Determining jurisdictional and relevant laws
A decentralized and seamlessly interoperable metaverse will present challenges when you seek to determine “who” an incident impacts and which data breach notification laws attach to that individual. Depending on your operation in the metaverse, you should explore the use of Terms of Use, registration (for example, users could be required to “select a jurisdiction” when creating a profile/logging in), FAQs or technical controls to address this uncertainty.
Typically a jurisdiction’s data breach reporting laws turn on an impacted individual’s residency, the location of the incident, or the location of the relevant organization’s headquarters. This is a factual question which the complexity of dataflows within the metaverse can complicate. Platforms, operators and users can all be in different jurisdictions around the globe, VPNs may further obscure location, and users may not be required to register their physical location. It remains to be seen if existing laws will be adapted to meet this issue, or indeed if the metaverse itself will be further regulated to require, for example, geo-fencing of users based on their real-world jurisdiction.
Companies may also have to grapple with existing sector-specific incident/data breach reporting requirements (for example, where your services could be considered key pieces of national infrastructure, where they involve confidential communications services, or where you are providing certain financial, telco or health services). The key consequence is that even if a jurisdiction can be identified, a single cybersecurity incident in the metaverse may give rise to reporting obligations to multiple regulators concurrently within that same jurisdiction, each with its own thresholds, timelines and content requirements.
In the absence of clarity in a revolutionary world populated by avatars and virtual spaces, regulators and courts are more likely to hold ambiguity against companies than against individuals who come forward and can demonstrate harm, just as they did in the early days of the Industrial Revolution with the steam engines that threw off flaming embers.
Mitigating risks
- work with the platform operator and relevant third parties to establish an agreed-upon approach for determining the legal jurisdiction applicable to a user
- if appropriate, consider developing contractual (e.g. “by entering this site, you agree that the laws of England and Wales will apply”) and technical controls/accompanying FAQs (e.g. by having users indicate their jurisdiction at time of registering their avatar or otherwise entering a metaverse experience) to help establish a clearer indication of a user’s jurisdiction
- to the extent possible, maintain an accurate map of the data flow of information relevant to your products/services, including detail of data flows between multiple entities/third parties and jurisdictions
- be mindful of additional sector reporting obligations which may apply
Key legal risks / issues
- challenges when companies seek to determine “who” an incident impacts and which data breach notification laws attach
- typically, data breach reporting laws turn on an impacted individual’s residency, the location of the incident, or the location of the relevant organization’s headquarters – this may be followed as a rule of thumb unless relevant law provides otherwise
- consider developing contractual and technical controls, or perhaps even a self-declaration of a user’s primary residency (or technical means to determine a user’s physical location during use), to establish a clearer indication of a user’s jurisdiction
- maintain an accurate map of the data flow of information relevant to your products/services
- consider if any sector specific breach reporting requirements apply
Questions to consider
- can you determine relevant users’ locations or residency?
- if the position isn’t clear, can you work with the platform operator/relevant third parties to establish an agreed-upon approach for determining the legal jurisdiction of a user (e.g. by requiring self-declaration)?
- do additional sector specific reporting obligations apply?
Contact
Paula Barrett
Co-Lead of Global Cybersecurity and Data Privacy paulabarrett@eversheds-sutherland.com
Michael Bahar
Co-Lead of Global Cybersecurity and Data Privacy michaelbahar@eversheds-sutherland.com
Jonathan Palmer