Working in the metaverse: What legal issues do virtual and augmented reality create?

 What employers need to know now about new work with digital twins.

Working in the metaverse: What legal issues do virtual and augmented reality create?

In recent years, HR has seen the rise of new technologies at an immense speed. To avoid being overtaken, companies need to examine the business opportunities offered by the metaverse while also keeping an eye on changes to the way we work. We describe the pitfalls arising from copyright and labor law as well as data protection.

Visualization makes understanding information easier and more efficient

Virtual reality (VR) solutions let users immerse themselves into a computer-generated virtual environment. In contrast, augmented reality (AR) and mixed reality (MR) applications supplement the real environment with additional content. One example is the use of data glasses to project maintenance instructions onto a machine. Even entire production plants can be mirrored as digital twins in order to test and optimize logistics processes or material supply before the plant goes into operation. In the case of operational production facilities, artificial intelligence can utilize the virtual twin to track the history of a defective product. For example, it can identify which batches are defective because of an excessively high operating temperature. Or determine how these defects can be prevented in the future. The metaverse enables employees to communicate with each other as avatars and involve remote experts to analyze the physical characteristics of a car or machine using a 3D model and identify any potential for improvement in the process. This requires less work and lowers costs in comparison to working with real prototypes. At the same time, it also represents an interesting option in view of the shortage of skilled workers by significantly expanding the recruiting radius. In all likelihood, application processes will increasingly move into the metaverse: This will enable job seekers to gain a virtual first impression and tour their potential employer’s offices or production.

However, legal risks also lurk. We describe dos and don’ts that companies need to consider when deploying VR, AR and MR software in the workplace:

  1. Copyright also protects virtual works
    When providing software and digital content, the rights of use always have to be regulated. As such, the supplier of a VR or AR solution must ensure that the necessary rights of use and consents from authors or persons depicted have been obtained. The same applies to elements of well-known brands or photos of well-known buildings, for example. Working on 3D models in virtual reality environments involves another consideration: If users create something new alone or in collaboration with others in virtual space, this can also constitute the creation of a copyright work.
  2. The user is generally responsible for data protection
    One thing that almost all VR/AR solutions have in common is that they process personal data. Applications in the metaverse capture facial expressions, gestures or physiological reactions to certain content, for example. In the business sector, this must take place in compliance with data protection regulations: for example, when managers want to experience the day-to-day work of employees in contact with customers or when maintenance technicians work virtually on a complex machine at the customer’s premises. In the case of an assessment center or VR/AR training courses in connection with a qualification certificate, the parties involved are usually aware that the General Data Protection Regulation (GDPR) has to be complied with. In contrast, engineers or product designers collaborating in virtual spaces on digital twins are less familiar with this issue. The same applies when technicians document joint maintenance operation carried out by an on-site technician and a remotely connected specialist.As a rule, the users of VR/AR software are responsible for the data protection. Therefore, they are required to check whether the company-specific use of the specific solution is complies with the GDPR. The existence of a legal basis is the primary issue. If employee data is processed, the legal basis is frequently Section 26(1) of the German Employee Data Protection Act (BDSG). In other cases, the employer’s legitimate interest is frequently used as a justification in accordance with Art. 6(1)(1)(f) of the GDPR. However, it is not sufficient for employers to simply refer to these regulations, as is often the case in practice. Instead, each individual case requires a specific and, sometimes complex, risk analysis, which the company is also required also document. As a rule, employers should refrain from relying on the employee’s consent pursuant to Art. 6(1)(1)(a) of the GDPR, as this consent cannot generally be regarded as voluntary as it is part of the employment relationship. Furthermore, employees can revoke their consent at any time for the future.
  3. Caution with data processing in “third countries”
    From a company’s perspective, the location where business-related personal data is processed is critical. This is particularly important if the data is not processed on the end device itself but rather on a server run by the provider of the VR/AR software. If this server is located in a third country outside the EU as defined by the GDPR and is not in a country which possesses an adequate level of data protection in accordance with the decision of the EU Commission, the special regulations on cross-border data traffic apply pursuant to Art. 44 et seq. of the GDPR. Therefore, if the provider of a VR or AR application utilizes a large cloud service provider, the following must be documented: Why was an alternative not available in a country with an adequate level of data protection? Which measures have been taken to ensure that the data is adequately protected despite this?
  4. Work towards a company agreement
    At German companies with a works council, the introduction of VR/AR solutions is subject to co-determination pursuant to Section 87(1)(6) of the Works Constitution Act (BetrVG). The interactions in the virtual space are documented and enable conclusions regarding who performed which action, and when. Therefore, these interactions are objectively suitable for monitoring the employees’ behavior or performance.At companies with a works council, the mandatory involvement of the works council has the advantage of enabling a company agreement to be used to establish a legal basis for the data processing. As explained above, this data processing would not be permissible solely on the basis of Section 26(1)(1) of the Federal Data Protection Act (BDSG) or Art. 6(1)(1)(f) of the GDPR.
  5. Protect company and business secrets
    In most cases, VR/AR solutions are not only used within the company itself. Field staff also use these solutions while employees collaborate with customers and service providers in virtual spaces. Therefore, users of VR/AR solutions have to be aware that they may be endangering the confidentiality their customers’ company and business secrets. Data glasses in particular can easily capture information of this nature: for example, when design plans, documented business processes, recipes or machine arrangements pass through an employee’s field of vision. Or when conversations about confidential information are recorded in the vicinity of the data glasses. In view of this, requiring customers to take appropriate technical and organizational measures to protect their business secrets may be recommended. Non-disclosure agreements are one option.
  6. Clear liability rules
    Suppliers and users of software for the metaverse have to clearly regulate the following: Who is liable for ensuring that the application works properly? Who is liable for the correctness of the information displayed by the solution? This is especially applicable when the supplier develops a solution based on information provided by the user.
  7. Observe occupational health and safety rules
    Employees who want to use a VR/AR solution at the company need to ensure that it complies with the safety regulations at the place of use. Under certain circumstances, focusing on a virtual environment can obscure the view of real hazards in the immediate vicinity such as when servicing machines. Yet, at the same time, data glasses can also help to prevent accidents by checking whether an employee is wearing protective gloves.
  8. Extend the code of conduct to virtual spaces
    Given that avatars are digital twins of employees, one has to consider to whether employers are permitted to define their appearance and behavior. As such, extending existing rules, guidelines and codes of conduct to include virtual space it is recommended.

Working in the metaverse creates new legal issues for HR along with the exciting challenge of keeping pace with technological advancement. These issues and challenges are easier to address if HR departments proactively examine the opportunities and risks and adapt existing regulations to the unique aspects of working in virtual spaces ahead of time.