While AI is grabbing many headlines, the metaverse and its immersive experiences are starting to be used by big brands. While to some the metaverse seems futuristic, we need only think of the rapid take-up of video technologies during the recent lockdowns or the explosion of ChatGPT and other AI tools to see how quickly new technology can become mainstream. Given the pace of change and the potential opportunities this new technology presents, what are the workplace privacy issues employers should bear in mind?  

As with all new technology, there are emerging issues and risks.  

In a workplace privacy context employers will need to consider: 

• What data is being collected?  
• Is the data personal data?  
• Is an employee’s avatar personal data?  
• Are any new types of data being collected? What about empathic data from wearable technology, such as heart rate, voice intonation, and pupil dilation data?  
• What data can the technology collect? Will all this data be collected?  
• Is too much data being collected?  
• How will the employer access this data and what will it be used for?  
• Are any inferences being drawn from this data? Is such usage intrusive or unfair?  
• Is data being stored? If so, where and for how long?  
• What security measures are in place to ensure personal data and potentially sensitive personal data is secure?  
• What privacy notice will be used to cover the metaverse? Would it be considered transparent by a regulator?  

This is just a selection, and it’s certainly a long list. But employers can take comfort from the fact that a lot of these issues can be addressed by going back to basics and considering fundamental data protection principles. Thinking about the metaverse and these data issues in this way, and not being overawed by the novel features of the technology, will help businesses to identify how best to ensure any metaverse project is compliant from a data privacy perspective.    

Here are some tips for employers thinking about implementing a virtual workplace. 

• Consider engaging with your employees, Work Councils, and Trade Unions early in any project to gauge interest, address concerns, identify volunteers and set up a pilot group. Ensure an ongoing dialogue and that employees have the opportunity to provide feedback and raise any concerns about the metaverse (in general) and how any personal data will be processed (in particular). It should be clear that employers expect the same level of behaviour whether working virtually or in person, and all workplace policies and notices should be updated to provide details covering any metaverse project. It may be beneficial to set out the perceived benefits for your employees as well as for the business. These could include providing a more realistic environment for global employees, improving cohesion, allowing for ‘water cooler’ chats or being among the first adopters of cutting edge technology. The element of trust in the employment relationship is key to implementing new technology and the metaverse is no different. 

• Be sure to consider all the data protection principles, and to address each of them in turn. This exercise could provide the basis for a useful FAQ resource for employees. It is an opportunity to demonstrate that you take the protection of personal data seriously and want to be transparent about what you do with it and what you will use it for, while reminding employees how they may exercise their rights.  
• As always, it would be good practice (though probably not a legal requirement) to undertake a data protection impact assessment. This is a risk assessment setting out the detail of a project, identifying risks that could arise, assessing such risks and looking at mitigating factors, feeding into the decision-making process about whether a project should go ahead. Once again, this would be an opportunity to engage with your employees, agree parameters, and address concerns, helping to build a trusted environment while also demonstrating compliance. It shouldn’t be forgotten that just because technology can do something, this doesn’t mean it should be used in this way. 
• Carry out robust due diligence on any third-party service provider that is involved. Given the hardware and software associated with the metaverse, most businesses will need to engage a third-party provider. Your due diligence should be thorough and you should seek contractual assurances to ensure you know what data is being captured, which options you have around data capture and access, where the data will be stored (and for how long), and what security measures are in place.  

In summary, before you jump into the metaverse make sure you engage with your employees, explore the opportunities and address the challenges this new technology brings.