Eye-tracking devices for virtual and augmented reality metaverse environments and their compatibility with the European Union general data protection regulation

Abstract

Even though the Metaverse from science fiction is not a reality yet, it is possible to take a glimpse into how it might look like. Several companies and platforms are currently working and developing their versions of how the Metaverse will look in a not-so-distant future. However, the current vision of the Metaverse does not only encompass software. A great deal of companies is complementing their Metaverse projects with Virtual and Augmented Reality devices such as headsets and glasses. In this line, one of the last technological advancements in virtual and augmented reality devices included the introduction of eye-tracking technology. However, when new and additional kinds of data are processed, emerging risks for data protection might arise. While there is an already incipient stream of scholarship that analyses the risks that eye-tracking devices might entail for privacy, such literature mostly focuses on the technical side. However, no scholarship, up to this moment, has examined such devices from a legal perspective and particularly from a data protection lens. This paper will, therefore, discuss the compatibility of eye-tracking devices for virtual and augmented reality environments with the European Union General Data Protection Regulation (GDPR). Being the GDPR considered a worldwide role model in terms of fundamental rights protection, the compatibility of such devices with one of the most severe data protection regimes will be put to the hardest test. The paper will do so by analyzing the state of the art of the technology, its use in headsets and glasses for virtual and augmented reality Metaverse environments, and the potential risks that such use might entail for data protection. After that, such risks will be confronted with the relevant applicable provisions of the GDPR. Finally, the paper will issue policy recommendations regarding the need for more interdisciplinary research on privacy-enhancing techniques to solve the privacyutility conundrum; careful monitoring of access to data by third parties, including data security and minimization requirements; more guidance from supranational Data Protection Authorities and more attention when designing privacy policies, especially for children.