What if Lewis starts to feel peckish and glances towards the bakery whilst wearing the headset? What if he sneezes? Would the technology monitor his eye movements and realise that he is hungry and unwell? How will data protection laws deal with the processing of this data (particularly special category data) when it is provided passively by the user?

One of the most exciting aspects of spatial computing devices is their ability to allow users to interact with the world around them on another level than we do now. Spatial computing technology incorporates augmented reality (AR), virtual reality (VR) and mixed reality (MR). AR overlays digital content onto the real world, normally using a tool (for example a mobile phone). VR traditionally creates a fully immersive digital environment which completely replaces the user’s actual surroundings. MR overlays digital content onto the real world and enables the physical and digital elements to interact.

To provide Lewis with the MR he experiences when wearing his headset, the different sensors process data from Lewis’ surroundings, and in turn they will be processing data from Lewis himself.

In the example above where Lewis looks at the bakery because he’s hungry, eye-tracking technology may monitor his gaze and can then use this information to infer that the wearer of the headset (Lewis) is hungry. It may then show him advertisements for other restaurants nearby. Similarly, sneezing while wearing the headset may allow the technology to infer that Lewis is unwell, and show him pharmacies nearby or advertisements for health remedies.

These considerations are much more prevalent for providers of such devices because of the unprecedented nature of collecting data in this way. Users of spatial computing devices may be using them for long periods of time, allowing providers and any other businesses on the platform, like advertisers and vendors of goods and services, to build up a pattern of their behaviours very quickly, and to understand how best to personalise content for users with things that they may be interested in.

We set out a few issues that parties in a spatial computing technology universe will need to consider regarding data protection obligations: 
 

Responsibility

With so many different entities involved in the creation of the immersive content, how will the roles of data controllers and data processors be delineated? 
It’s important for companies to understand their role in relation to any personal data which they process through spatial computing technology, as it will affect their obligations under data protection legislation, including the GDPR, and how they comply with those obligations.

Joint controllers
 
If two parties together determine the purposes for which and the means by which the data is processed, they will be joint controllers.
Determining these roles will then allow providers to work out who is responsible for the rest of the issues we consider in this article. 
Because of all the different relationships in a spatial computing technology environment (the hardware manufacturers and software developers, the third party platform users and the advertisers), there may be no clear answer to the questions above. Manufacturers and developers may have to consider if there will be one main controller who collects the personal data provided and decides how that personal data will be processed, or if the different entities will all collect personal data and determine their own purposes for processing it.

Special category data 
 
Some types of data, such as anything relating to someone’s physical, physiological or behavioural characteristics, have more stringent obligations attached to collecting and processing them. So when Lewis sneezes and the headset collects this data and processes it to first infer he is unwell and then to target him with relevant content (like advertisements for medicine), this will be processing data relating to Lewis’ physical health.
 
Because the technology is being used to learn about Lewis and make decisions about the state of his health, it will be considered special category data under the General Data Protection Regulation (GDPR).
 
Controllers will need to consider how they will satisfy the extra conditions to process such data, how they will go about informing users that this type of data is being processed, and how they will collect consent from users to process the data. 
 

Consent

The obligation to tell individuals what you are doing
 
Companies need to give individuals using the technology information about what data they collect, how they collect it and what they use it for. The information should be concise and easy to understand. The easiest way to do this is to include the information in a privacy notice and provide a clearly signposted link to it in an explicit consent statement.
 
Note that valid consent under the GDPR has to be:
  • Freely given: users should have a genuine choice and control over how their data is used. If there is no “real” choice, the consent isn’t freely given and so won’t be valid (note an exception to this is if consent to the processing is necessary to use the service i.e. if users do not give consent, it is not possible for them to use the service; providers will need to consider if consent is a condition of the service or not).
  • Specific and informed: users should be told who the controller of their personal data is, what specific processing operations will be performed on their data and about their right to withdraw their consent.
  • Indicated by an unambiguous action: consent should be collected by the individual taking a deliberate and specific action to “opt-in” or agree to the process, like ticking a box.

Entities will also need to give some thought as to how consent will be gathered practically, such as:

  • how privacy notices will be displayed to the user in the device;
  • whether the user will be shown one joint privacy notice to cover all controllers and their respective processing activities, or whether they will be shown an individual privacy notice for each controller;
  • when the privacy notice(s) will be shown to the user i.e. when they first put the headset on; and
  • how and when the user will be shown the consent statement.

Consent must also be given by the user for direct marketing e.g. if Lewis goes into his favourite store, his headset may display deals on products he is looking at currently or based on his previous buying habits. Who has to gather the consent depends on whether the brands themselves are delivering the marketing. Entities will have to establish who has responsibility for this activity to ensure all parties are adhering to their obligations under data protection law as well as other consumer law obligations.

Marketing to children 

Marketing to children is much more strictly regulated in many countries. In general, if you want to rely on consent to process a child’s data, parental consent must usually be given. Entities will need to consider how parental consents may be verified in practice. 

Further, the cut-off age for a “child” is different in some countries and entities should be aware of this. One method to ensure parental consent is being gathered where necessary is to use age gating measures to estimate or verify the age of a user.

A positive step entities can take is to include a “Children’s data” section in their privacy notices and describe the specific protections they use to protect children’s data.

In general, if considering offering spatial computing technology services to children, you should be aware of the Children’s Code and the Age Appropriate Design Code.

Take a look at our IP article and liability article for further discussions about the legal issues involved in spatial computing tech.

 
