Is Data Privacy a Concern in the Metaverse? Q&A With Smarsh’s VP of Information Governance

essidsolutions

Robert Cruz, VP of information governance, Smarsh, joins Neha Pradhan Kulkarni on Data Privacy Day 2022 to chat on how enterprises can navigate data privacy in the metaverse. They discuss what happens to data privacy and valuable information from the metaverse in case of a data breach, how the metaverse impacts identity and access management principles, whether consent applies to artificial intelligence (AI), and more.

In this edition of Tech Talk, Smarsh shares the steps companies can take to build a safe, privacy-sensitive, and regulated metaverse in the future. Cruz also talks about the ways in which users and companies both can take on the mantle of privacy.

Key Takeaways on How To Navigate Data Privacy in the Metaverse:

  • Data privacy in the metaverse will be dependent on the policies of those delivering the services 
  • Consent obtained by a human or an AI-driven bot will have the same legal obligations
  • Consider how applications in the metaverse are being designed to address the volume of data

Here are the edited excerpts from our exclusive interview with Robert Cruz of Smarsh:

1. The metaverse has taken the tech industry by storm. In our poll, 30% of IT participants picked the metaverse as the biggest tech trend for 2022. So, what does the metaverse mean for the technology industry?

Having been in Silicon Valley over a long career, I’d have to position the current state of the metaverse in a similar place to the early days of the web or smart phones – limitless possibilities, but with still unclear impact as a consumable concept. I’m certain that we will see a similar pattern emerge in 2022 of venture funds flowing into the sector until a clear use case, killer app, or prime targets of industries to be disrupted emerges. One of those industries is likely to be financial services, where disruption by FinTech entrants has already witnessed the exploding demand for cryptocurrencies and digital assets built on underlying blockchain and distributed ledger technologies. I’d imagine that these trends will continue to accelerate and augment traditional methods of service delivery, such as in the use of robo or virtual advisory services provided by established firms.

2. As the metaverse becomes commonplace and more data is collected, stored, accessed, and used, what happens to data privacy and valuable information from the metaverse in case of a data breach?

It depends on the underlying storage and data protection technologies that these applications are built upon. Blockchain offers inherent security advantages, but the respect and protections for data privacy will remain dependent on the practices and policies of those delivering these services and applications. 

Individuals interacting in a physical or virtual world will still have rights to information that is tied to them individually, and firms providing these services will have obligations to use information only for a stated purpose (presuming that we will continue to see more data privacy regimes similar to GDPR, CCPA and similar state laws around the US). 

For any provider of services or applications delivered via the metaverse leveraging legacy technologies, you will see an amplification of a challenge that they are already faced with, namely, dealing with an exploding volume and variety of disparate data. This will serve to drive greater adoption of public cloud infrastructure to provide the scale and leverage of data protection investments made by the cloud industry leaders.

3. The metaverse will allow a deep dive into a 3D virtual realm in which users adopt avatars, which could be used to hide identity. How does this impact identity and access management principles in the metaverse?

Anonymization to disconnect data from identified individuals is not new, and will continue to make sense in specific use cases, such as gaming or other consumer applications. However, in a business context, an individual is engaging with an assumption that there will be an exchange of value that carries rights and consequences, if one party violates the agreed-upon terms of that exchange.

If avatars are able to transact, it is completely within the interest of the other party in that transaction to ensure that the avatar can be associated to an identified individual, and that it would provide the appropriate access right protections to reduce the risk that the avatar was being used fraudulently or by an unauthorized individual.

When nothing else is certain, one can be confident that litigation and case precedents will emerge quickly here.

4. Conversational AI is currently colliding with the Metaverse as the primary interface. When conversational AI starts to process and request a user’s personal data, who has legal authority on that information? Does consent apply to AI?

It depends entirely on the privacy rights carried by that individual (for example, whether they are a CA or EU resident). How an individual provides consent differs depending on the specific privacy regulation, but it is generally provided for a specific purpose. 

For example, I consent to providing certain pieces of personally identifiable information to a financial institution if it pertains to the marketing or sale of a security because they have a regulatory obligation to do so. That requirement does not change if that personally identifiable information is obtained by a human or an AI-driven bot. 

Further, the obligation to use that information only for the stated purpose that the user has consented to does not change regardless of whether it is misused by an individual or an algorithm. In general terms, the information belongs to the individual, and their rights and recourse are defined by data privacy law (and will continue to be with new state privacy regulations).

5. How can users and companies both take on the mantle of privacy for developing technologies in the metaverse?

As noted above, it starts by understanding existing rights and obligations of personal data privacy under laws in the state/country/region where that individual resides. 

As we see very clearly today from practices of web advertisers and social media companies, some companies care more about data privacy protection than others, and have practices and policies that are clear, unambiguous and transparent to users. 

These practices shift demand, and some firms will continue to differentiate based upon treating data privacy by design and default (borrowing language from GDPR). Companies intending to participate in the metaverse would be wise to learn this lesson.

6. What steps will go a long way to build a safe, privacy-sensitive, and regulated metaverse in the workplace of the future?

  • Understand the rights and obligations of individuals under the applicable data privacy regulation (whether that is a physical being or a virtual representation associated with them).
  • Start with the assumption that rules that govern how individuals engage, interact, and transact do not change if they occur in a physical or digital universe.
  • Consider how these services or applications are being designed to address the volume and variety of information that will be generated.
  • As a consumer/user, recognize that some providers will care and invest more than others in the respect and protections provided for your information.

About Robert Cruz:

Robert Cruz is vice president of information governance at Smarsh. He leverages 20 years of experience in the domains of regulatory compliance, eDiscovery, and risk management to lead Smarsh efforts in presentations, content, and customer advocacy surrounding these complex use cases. Robert has spent his entire career in Silicon Valley and holds an MBA from the Stanford University Graduate School of Business.

About Smarsh:

Smarsh enables companies to transform oversight into foresight by surfacing business-critical signals in more than 80 electronic communications channels. Regulated organizations of all sizes rely upon the Smarsh portfolio of cloud-native electronic communications capture, retention and oversight solutions to help them identify regulatory and reputational risks within their communications data before those risks become fines or headlines.

About Tech Talk

Tech Talk is an interview series that features notable CTOs and senior technology executives from around the world. Join us as we talk to these technology and IT leaders who share their insights and research on data, analytics, and emerging technologies. If you are a tech expert and wish to share your thoughts, write to [email protected]
