The metaverse – where immersive, connected experiences will bring a sense of presence to the digital world – continues to take shape. As policymakers and product makers, it’s our job to keep up, no matter how fast things change. But how can we best empower users with data transparency in technology that's still being defined?

Luca Bolognini understands data privacy in the metaverse better than most. As President of the Italian Institute for Privacy and Data Valorisation, he’s at the forefront of data protection and has published several esteemed articles on the subject. Here, Luca gives his expert opinion on the legal and ethical responsibilities that businesses must consider, so that users can exercise their rights.

Before diving into the crux of the matter, can you tell us a bit about yourself and your background?

I divide my professional life between two "worlds". On the one hand, I founded ICT Legal Consulting, a leading digital law and cybersecurity firm in Italy. On the other hand, I am Chair of the Italian Institute for Privacy and Data Valorisation. I’ve written both heavy legal commentaries and lighter books. The last one, "The Art of Privacy", published in 2022, was about compliance, ethics, and data protection.

So, you’re a lawyer and researcher by trade – when did your interest in data and privacy begin?

Since my university days, I have always been fascinated by new tech regulations. I immediately focused on studying rules on privacy, personal data protection and digital marketing. When I was offered the chance to lead the formation of the Institute by several experts in 2008, I accepted immediately.

“We never focus on ‘as-is regulation’, we always strive to look beyond, at the rules of tomorrow.”

Can you tell us more about the Institute, why it was established, and what your main pillars of work are?

The Institute is now the leading think tank dedicated to advanced data protection studies in Italy. We conduct European research and innovation projects for large companies that require strong skills in ethics and digital law. Each year, the Institute's Academy trains thousands of data protection officers for free, thanks to Meta’s sponsorship. Now we’re considered the reference point in Italy for analysing and addressing avant-garde and complex legal issues in all things digital.

You’ve recently written a paper on the future of personal data in the metaverse. Could you share some insights from that with us?

Of course. The paper I co-authored with Marco Emanuele Carpenelli proposes a reading of the metaverse as a new dimension, enlivened by a continuous and vibrant flow of information and images. In terms of processing personal data under EU Regulation, we encouraged adopting a balanced, consciously optimistic approach.

“There’s an unmotivated distrust of the metaverse. We favour a more harmonious balance between the risks, benefits and opportunities presented by these new technologies.”

What responsibility — legal and just as importantly, ethical — should businesses consider when thinking about the metaverse?

The metaverse represents a reality that is both virtual and augmented. So, rights and opportunities for businesses and individuals can also be considered ‘augmented’ and the impact on users will also 'increase'. For this reason and with a view to greater accountability, companies must consider new methodologies to fulfil privacy compliance obligations.

So, what will that mean in terms of regulations?

This will require an even more intensive effort to implement the principles of ‘Data Protection by Design’ and ‘Data Protection by Default’ in Article 25 of the EU Regulation. I hope you know your EU Regulations! It will also be crucial to devise a new way of conducting data protection impact assessments (DPIAs) under Article 35 of the GDPR in such a way as to extend the analysis to the ‘person in a metaverse sense’.

How can we empower users with the ability to understand data collection, so that they can exercise their choice and control in the metaverse?

In my opinion, more effective awareness and training campaigns will need to be launched. For instance, we should encourage more dynamic ways of administering the information referred to in the EU Regulation. Perhaps the time will come to discuss the ‘Empowerment of Data Subjects’, rather than simply the empowerment of data controllers.

How can we best navigate the trade-offs between accounting for users’ needs and managing experts’ expectations from academia, civil society, industry, and government?

That's an interesting one. From my experience, these groups are united by the idea that integrating discussions, individuals, and sectors is crucial to unlocking the benefits that the metaverse can offer users. In fact, the metaverse cannot be built by a single company, and no single social network or single brand will own the metaverse.

“Through an open dialogue between lawyers and innovators, we can ensure the highest level of user protection and empowerment while balancing rights, freedoms and interests.”

In your opinion, what areas of the metaverse have the greatest potential to create value?

The metaverse will be the source of boundless new opportunities, including greater inclusivity, accessibility to rights and new ways of working. Companies that deliver the most innovative products and services will be able to tap into the true value of the metaverse. Handled correctly, the metaverse can help us transform our future for the better in terms of data and privacy.