Metaverse in 2023: legal considerations and actions

Now we are well into the new financial year, it is a good time for Australian companies to reassess their metaverse strategies. While generative artificial intelligence has stolen the spotlight and continued to gain momentum, the metaverse remains relevant and is likely to present additional opportunities as its underlying technology develops.

There is not a universally accepted definition of the metaverse, but it is generally known as expansive and immersive digital space where users can interact with each other, engage in activities and access content through virtual reality or augmented reality technologies.

Since 2022, we have seen increasing coordination by organisations and companies to develop open interoperability standards essential to fostering an open and inclusive metaverse. This includes the Metaverse Standards Forum, which is comprised of various exploratory and working groups on issues such as Digital Asset Management, Real/Virtual World Integration, 3D Web Interoperability and Privacy, Cybersecurity & Identity.

In this article we consider the key legal issues and actions that Australian companies, or companies transacting with Australians, should consider when tapping into the vast potential of the metaverse.

Key legal considerations

In Australia, there is currently no metaverse-specific legislation. Governance of the metaverse relies on existing laws.

The relevant areas for companies seeking to engage in the metaverse include:

1. Privacy and cybersecurity

Given the significant amount of data (both personal and non-personal information) generated by and transferred over the metaverse, it is paramount that companies engage with the metaverse in a safe, secure and privacy compliant manner.

Actions:

• Identify relevant privacy requirements – With the elimination of geographical and physical boundaries, companies may be subject to multiple privacy regimes. In Australia, due to the expanded extraterritorial effect of Australia’s Privacy Act 1988 (Cth) (Privacy Act), companies which engage with Australian individuals through a metaverse platform may be subject to the Privacy Act, even where the company is not based in Australia. This may also be the case for many non-Australian privacy regimes, creating an array of potentially applicable privacy laws for actions in the metaverse.
  

• Uplift cybersecurity capabilities and practices – Companies should consider adopting cybersecurity safeguards that are commensurate with the amount and sensitivity of information generated and transferred when they engage with a metaverse platform.

• Develop future-proofing strategies – Companies should review their metaverse strategies against present and developing privacy requirements, including reforms discussed in the Privacy Act Review Report. One of the proposed changes is the expansion of ‘personal information’ to include information ‘relating to’ an identified or reasonably identifiable individual, which may capture technical information about an individual’s actions on metaverse platforms (e.g. IP address or hardware used to access the metaverse).

2. Financial regulations

Cryptocurrency, non-fungible tokens and other crypto assets are indispensable elements in facilitating transactions on metaverse platforms. As we have discussed, companies should keep up to date with crypto regulations that are developing in Australia and abroad.

Actions:

• Identify relevant financial regulations – Companies and metaverse platform providers utilising crypto assets should consider whether the developing range of domestic and international regulations may apply to their actions.
  
  
• Review ASIC guidance – Companies and metaverse platform providers should also review ASIC Information Sheet 225 to assess whether their proposed arrangements relating to crypto assets align with ASIC’s expectations, including in relation to when a crypto asset may be a financial product or where representations in relation to crypto assets may amount to misleading or deceptive conduct.

3. Content regulations

Australia’s Online Safety Act 2021 (Cth) (OSA) regulates online service providers. Metaverse platform providers rendering ‘social media services’ may be captured. Platform providers may also require their user companies to assist with their compliance of the OSA through platform terms of use and codes of conduct.

Actions:

• Develop monitoring ability – Metaverse platform providers should strengthen the ability to monitor actions on their platforms, and to comply with ‘take-down notices’ issued by eSafety Commissioner requiring the removal of offensive content.
  
  
• Comply with the ‘basic online safety expectations’ (BOSE) – Metaverse platform providers should also comply with BOSE, which include taking reasonable steps to:
  
  
  • ensure users can access the service safely;
  • minimise the provision of harmful content (e.g. cyber-bullying material); and
  • provide users with a complaint and reporting mechanism.
    

4. Metaverse contracts

Where contracts are formed in the metaverse, the counterparty (with the use of avatar) and the applicable governing law/jurisdiction may not be apparent. Some consumer protection regimes may also imply terms into consumer contracts (e.g. warranties as to the quality or nature of the goods or services provided) that cannot be excluded by law.

Actions:

• Uplift contract templates – Companies should uplift their contract templates to address metaverse specific requirements and risks.
  
  
• Review terms and conditions – Companies should ensure that they have in place terms and conditions which govern third party’s engagement with the company in the metaverse and allocate liability and risk that may arise from this engagement. For example, where a metaverse user brings a digital asset into the company’s space on the metaverse which breaches the IP rights of a third party, the terms and conditions for access to the company’s space may provide that the company is not liable for any claims in relation to this IP infringement.

5. Intellectual property

As the metaverse involves substantial creation, trade and display of digital assets, companies should rethink their intellectual property (IP) protection and commercialisation strategies.

Actions:

• Review existing IP portfolio – Companies should consider whether currently registered trademarks extend to the use in a metaverse context.
  
  
• Review licensing arrangements – Companies should review their licences to ensure they are allowed to use third-party IP in a metaverse context.
  
  
• Adopt effective IP protection strategies – As the dissemination of counterfeit digital assets is easily repeatable (e.g. sharing a file containing a counterfeit digital asset can be done near instantly and infinitely), IP infringement is likely to rise with the increased use and value of digital assets in the metaverse. Companies may consider establishing a presence in the large metaverse platforms or engaging a third party to do this, to review these platforms for conduct which may infringe the company’s IP.

What’s next?

Although popular focus has shifted to generative AI in recent months, there is a real risk in dismissing the metaverse as a passing fad.

As the underlying technology continues to evolve (including through the use of generative AI), organisations are likely to find real opportunities to drive customer engagement and revenue through their metaverse presence. Watch this space.