Legal issues in the metaverse: Data protection in a new virtual world

Touted as the future of the internet and successor to the mobile web, the metaverse promises a new virtual world. It is the vision of several large tech companies that want to merge the real world with the virtual one. Facebook, for example, has rebranded its parent company as Meta Platforms and aspires to build a comprehensive virtual universe. Legislators are beginning to respond: the UK’s Online Safety Bill (enacted in October 2023 as the Online Safety Act 2023) imposes duties on user-to-user services that will also cover a fledgling metaverse, with the aim, among other things, of combating the distribution of illegal content there. But how should society react when a decentralised, autonomous metaverse is the new online reality and national laws no longer suffice? In the following, we point out some legal issues surrounding the metaverse and consider the problems raised from a lawyer’s perspective.

What is the metaverse?

The metaverse is the construct of a digital world in which people can immerse themselves by means of virtual reality (VR) and augmented reality (AR), letting them lead a kind of “second life”. They experience that virtual world through an avatar and can interact with every other participant in it. Separate virtual spaces within the metaverse are intended to offer numerous possibilities. Imagine, for example, a space that represents a virtual shopping mall, an area that can be visited to play games, or a virtual nightclub.

What makes the metaverse special is that it is meant to run without borders. Purchases in shops would then not be limited to the individual virtual space, but could be used across the entire metaverse – in every context and in every other virtual space. This is the essential difference to what the internet offers today. When you use tokens in a game at the moment, those tokens are basically limited to that game; you cannot usually use them to pay for something on another platform. In the metaverse, however, this is supposed to be possible. So the metaverse is a collective virtual world that contains a multitude of spaces which overlap without restriction.

At present, we can only speculate as to the real potential and the actual possibilities of the metaverse. It is conceivable that people will use VR to take their avatar into a virtual office to work, or that they will project digital holograms into their own homes. One early metaverse prototype that you may well have heard of is Second Life. Meta Platforms has also taken a step towards the virtual world with Horizon Worlds. So the metaverse is no longer just an idea, even if for now companies seem more interested in building a metaverse of their own that will dominate the market than in a single shared one. Either way, the vision behind the metaverse is becoming ever clearer and more tangible for the near future. And despite all this potential, there are plenty of legal questions.

The question of which legal regime applies seems particularly challenging. First of all, it is important to remember that the metaverse is meant to be accessible across national borders; according to the vision, in an ideal world everyone will have access to it. The main difference to a “normal” internationally accessible web platform lies in its decentralised nature and comprehensive interoperability. With this in mind, the question is how to reconcile all the legal systems involved within a single virtual world. In addition, hardly any existing legislation was drafted with a metaverse in mind, which raises the question of whether current regulations are suitable for adequately regulating a virtual world at all.

Given the current status quo in law,

  • existing international agreements, such as treaties or conventions under international law,
  • private international law,
  • the law of the user’s country of origin,
  • or the law applicable to the platform operator

are all arguably potential candidates for regulating the metaverse.

Regulating the metaverse: Treaties under international law and “metaverse law”

It would be conceivable to create a new international organisation as an association of all states that want to enable access to the metaverse. By means of international treaties, the participating states could create a separate legal construct for regulating the metaverse – a kind of “metaverse law”. However, treaties under international law tend to be less suitable, as they directly bind only the contracting states and rarely the companies or private individuals resident in them. For a treaty to also apply domestically, further steps would be required depending on the national law of each state. Moreover, the legal options for dealing with non-compliance with an international treaty are limited and not particularly effective. But legal certainty will be especially crucial in the metaverse, a place offering an alternative digital existence in real time. And the idea of accommodating the interests of every state in a single treaty text seems utopian. On the other hand, a separate legal regime for the metaverse would make it easier to handle, clearer, and more user-friendly. It remains highly questionable whether this goal can be achieved, but it is not completely inconceivable, as the example of the World Trade Organisation (WTO) shows. The agreements on which the WTO is based create a largely uniform legal framework for global trade, and the countermeasures its dispute settlement system authorises for non-compliance have proven comparatively effective (although that system has itself been weakened since the WTO Appellate Body ceased operating at the end of 2019). It is nevertheless one association of states that can serve as a model for a functioning global legal system.

Regulating the metaverse: Private international law

A solution could lie in private international law. Conflict of laws principles answer the question of which legal system applies in cases with connections to the legal systems of several states. Typical connecting factors – such as the habitual residence of the seller in contracts for the sale of goods under Art. 4(1)(a) of the Rome I Regulation – are in principle transferable to the metaverse. Private international law, however, only covers civil law scenarios; for criminal matters, the rules on the international reach of criminal law would have to be observed. Within those limits, it does seem conceivable to use private international law to solve legal questions that arise in the metaverse.

Regulating the metaverse: The user’s country of origin

The first question here would be: who is the user? Is it the avatar that “lives” in the metaverse? Or is it the person who controls the avatar from where they are in the real world? Since the avatar is only a digital embodiment of the real person behind it, it seems obvious that the focus should be on where the person controlling the avatar comes from.

As for data protection in the metaverse, the following question would arise: when would the General Data Protection Regulation (GDPR) apply? The GDPR’s territorial scope (Art. 3 GDPR) turns primarily on whether the controller or processor has an establishment in the Union (Art. 3(1)), and secondarily on whether a controller outside the Union offers goods or services to, or monitors the behaviour of, data subjects who are in the Union (Art. 3(2)); it is not tied to the data subject’s nationality or place of residence. If, however, the data subject’s country of origin were taken as the basis for deciding which law applies, then everything would hinge on that person’s permanent residence alone. If their permanent residence were in the EU, Union law and thus the GDPR could be applied.

Regulating the metaverse: The law applicable to the platform operator

Arguably, the individual platforms – those “virtual spaces” that users can enter in the metaverse – could be taken as the basis for deciding which legal system applies. One initial question here would be whether it is the company’s real-world headquarters that matter, or its headquarters in the metaverse.

If the company’s registered office in the real world were the starting point, the legal situation would be clear. US law would then apply, for example, in a virtual mall operated by a US-based company, while for a virtual co-working space operated by a company established in the EU, Union law could be applied, with the GDPR covering the processing of personal data. Following this logic, however, would at least render the “market place principle” of Art. 3(2) GDPR null and void. According to that principle, companies not established in the Union must comply with the GDPR when they offer goods or services to data subjects in the Union or monitor their behaviour there. If the applicable legal system were instead the law to which the platform operator is subject, this would not depend in any way on the data subjects themselves, but solely on where the company is based. Accordingly, there could well be an “exodus” of companies to whichever country has the least strict rules. Legislation such as the European Union’s Digital Services Act (Regulation (EU) 2022/2065) is designed to prevent exactly this: it establishes platform regulation for all providers offering their services within the European Union, regardless of where the company is actually based.

Assuming that, in the metaverse, it would be the location of the company that mattered, this would frustrate the principle of applying the law of the place where goods and services are offered. It is unlikely that the virtual world will contain state territories, which is why the “market place principle” becomes difficult to apply there: Union law, whose scope is defined by reference to a territory, could not simply be mapped onto a virtual space. What’s more, new companies could in theory be founded in the metaverse itself, making it impossible from the outset to assign them to a particular real-world territory. Such companies would simply have no corporate headquarters in the real world. Transferring the rules that apply to the analogue world leads to a dead end here.

What is personal data in the metaverse?

People would immerse themselves in the metaverse by means of VR and AR. From a development perspective, these two technologies are admittedly not yet mature enough to offer a truly immersive metaverse. Nevertheless, the IT industry has already brought so-called “smart cameras” onto the market, which not only record video but also extract further information from it on the device itself. Sensors integrated into the camera, the headset or the computer can likewise record and evaluate physical actions (in the spirit of “ubiquitous computing”, where sensing is built into everyday devices). This raises the question of whether facial expressions, gestures and body language qualify as personal data and whether their processing would be compatible with the GDPR, assuming the latter applied in the metaverse. This would be particularly relevant if facial expressions could be used to determine a person’s emotional state or their interest in a particular object, such as an ad in the metaverse. AdTech companies could then serve personalised ads on that basis.

Data is basically coded information. As to whether that data is personal in nature, the GDPR helps. Under the definition in Art. 4(1) GDPR, personal data is any information relating to an identified or identifiable natural person. By way of example, the provision mentions, among other things, “one or more factors specific to the physical, physiological, genetic, mental […] identity” of the natural person.

Since facial expressions, gestures and body language are visible movements of the body, these factors are specific to a person’s physical identity. As a rule, such factors can also be associated with a natural person – in the metaverse, if only indirectly via the account behind the avatar, which suffices for identifiability (see Recital 26 GDPR) – making the information personal data within the meaning of the GDPR. The data would therefore be subject to the provisions of the GDPR.

In addition, there are moral considerations as to whether facial expressions should be used at all to draw conclusions about a user’s personality, motivation, honesty, etc. Such analyses would profoundly interfere with the personal rights of users. Irrespective of whether a legal basis for lawful processing could be found (see Art. 6 GDPR), the question should be whether this should be permissible in the first place. Such facial expression data could also be classified as a special category of personal data under Art. 9 GDPR: biometric data falls under Art. 9 where it is processed for the purpose of uniquely identifying a natural person, and inferences about a person’s emotional or mental state may amount to data concerning health. Processing such data is prohibited unless one of the narrow exceptions in Art. 9(2) GDPR applies.

Under data protection law, who is the controller in the metaverse?

In a kind of codex for the metaverse – Tony Parisi’s “Seven Rules of the Metaverse” (2021) – seven attributes have already been formulated that are supposed to apply to the virtual world:

  • Rule 1: There is only one metaverse.
  • Rule 2: The metaverse is for everyone.
  • Rule 3: Nobody controls the metaverse.
  • Rule 4: The metaverse is open.
  • Rule 5: The metaverse is hardware-independent.
  • Rule 6: The metaverse is a network.
  • Rule 7: The metaverse is the internet.

The third rule in particular could pose problems as regards responsibility for data protection. If no one controls the metaverse, can anyone be held responsible within the virtual world for processes normally subject to data protection legislation? The rule almost implies that anarchy should prevail in the metaverse. But that cannot be the goal. Especially not when considering that the metaverse is supposed to enable a kind of “second life”. Even in a virtual life, interpersonal encounters need to comply with the legal framework, whether that means respect for fundamental rights or data protection.

Following on from the question of which legal regime should apply in the metaverse, the GDPR can be applied under certain circumstances. The controller under data protection law would then be the body which, alone or jointly with others, determines the purposes and means of the processing of personal data (see Art. 4(7) GDPR).

Space-related responsibility

It would be conceivable for responsibility for data protection to be “space”-related, comparable to the individual websites and platforms that already exist. Responsibility would then fall to whoever operates the space in which a person (in the form of their avatar) is currently present. If, for example, a user entered a virtual shopping mall, the mall operator would be responsible. But the question would remain as to who is responsible on the “roads” that connect the virtual spaces. Personal data will, of course, also be processed on those virtual roads: AdTech companies could use them to display personalised advertising posters or run promotional campaigns there.

Central responsibility for the metaverse

In order to simplify the web of responsibilities that would otherwise arise, there could be a case for establishing some form of central responsibility for the entire metaverse platform. The obvious question here is: who would ultimately be held responsible? Would there be a single controller for the entire metaverse? Or some kind of joint controllership shared by all companies operating in it? It would already be a challenge to establish whether a joint determination of the purposes and means of processing (see Art. 26(1) Sentence 1 GDPR) could realistically be made across everything the metaverse might contain. Moreover, under Art. 82(4) GDPR each joint controller can be held liable for the entire damage, so every controller would effectively answer for every misstep by another. The right of recourse in Art. 82(5) GDPR would presumably correct the resulting injustices only to a limited extent.

Access point responsibility

It would also be conceivable to determine responsibility under data protection law via access points. Access points here means internet access providers, such as DSL or mobile network operators; access point providers to the metaverse would then be those service providers that enable access to the metaverse via an internet connection. The problem is that this could balloon into unacceptably wide-ranging liability on the part of providers, who would become liable for virtually everything. On the one hand, it would be clear and easy for data subjects to find out who they can contact in an individual case. On the other, the solution would be inadequate because the access point provider merely enables entry into the metaverse and, like a mere conduit, neither determines the purposes nor the means of what is processed inside it. It is precisely within the metaverse that other providers operate, so it would be unreasonable to make access point providers solely responsible.


The legal issues surrounding the metaverse are complex. Much will depend on which legal system applies within the metaverse. This article has only presented initial assessments, shaped by the still abstract image of the metaverse itself. Beyond data protection, many other areas of law, such as criminal law or civil law, will also have to prepare for Web 3.0. In any case, the metaverse may take off sooner than expected, and it is crucial that we tap its potential. But even so, we cannot afford to disregard certain values – including the value system of our legal order!
