Once employees start working in the metaverse, employers face the question of how and to what extent they can process employee data. While metaverse interactions generate a wide variety of data, any associated processing requires a legal basis.
Recording data in the metaverse
Information on facial expressions, gestures and other physiological reactions to content and events in the metaverse as well as data on productivity and resilience can be logged in the metaverse or determined by linking data together. Speech can be recorded, and it is even possible to log employees’ pulse, blood pressure or ECG readings – and check on their health in the process. This could enable employers to take measures to counter burnout and other health issues at an early stage.
The Federal Data Protection Act
Section 26 Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) applies to processing data generated in the metaverse.Under this provision, employee data from the metaverse may be processed if that processing is necessary, in particular, to perform or terminate the employment relationship (section 26(1), sentence 1 BDSG) or to detect criminal offences (section 26(1), sentence 2 BDSG). Article 88(1) GDPR lists the performance of the employment contract, the planning and organisation of work, health and safety at work and the protection of the employer’s or customers’ property as examples of possible processing purposes. Such purposes also include monitoring employees’ behaviour and performance. Following one of the fundamental principles of data protection law, personal data may also be processed in the context of employment based on the employee’s consent pursuant to section 26(2) BDSG.
Data processing in individual cases
Storing data for the purpose of documenting virtual meetings may be deemed necessary for the performance of employment relationships within the meaning of section 26 BDSG. Data processing is legally justified if it is necessary and the intended aim of the processing cannot be achieved by other equally appropriate means. It can be argued that such processing is necessary if the metaverse offers additional benefit – which is easy to substantiate if employees use the metaverse to discuss 3D models of development and construction work, for example. Meetings that could also be held via conference call or video conference and do not offer such added value could come under scrutiny from a data protection perspective. Meetings in the metaverse can, however, be deemed to offer additional benefit if participants who don’t speak the same language – or at least not at the same level – can communicate using speech recognition and translation functions.
In contrast, section 26(3) BDSG specifies that health data can only be processed if this is necessary to exercise rights or fulfil obligations arising from employment, social security or social protection law. The employer’s duty to ensure employees’ health and safety could be one reason for recording health data in the metaverse. But employers need to be cautious about recording private conversations – section 201(1), no. 1 Criminal Code (Strafgesetzbuch, “StGB”) makes it clear that recording privately spoken words is generally a criminal offence unless consent has been granted. If there is no legal basis and the employee has not granted consent or this consent is legally invalid, the employee not only has a cease-and-desist claim but might also have a claim for damages against the employer.
Works council’s co-determination rights
The co-determination right set out in section 87(1), no. 6 Works Constitution Act (Betriebsverfassungsgesetz, “BetrVG”) gives the works council the power to shape and restrict the use of employee monitoring technology. While the legal requirements for employee data protection are tied to data processing operations, the works council’s co-determination right under section 87(1), no. 6 BetrVG relates to the introduction of technical devices. This means that the works council can oppose the introduction of virtual meeting rooms. Even though the BetrVG only grants the works council information and monitoring rights when it comes to data protection compliance, this co-determination right actually gives it the power to veto the introduction of technical devices until a conciliation board procedure has been completed. It is therefore in a company’s interest to check whether proposed systems comply with data protection requirements and to collate information documenting that the use of employee data is necessary and the processing thereof proportionate. The introduction of such systems can then be negotiated on this basis and any joint assessment of data protection compliance documented where necessary.
Before establishing a presence in the metaverse, employers must check what data can be recorded under the BDSG – bearing in mind both that different areas of activity are likely to be subject to different requirements and that works councils have a co-determination right under section 87(1), no. 6 BetrVG.