Identification without redundancy in the metaverse: balance between public interest and GDPR requirements
DOI:
https://doi.org/10.21564/2414-990X.172.353393Keywords:
metaverse, avatar, personal data, biometric data, inferred data, personal data protection, General Data Protection RegulationAbstract
This article examines the phenomenon of the metaverse as an evolutionary stage in the development of digital conditions and its impact on personal data protection, criminal evidence, and legal liability. Attention is paid to the role of avatars as digital representations of users capable of revealing and generating biometric and inferred personal data. The limitations of traditional approaches to investigating crimes in metaverse environments, especially those focused on end-device data are analysed, and the need to shift toward environment-oriented methods of evidence collection is substantiated.
Author examines the significance of the General Data Protection Regulation (GDPR) as a substantive limitation on the gathering of criminal evidence, as well as the challenges to the principle of informed consent under the environment of platform dominance.
Based on a comparative analysis of GDPR implementation practices in the Republic of Croatia, conclusions have been drawn regarding the need to adapt legal mechanisms to new forms of digital interaction in the metaverse. This approach entails considering the specifics of automated biometric data processing, ensuring the principles of data minimization and proportionality, and integrating effective transparency and accountability procedures for businesses and technology operators in public and commercial spaces.
References
European Parliament & Council of the European Union. (2016). Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation). Official Journal of the European Union, L 119, 1-88. Retrieved from https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng.
Almomani, A., Al-Qerem, A., Alauthman, M., Aldweesh, A., Aoudi, S., & Salloum, S.A. (2025). Ethical Foundations of AI-Driven Avatars in the Metaverse for Innovation and User Privacy. IEEE Access, 13, 130610-130628. https://doi.org/10.1109/ACCESS.2025.3589714.
Stephenson, N. (2011). Snow Crash, Penguin Books Ltd., Bangalore.
Ludlow, P., & Wallace, M. (2007). The Second Life Herald: the virtual tabloid that witnessed the dawn of the metaverse (1st ed.). The MIT Press.
Interpol. (2023). Technology assessment report on metaverse. Interpol. Retrieved from https://www.interpol.int/en/News-and-Events/News/2022/INTERPOLlaunches-first-global-police-Metaverse.
Europol. (2023). Policing the metaverse: What law enforcement needs to know, an observatory report from the Europol Innovation Lab. Publications Office of the European Union. Retrieved from https://www.europol.europa.eu/publications-events/publications/policing-in-metaverse-what-lawenforcement-needs-to-know.
Gómez-Quintero, J., Johnson, S. D., Borrion, H., & Lundrigan, S. (2024). A scoping study of crime facilitated by the metaverse. Futures: The Journal of Policy, Planning and Futures Studies, 157, 103338. https://doi.org/10.1016/j.futures.2024.103338.
Harbinja, E., Edwards, L., & McVey, M. (2023). Governing ghostbots. Computer Law & Security Review, 48, 105791. https://doi.org/10.1016/j.clsr.2023.105791.
Bulgakova, D., & Bulgakova, V. (2023). The recognition of the deceased biometric data under personal non-property rights in terms of the General Data Protection Regulation. Bulletin of the Penitentiary Association of Ukraine, 1, 22-34. https://doi.org/10.34015/2523-4552.2023.1.03.
Sorrentino, G., & López-Guzmán, J. (2025). Rethinking privacy for avatars: biometric and inferred data in the metaverse. Frontiers in Virtual Reality, 6. https://doi.org/10.3389/frvir.2025.1520655.
Bulgakova, D., & Deruma, S. (2023). The liability of online intermediaries under European Union law. Kyiv-Mohyla Law and Politics Journal, 8-9, 1-43. https://doi.org/10.18523/kmlpj303154.2023-8-9.1-43.
Majcher, Klaudia. (November 23, 2023) 'A Data Protection Law Perspective on Sectional Coherence', Coherence between Data Protection and Competition Law in Digital Markets, Oxford Data Protection & Privacy Law. Oxford Academic. https://doi-org.ezproxy.its.uu.se/10.1093/oso/9780198885610.003.0007.
Cornelius, K., & Hermann, D. (2011). Virtual Worlds and Criminality (1st ed.). Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-642-20823-2.
Pandey, P. (2025). Bits and Bytes Betrayal: Unravelling the Dark Threads of Cybercrime in the Metaverse. In N. Pitropakis & S. Katsikas (Eds.). Security and Privacy in Smart Environments, 14800, 120-148. https://doi.org/10.1007/978-3-031-66708-4_6.
Agency for Personal Data Protection. (December 31, 2021). Decision on excessive processing of personal data of prize draw winners (National case reference: Decision 29-06-2022 (bank)). Zagreb, Croatia. Retrieved from https://azop.hr/wp-content/uploads/2022/09/Prekomjerna-obrada-osobnih-podataka-od-strane-banke.pdf.
Republic of Croatia. (2025). Regulation on organizing prize games (Pravilnik o priređivanju nagradnih igara). Narodne novine, No. 125/2025. Retrieved from https://narodne-novine.nn.hr/clanci/sluzbeni/2025_10_125_1785.html.
Bulgakova, D. & Bulgakova, V. (2023) Realisation of the Right to Personal Data Protection in the Court of Justice of the European Union practice regardless of DIGITAL RIGHTS IRELAND, GOOGLE SPAIN, SCHREMS, TELE2 rulings. Ukrainian Journal of International Law, 1, 53-62. http://dx.doi.org/10.36952/uail.2023.1.53-62.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 Дар’я Булгакова
This work is licensed under a Creative Commons Attribution 4.0 International License.
