The Metaverse: The evolution of a universal digital platform

What is the Metaverse?

The Metaverse is still just an idea. What is the idea and what are the basic building blocks for it? The Metaverse will be the outcome of the convergence of a range of nascent and extant digital and online technologies. It may start off as a focus for gaming, virtual reality, digital meeting spaces, digital assets (such as non-fungible tokens - see our briefing, Anatomy of an NFT), and perhaps even brain-to-machine interactions, but it will not end with that. Its scope and impact may expand when Artificial Intelligence is included, and when data from the physical world is brought in via the Internet of Things (integrating humans as well as businesses in ever more digital / physical co-existence).

The Metaverse’s true potential lies, however, not in ever more convergence for its own sake, but in the outcome of that. It may evolve to become a universal digital platform for personal and commercial interactions – the platform replacing the current technology stack of the world wide web operating on top of the Internet - and become the source of the most valuable data about consumers available to the business world.

Why would the Metaverse be any different from the World Wide Web?

An Internet interaction today depends on a specific server communicating with another server or an end user device on an as-needed basis. The Internet simulates simultaneous interactions, but in reality they are different instances separated by fractions of seconds which, for the most part, we do not notice. The Metaverse will be more akin to simultaneous video calls in terms of user experience and interaction. In order words, simultaneous many-to-many communication.

To achieve that, different infrastructure will be required, perhaps on a distributed or decentralised basis. While based on Internet infrastructure, there are already successful distributed/decentralised computing models (for example, distributed ledger technology and cloud computing) that might point to the future of what the infrastructure might be like.

“The Metaverse will require countless new technologies, protocols, companies, innovations, and discoveries to work. And it won’t directly come into existence; there will be no clean ‘Before Metaverse’ and ‘After Metaverse’. Instead, it will slowly emerge over time as different products, services, and capabilities integrate and meld together.”²

What are the potential legal issues?

The revolutionary nature of the Metaverse is likely to give rise to a range of complex legal and regulatory issues. We consider some of the key ones below. As time goes by, naturally enough, new ones will emerge.

Data

Participation in the Metaverse will involve the collection of unprecedented amounts and types of personal data. Today, smartphone apps and websites allow organisations to understand how individuals move around the web or navigate an app. Tomorrow, in the Metaverse, organisations will be able to collect information about individuals’ physiological responses, their movements and potentially even brainwave patterns, thereby gauging a much deeper understanding of their customers’ thought processes and behaviours.

Users participating in the Metaverse will also be “logged in” for extended amounts of time. This will mean that patterns of behaviour will be continually monitored, enabling the Metaverse and the businesses (vendors of goods and services) participating in the Metaverse to understand how best to service the users in an incredibly targeted way.

Therefore, in the Metaverse, a user will no longer need to proactively provide personal data by opening up their smartphone and accessing their webpage or app of choice. Instead, their data will be gathered in the background while they go about their virtual lives. 

This type of opportunity comes with great data protection responsibilities. Businesses developing, or participating in, the Metaverse will need to comply with data protection legislation when processing personal data in this new environment. The nature of the Metaverse raises a number of issues around how that compliance will be achieved in practice.

Who is responsible for complying with applicable data protection law? 

In many jurisdictions, data protection laws place different obligations on entities depending on whether an entity determines the purpose and means of processing personal data (referred to as a “controller” under the EU General Data Protection Regulation (GDPR)) or just processes personal data on behalf of others (referred to as a “processor” under the GDPR). 

In the Metaverse, establishing which entity or entities have responsibility for determining how and why personal data will be processed, and who processes personal data on behalf of another, may not be easy. It will likely involve picking apart a tangled web of relationships, and there may be no obvious or clear answers – for example:

• Will there be one main administrator of the Metaverse who collects all personal data provided within it and determines how that personal data will be processed and shared?
• Or will multiple entities collect personal data through the Metaverse and each determine their own purposes for doing so? 

Either way, many questions arise, including:

• How should the different entities each display their own privacy notice to users? 
• Or should this be done jointly? 
• How and when should users’ consent be collected? 
• Who is responsible if users’ personal data is stolen or misused while they are in the Metaverse? 
• What data sharing arrangements need to be put in place and how will these be implemented?

Consent to marketing 

A key driver in the development of the Metaverse is its potential to enable new forms of marketing which are seamlessly integrated into the fabric of the Metaverse. For example, an individual heading to a store in the Metaverse might be shown deals on his/her favourite products in real time as he/she is browsing the shelves based on his/her previous behaviour. 

This is likely to constitute direct marketing under many countries’ data protection laws, which could require the consent of the Metaverse users. 

The precise nature of the obligations would likely depend on whether the brands themselves instigate the marketing and how the marketing is presented, including whether the presentation of marketing is more akin to online behavioural advertising or social media marketing (where a network of participants operate to present relevant advertising). 

However, in all cases, thought needs to be given as to how and when any required consent would be collected and, in particular, whether “real world” consent can be relied on by brands in the Metaverse and vice versa. 

Data sharing

To enable interoperability, data collected by one entity in the Metaverse may have to flow seamlessly between different operators and even platforms. As interoperability improves and the consumers are allowed to move digital assets and avatars between platforms and across the Metaverse, software developers and brands will need to establish bilateral or multilateral data sharing agreements to improve the seamlessness of the consumer experience. 

This is not altogether different from the current environment in which databases are bought/sold, but there are conditions which must be met first. 

For example, one requirement under many data protection laws is that the receiving party’s privacy notice must be provided to an individual shortly after it receives the data to explain to the individual how their personal data will be processed. These conditions will become increasingly difficult to meet in the Metaverse, where data exchange is rapid and involves a multitude of participants. 

One solution to this might be for a central administrator of the Metaverse to give users a clear description of how their data will be used and (if necessary) the opportunity to give consent for various uses. However, data protection regulators have expressed distaste for this type of “catch-all”, bundled approach. 

These types of objections are likely to be more forceful in relation to the Metaverse, where the amount of data collected and complexity of data sharing networks is significantly greater in scale.

Data export and localisation

“Seamlessness” in the Metaverse demands that data crosses boundaries at speed and without friction. It will be challenging for organisations and/or central Metaverse administrators to manage this while the rules around data export and localisation are becoming increasingly strict. 

Many countries are also beginning to roll out “data localisation” laws which can impose onerous restrictions on data leaving the country in which it was collected (see our publication, Free Flow of Data). It would not be surprising to see developers and/or brands getting together to try and agree large, overarching data sharing/export agreements, although how feasible such initiatives might be remains to be seen. 

Responsibility for data breaches and cyber-attacks

As with any online platform, the Metaverse will face the usual challenges of fending off cybersecurity incidents and data breaches. However, in the Metaverse these types of attacks may also take more ‘sci-fi’ type forms through deep fakes and hacked avatars. 

These types of incidents may therefore be harder to identify, verify and bring under control, and it may also be difficult to ascertain where responsibilities lie in respect of breach notification to users and data protection authorities, given the complex web of relationships that entangle the Metaverse.

Decentralised / distributed models

The discussion on data, above, underscores a number of competing tensions that will need to be addressed in the Metaverse:

• Participants will want a seamless experience in traversing the subsystems of the Metaverse. 
• The platform technology itself may be decentralised. How will data sharing and a seamless user experience be possible in such circumstances if there is not central co-ordination by, say, an administrator? How will vendors who do not know each other and may have no commercial connection co-operate in relation to the exchange of data?  
• Vendors will want to have customer “ownership”. To do that, they may want their own terms and conditions to which a participant subscribes. Will this mean that large areas of the Metaverse will be gated (greatly reducing the user experience)? At the moment, if we want access to the world wide web, we subscribe to an ISP’s terms and conditions for that access, but such terms and conditions do not prescribe the terms applicable to our access to particular websites on the world wide web. We are used to “partitioned” access to websites, governed by separate clickwrap or webwrap terms and conditions. As that approach does not lend itself to seamlessness, how will it be addressed in the Metaverse? Universal terms and conditions seem unlikely, so would technology provide the solution (for example, self-executing smart contracts)?

Competition Law

Competition law issues may arise as a consequence of both developer and participant conduct. Businesses developing Metaverse products and services on their own are unlikely to face antitrust concerns. However, the global and interoperable nature of the Metaverse will inevitably encourage multiple businesses to communicate and co-operate with each other in order to provide greater choice and a better experience to participants. Where they are competitors, communications or co-operation between Metaverse offerings could give rise to antitrust issues, which will need to be examined with caution. 

For example, while co-operation among competing Metaverse businesses to facilitate interoperability will most likely be viewed as pro-competitive, any sharing of competitively sensitive information (especially pricing) or agreeing on separate areas of focus and development could constitute serious antitrust infringements and lead to high fines. 

To mitigate this risk, Metaverse businesses will need to implement competition policies and training programmes, not only for their employees but, potentially, for certain Metaverse participants as well. 

Similar to other online gaming platforms, participants in the Metaverse could engage in conduct that would contravene antitrust laws in the real world. Where online products and services hold real-world value, real-world antitrust laws (such as the prohibition on cartels and joint boycotts) will also apply, which could have both civil and criminal consequences for those participating.

Social Media Regulation

Will social media regulation impact upon Metaverse stakeholders? It is difficult to speculate, so far in advance, on what the legal position will be in relation to the Metaverse when social media itself is not yet much regulated globally.

BigTech, as incumbents, have a particular interest in the evolution of the Metaverse. Some commentators are calling for tougher regulation in order to make BigTech more accountable for content that appears on their platforms.

Intellectual property rights

If you collaborate with others to generate intellectual property rights, who owns the created rights?  Principles of joint authorship and co-ownership are complicated, and their application will become more so in complex virtual world scenarios where a community of stakeholders may have been involved.

It is for these types of reasons that the European Commission is considering legal reforms to clarify the position on “co-generated” data arising out of new technologies, as well as in relation to machine-generated data. Metaverse stakeholders will need to navigate these kinds of issues when participating in the Metaverse.

An IPR licence is a permission to do that which would otherwise be forbidden by intellectual property rights. The fast-moving world of the Metaverse may involve character “mash-ups” and the bringing together of intellectual property rights owned by separate stakeholders. Infringements caused by “use in combination” with other intellectual property rights is a typical carve-out in indemnities included in licences for intellectual property, but “use in combination” is precisely the kind of scenario that the Metaverse will bring about. Traditional risk allocations in IPR licences will need to be reviewed, as will scope of use provisions.

European Regulatory Initiatives

Some recent European legislative initiatives illustrate the kind of approach that regulators might take in dealing with the Metaverse (of course, the legislation might be in a very different form by then).

The Platform to Business Regulation

The e-commerce aspects of the Metaverse would be subject to laws that regulate e-commerce in Europe. The EU Regulation on Promoting Fairness and Transparency for Business Users of Online Intermediation Services (Regulation (EU) 2018/0112), known as the “Platform to Business Regulation” (P2B Regulation), deals with harmful trading practices by providers of online intermediary services (including online marketplaces, social media platforms and search engines) when dealing with their business users (that is, vendors). Its purpose is to establish a fair, predictable, sustainable and trusted online business environment, by enhancing transparency and redress obligations for business users (that is, vendors) of online platforms. As there will be a multiplicity of vendors operating in the Metaverse, regulations like these will be important.

Among other things, the P2B Regulation imposes requirements on digital platforms in relation to vendors whose content they carry or host (or whose goods or services are sold on the platform) to:

• Provide a description of any differentiated treatment which the platform gives in relation to goods or services offered to consumers by itself, on the one hand, and by other vendors, on the other hand.
• Not terminate a vendor’s participation on a platform without clear reasons, and to provide a right of appeal thereafter.
• Disclose the parameters that the platform uses to rank vendor goods and services in terms of search results.

Digital Services Act 

The European Commission (EC) has proposed a new piece of legislation, the Digital Services Act (DSA), whose aim is to increase the transparency and safety for users in online environments and to allow innovative digital businesses to grow. 

A key aspect of the DSA is to introduce liability and safety rules for digital platforms, services and products, and that raises the issue of how to strike a balance between:

• Ensuring digital intermediary service providers are held responsible for content moderation, data sharing and usage, and regulatory oversight.
• Avoiding imposing unreasonable penalties on service providers. 

Vendors operating in the Metaverse should expect to navigate the same kinds of issues.

Digital Markets Act

The EU’s Digital Markets Act (DMA) will:

• Create a new framework to identify gatekeeper platforms.
• Require or proscribe certain gatekeeper practices.
• Give the EC new powers to conduct investigations and impose both behavioural and structural remedies, such as divestitures.

According to the EC, gatekeeper platforms benefit from extreme scale economies, very strong network effects, a significant degree of user dependence, lock-in effects, a lack of multi-homing for the same purpose by end users, vertical integration, and data driven-advantages.

These characteristics make users vulnerable to practices that can substantially undermine the contestability of “core platform services” and lead to unfair treatment of business and end users.

The EC has identified the core platform services on the basis that these services are typically controlled by highly concentrated multi-sided platforms who act as gateways for business users (vendors, in the Metaverse context) to reach their customers and vice-versa. 

According to the EC, the gatekeeper power is often misused by means of unfair behaviour vis-à-vis economically dependent business users (vendors) and customers, leading to barriers to entry and weak contestability of the markets for these services. 

Gatekeepers would be subject to a range of enforceable obligations in Article 5. Of particular relevance in relation to the Metaverse are that gatekeepers must:

• Refrain from combining personal data sourced from their core platform services with personal data from other services offered by the gatekeeper or from third-party services or from signing in end users to other services to combine personal data without consent. As noted in our discussion of data earlier, the sharing of data within the Metaverse would be a key way of creating seamlessness of a participant journey through it, so such a prohibition would have significant consequences in the absence of such consent.
• Allow business users to promote offers to and conclude contracts with end users, and allow end users to access and use content, subscriptions, features or other items from the business user, via the business user’s app on the gatekeeper’s platform, regardless of whether the end user uses the gatekeeper’s core platform services. As noted in our discussion on decentralised / distributed models earlier, gating subsystems in the Metaverse with separate terms and conditions could impact upon the seamlessness of a participant journey.
• Refrain from requiring business users to use, offer or interoperate with an identification service of the gatekeeper. In general, identity passporting across the Metaverse will be a key issue, and one that touches on the extent to which Metaverse stakeholders can own customer relationships.

See our blog, Shaken, not stirred: EU mixes big tech regulation and antitrust, for more detail about the DMA.

Proposed EU AI Regulation

The European Commission has published a proposal for an AI Regulation (see our blog, EU proposes new artificial intelligence regulation). Many human interactions within the Metaverse may be enabled through artificial intelligence. The regulation would prohibit certain AI practices and require providers and users (among others) to comply with various obligations in relation to high risk AI systems, and to comply with transparency obligations.  

If much human/system interaction is seamless, and is to driven by AI, within the Metaverse (particularly any AI interpreting or manipulating human responses or simulating reality through “deep fakes”), relevant stakeholders should expect that they will need to comply with regulatory requirements of this type in the years ahead.  

Other issues

As aspects of the Metaverse materialise, so too will other legal issues we cannot yet foresee. We can, however, expect that Metaverse stakeholders will need to deal with the full range of other issues that would apply in any trading and digital context, such as anti-money laundering issues, sanctions and technology export restrictions, financial services regulation, infringement of intellectual property rights, etc.

The Universe is expanding. One day that might also be true of the Metaverse.