Extending data protection rights to virtual spaces

AR2

I have been thinking about augmented reality a lot in the last few days for reasons explained in the last blog post. While most of the discussion in the next few weeks will be about cute pocket monsters, an interesting legal question has arisen, who owns virtual spaces around real locations?

This could prove to be a more relevant question than it would appear at first glance, as evidenced by the first few days of Pokémon Go mania. As reported elsewhere, a man in Massachusetts has had his house tagged as a gym, which is a location that invites people to come and visit constantly to train their pokémon. Cases like this one have prompted many to ask the question if one can have some sort of rights on how their house is portrayed online.

You may think that this is a trivial question, and nobody really cares if their tagged as a virtual stop for online players, the game’s hype will eventually disappear and we’ll be back to normal. But I argue that Pokémon Go is just the beginning, the augmented reality floodgates have been opened, and we can expect a large number of future applications of the technology to come our way. The wild success of location-based gaming may bring about a horde of imitators, so expect a new generation of AR gaming to hit the app stores soon (Blizzard, WoW Pet Battles are just waiting to receive this treatment, make it so). But the potential for AR has been with us for years, and while Google Glass was a bit of a fiasco, other technologies are making their way, allowing a future of geo-tagging and location-based interaction.

So imagine a future where your house is tagged in a global database without your permission, or a commercially sensitive database where your business has incorrect data, and you cannot reach the developer, or they refuse to act. Even more worrying, imagine a database showing the location of sex offenders being used in augmented reality apps, and this data being inaccurate, outdated, or not fit for purpose. It is possible that we will also see AR relying on user-generated content, what happens when it is inevitably used to abuse a person? Why spray-paint hate messages when you can geo-tag a house? Paint washes away, but data may be more difficult to erase.

My proposal is to extend data protection to virtual spaces. At the moment, data protection is strictly personal as it pertains to any information relating to an identified or identifiable natural person, known as data subjects. The data subject has a variety of rights, such as having the right to access, rectify and even erase inaccurate and excessive personal data. Under my proposal, the data subject’s rights would remain as they are, but we would include a new definition, that of the data object. This pertains to data that is related to an identified or identifiable location. The rights of data objects would be considerably more limited to those of a data subject, but this classification would make it possible to take advantage of various of the data protection mechanisms when the rights of a data subject may be intrinsically linked to a location.

In other words, just tagging a location on an augmented reality database would not warrant the exercise of data object rights, but the mis-tagging of a location as a public space which could have an effect on the enjoyment of that location could trigger an action to the regulator to have the tag amended, removed, or even erased.

This idea is in very early stages, so I would welcome your feedback. Is data protection the right way to try to protect sensitive location data? Are there laws that already cover this area?

Comments 3

  1. To be fair, the case of “my home was tagged as a Pokemon gym” occurred because the subject’s home was once a location open to the public (a church); the game developer used the same public data points it had created for an earlier game (named Ingress), and did not know that the church property had changed hands and was now a private residence. I suspect that to be a somewhat uncommon situation, especially in areas where zoning laws would prohibit the change to residential status. Even so, I would hope that the game developer responds affirmatively to a “delisting” request in such cases of “old data.”

    Nonetheless, I would agree that third-party use of virtual spaces corresponding to physical locations should be limited to that information which is publicly available. For instance, here in the US one can usually discover who owns the property at a particular address through public records, even if it is a private residence; they can also learn the price at which the property last changed hands and when that transfer took place. For businesses, one can also find the owners’ names and details of their business licenses. So, as far as the US is concerned, I would think that our baseline definition of “permitted use” for your proposed “data object” would be framed by that information which is publicly available.

    Given the differences between US, UK and EU data protection requirements, today’s release of Pokemon GO in the UK and Germany may well provide us with a few interesting test cases…

  2. […] “I have been thinking about augmented reality a lot in the last few days for reasons explained in the last blog post. While most of the discussion in the next few weeks will be about cute pocket monsters, an interesting legal question has arisen, who owns virtual spaces around real locations? This could prove to be a more relevant question than it would appear at first glance, as evidenced by the first few days of Pokémon Go mania …” (more) […]

Leave a Reply