundamental rights. It should be remembered that this spyware is also the subject of an investigation by the European Parliament.
The Consumer Protection Cooperation Network (CPC), in cooperation with data protection authorities, has approved five key principles for fair advertising to children.
The Swiss Federal Data Protection and Information Commissioner (FDPIC) advised Suva (the Swiss National Accident Insurance Fund, which provides healthcare coverage for its employees) to reconsider its decision to outsource the processing of its personal data to the United States, more precisely to Microsoft's cloud service, even though the data is hosted on a Microsoft server in Switzerland.
Transfers outside Europe are also at the heart of the recent decision of the Council of State of Belgium, which suspended a decision to choose an American contractor in the context of a public procurement procedure on the grounds that this authority did not sufficiently examine whether the contractor complied with the requirements of the GDPR, in particular the provisions relating to transfers.
The decision also calls into question further processing by another company, Smart Analytics, based in Russia (via GDPRhub).
Ten consumer associations, under the coordination of the European Consumer Organisation (BEUC), announced on June 30 that they are taking steps to ensure Google complies with the law: the tech giant would direct consumers to its tracking system when they sign up for a Google account, instead of providing protection of their data by default and by design, as required by the GDPR.
The post-Brexit reform of UK data protection legislation reached a new milestone on 17 June with the government's final response to its public consultation.
The document includes several reforms, such as removing the requirement to appoint a data protection officer, replacing the consent requirement with a right to object to tracking of internet users, and changes to the operation of the Information Commissioner's Office.
The Finnish DPA ordered a hospital to delete employee histories, location logs, and other personal data generated by the default location recording feature in Windows 10.
This setting violated the "data protection by default" principle of Article 25(2) of the GDPR (via GDPRhub).
The Italian data protection authority has fined a hospital €70,000 for sending two medical newsletters with the recipients in Cc instead of Bcc, thereby revealing their personal data (including health data) to all recipients without a legal basis (via GDPRhub).
On the same subject, Romania's DPA also fined a subcontractor responsible for implementing a marketing campaign €1,000 for sending a marketing email to 27 people without hiding their email addresses.
Recall that on April 29 Belgium ruled in a similar case that sending such an email did not constitute a security breach when fewer than 16 people were involved.
International:
Russia: A Moscow court has fined Google RUB 15 million for repeated failure to comply with the data localization rule.
Google had already been subject to an administrative sanction in 2021 for violating this same principle of the Russian law on personal data, which obliges companies to store the personal data of Russian citizens on the territory of the Russian Federation.
United States: The implications of the Supreme Court's decision overturning Roe v. Wade extend to data privacy issues.
The question concerns the attitude of tech giants towards authorities' access to fertility data.
This data can be revealed through sources such as browser history, searches, email and text logs, use of fertility apps and other commercial products that many users interact with daily.
This type of information has already been used by law enforcement as evidence in abortion-related cases, as The Register reports.
China: The New York Times publishes an investigation citing hundreds of documents detailing software purchased by China to sift through its vast surveillance databases to predict who will become a suspect or potential troublemaker.
Canada: Since June 16, a Digital Rights Charter has protected consumer rights and personal data and regulated artificial intelligence.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.