Summary

The Personal Data Protection Law Numbered 6698 and the European General Data Protection Regulation include the concepts of data controller and data processor. In the article, the qualifications, responsibilities, and obligations of the parties are given, and the positioning of the concepts in the Metaverse and the principles of data processing are mentioned in order to explain the concepts of data controller and data processor. Accordingly, the concepts of data controller and data processor were analysed in depth within the framework of the Personal Data Protection Law and the European General Data Protection Regulation, and then the results of the analysis were reconciled with the Metaverse fiction. In addition, evaluations were made on the definition, current status and development of the Metaverse and the data processing activities that have taken place and may take place within this scope.

Keywords: Metaverse, Data Controller, Data Processor, Data Processing, Big Data Law

I. Introduction

The Personal Data Protection Law Numbered 6698 ("PDPL") defines two actors, namely the data controller and the data processor, in accordance with the European General Data Protection Regulation ("GDPR"). The Law recognizes these two actors in the processing of data and addresses their obligations and responsibilities separately. Identifying the responsible parties will also be an important issue in the metaverse in order to ensure adequate protection.

The fact that technological developments continue unceasingly and that all existing and developing technological systems are based on personal data increases the concerns in this area. On rapidly designed systems, existing regulatory and legal terms are integrated, new concepts and scenarios that are not yet operational are envisaged and sanctions are imposed accordingly.

In order to be able to make legal evaluations on a fiction system such as the Metaverse –which is open-ended, connected to the Internet and will even bring different dimensions to the Internet– it would also be useful to mention the definitions of this system, as well as the initiatives and developments carried out in this direction.

II. Concepts of Data Controller and Data Processor

a. Data Controller

The concept of data controller is defined in Article 3 of the PDPL as "the natural person or legal entity that determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system." Data controllers are obliged to comply with data protection legislation and ensure that data subjects can exercise their rights.1

The four basic elements that constitute the infrastructure of the data controller concept are as follows:

  • Data processing activity
  • Determines the purposes and means of processing personal data
  • Natural person or legal entity
  • Alone or with others2

The concept of processing of personal data has been transposed into Turkish Law from the definition in Article 2(b) of the EU Data Protection Directive 95/46/EC. This concept is defined in Article 3(e) of the PDPL as "Any operation which is performed on personal data, such as the obtaining, recording, storage, preservation, modification, alteration, reorganization, disclosure, transfer, acquisition, making available, classification or prevention of use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system." As can be understood from this definition, the term "data processing activity" has a broad and inclusive content that covers many operations performed on data.3

The Article 29 Working Party ("WP29"), in order to clarify the concept of data controller, defines the person who determines the purposes and means of data processing as the person who decides "why" and "how" the data processing is carried out.4

In the light of both domestic and international regulations, it is seen that the person who has the title of data controller should have the authority to decide on the following matters:

  • Collection of personal data and collection method,
  • Types of personal data to be collected,
  • The purposes for which the collected data will be used,
  • Which individuals' personal data will be collected,
  • Whether the collected data will be shared, and if so, with whom,
  • How long the data will be stored.5

Accordingly, it can be said that the data controller has the authority and responsibility to make decisions regarding any scope and activity on personal data from the acquisition of personal data until the end of the retention period.

On the other hand, according to the WP29, determining the means of data processing covers technical and organizational issues where decision-making power may be delegated to the processor, as well as the essential elements to be determined by the controller, such as "what types of personal data will be processed", "what is the necessary/legal period for the retention of personal data", and "who has access to personal data."6

As foreseen in the PDPL, the data controller can be either a natural person or a legal entity. In practice, the data controller is usually a legal entity. Units within the internal structure of a company that do not have a legal personality independent from the company cannot be accepted as data controllers. However, the companies belonging to a group formed by more than one company will be considered as data controllers independently of each other.

As a matter of fact, pursuant to the decision of the Personal Data Protection Board ("Board") dated 02.08.2018, data transfer between multiple data controller companies within a group of companies is considered as data transfer to a third party.

In addition, the PDPL does not make a distinction between whether the data controller is a public or private legal entity. Accordingly, business associations, companies, associations, foundations, public institutions and organizations can be data controllers.7

b. Joint Data Controller

Pursuant to Art. 26 of the GDPR, more than one natural or legal person may be the data controller of a single set of personal data, depending on how the data is passed from one controller to another, in which case the data controllers concerned will be joint data controllers. At this point, it is not necessary for the joint processing to take place at the same time or to the same extent. In order to qualify as joint controllers, it will be sufficient for two or more data controllers to jointly determine the purposes and means of processing.

The concept of joint data controller symbolizes a plural control activity. In other words, the concept of joint controller means that the controller determines the purposes and means of data processing not alone but together with others.

As a matter of fact, joint data responsibility may arise in some cases listed below as examples:

  • Use of centralized or shared infrastructure/database, e.g. common internet platforms or shared customer database,
  • Social media platforms and users, unless the household activities exception is applicable,
  • Common purposes targeted within the framework of different data processing activities. For example, data controllers working together on an advertising ecosystem for the purpose of behavioural advertising,
  • Different data controllers carrying out combined marketing activities, e.g. an airline company and an accommodation company carrying out their activities on the same website in agreement with a travel agency.8

Although these scenarios provide guidance on the existence of joint controllers, the WP29 has not yet resolved the ambiguities regarding the extent and point at which a party must be involved in data processing in order to be considered a joint controller.9

Although there is an explicit provision on joint data responsibility in the GDPR, there is no provision in this context in the PDPL.

In the definition of data controller in Article 3/1(i) of the PDPL, it is mentioned that the data controller may be a natural or legal person, and it cannot be concluded from this definition that the data controller who will determine the purposes and means of the processing activity cannot be more than one person.10

c. Data Processor

The concept of data processor is defined in Article 3/1(g) of the PDPL as a natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by it. The activities of the data processor are mostly related to the technical parts of data processing.

The data processor must act on behalf of the data controller and within the framework of its instructions. While authorizing the data processor, the data controller may make a general delegation of authority or an authorization that will cover certain tasks. In addition, the data processor may be a natural or legal person like the data controller.

In some cases, the data controller may leave the decision-making authority regarding the means of data processing, such as technical issues, entirely to the data processor. In this context, in line with a personal data processing agreement to be concluded between the data controller and the data processor, the data controller will be able to grant the data processor the authority to decide on which systems and methods will be used in the collection of data, the method of storing the data, the security measures to be taken, the method of data transfer, the methods to be used in the deletion, destruction and anonymization of the data. However, in these cases, the general processing purposes must be decided by the data controller in order for the data processor not to be considered as the data controller. This may be exemplified by the provision of infrastructure services by a cloud computing provider.11

The data processing agreement must be concluded in writing, clearly stating the nature and purposes of the data processing activities, the types of data and the categories of data subjects. On the other hand, a data processor will not be able to involve another data processor in the data processing process without prior authorization by the data controller. Where such an authorization is given, the first authorized data processor will be fully responsible to the data controller for the other data processors it authorizes.12

Some of the criteria to be considered when distinguishing between the roles of the data processor and the data controller are listed in the WP29 opinion 1/2010 as follows:

  • The level of instruction given in advance by the controller, which determines the degree of independent judgment that the processor can exercise,
  • Monitoring and supervision of the execution of the service by the controller: The stricter the supervision and monitoring, the more control the controller will have over the processing,
  • The visibility/image shown to the individual by the data controller and the expectations of the individual based on this visibility,
  • The expertise of the parties: The more expertise the service provider has in relation to its customer, the more likely it is to be classified as a data controller.13

In general terms, to identify the data processor:

  • Receiving instructions from someone else to process personal data,
  • Not having decision-making authority in the process of collecting personal data from individuals,
  • Not to determine the purposes of use of personal data,
  • Not having the authority to decide how the data can be disclosed and who can access this data,
  • Not having the authority to decide on the data storage process,
  • Not to be responsible for the consequences of data processing,
  • Whether there are some decision-making mechanisms for the processing of personal data within the framework of legally binding agreements such as the contract to be made with the data controller within the framework of the authorizations given by the data controller.

If most of the listed items are present when the above-mentioned points are evaluated, the party that performs the data processing activity will be considered as the data processor.

According to the WP29 opinion of 1/2020, a processor who is not itself a controller may have some decision-making power on how to carry out processing on behalf of the controller. However, this can only be the case as long as the data processor can point to another party responsible for the extensive data processing.

In addition, in some cases, the data processor will be able to take certain technical and organizational decisions on behalf of the data controller. An example of this may be when the data processor determines which software program will be used within the scope of the processing activity. However, the data controller shall take the decisions regarding the issues of importance that will form the basis for the essence of the lawfulness of the processing activity. At this point, the person who decides how long the data will be stored and who is authorized to access the personal data will be considered the data controller.14

III. Obligations of the Parties

a. Obligations of the Data Controller

In addition to complying with the data processing principles listed in Article 4 of the PDPL and Article 5 of the GDPR, data controllers must be able to clearly demonstrate that they comply with these principles. In this respect, data controllers are obliged to implement appropriate technical and administrative measures, review and update these measures when necessary, taking into account various possibilities and risks.

If such data processing activities pose a high risk to the rights of natural persons, the data controller will have to take more extensive measures against these risks.

Recital 75 of the GDPR lists, as examples of high-risk data processing, activities that may result in discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; activities that might deprive data subjects of their rights and freedoms or prevent them from exercising control over their personal data; and the processing of special categories of data, data of minorities or personal data relating to criminal convictions.15 This is also reflected in the scope of special categories of personal data regulated under Article 6 of the PDPL. As a matter of fact, pursuant to Article 6 of the PDPL, personal data that may lead to disadvantages such as discrimination are subject to stricter processing conditions.

On the other hand, the data controller is responsible for establishing and implementing appropriate data protection policies. In this context, data controllers are obliged to establish internal policies, allocate responsibilities and provide necessary trainings.

In addition to the obligation of the data controller to comply with the data processing principles within the scope of PDPL, other obligations are as follows:

  • Although it has been processed in accordance with the relevant legislation, personal data must be deleted, destroyed or anonymized by the data controller upon the request of the data subject or ex officio if the reasons requiring its processing disappear.
  • In case of transfer of personal data, the data controller must comply with the explicit consent requirement or the other conditions laid down in the PDPL.
  • The data controller is obliged to inform the relevant persons whose data will be processed.
  • The data controller must ensure data security by taking the necessary technical and administrative measures for the data it processes.
  • The data controller has a confidentiality obligation during and after its duty.
  • The data controller must finalize the requests included in the applications to be made by the relevant persons free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
  • Data controllers are obliged to comply with the decisions of the Board in order to eliminate the unlawfulness detected by the Board.
  • Data controllers must register with the Data Controllers Registry before starting data processing activities.16

The obligations of the data controller listed in the GDPR, which are in line with the PDPL but contain some differences, can be briefly listed as follows:

  • Determination of binding internal policies and procedures,
  • Compliance with data processing principles,
  • Compliance with data subject rights,
  • Compliance with data protection rules from the design stage and ensuring that default settings comply with data protection,
  • Ensuring the integration of a risk-based approach and conducting Data Protection Impact Assessments accordingly,
  • Keeping records of data processing activities,
  • Ensuring that appropriate security measures are in place,
  • Appointing a data protection officer,
  • Maintaining effective control over staff and data processors,
  • Compliance with special rules for international data transfers,
  • Evaluation of the effectiveness of the measures taken,
  • Demonstrating compliance with legislation,
  • Responsibility in case of non-compliance with the legislation.

b. Obligations of the Data Processor

Most of the obligations of the data processor are obligations of means rather than obligations of result. An example of a means-oriented obligation is the obligation to ensure data security. By contrast, the obligation under Art. 29 of the GDPR that the data processor may not process data without the instruction of the data controller is result-oriented.17

The data processor must comply not only with directly applicable obligations, but also with contractually imposed obligations. At this point, Art. 28/3 of the GDPR sets out the obligations that the data processor must fulfil by law or under the data processing agreement.

It should be noted here that according to Art. 28/10 GDPR, if a data processor breaches the GDPR by determining the purposes and means of the processing, the data processor shall be considered as the data controller for this processing activity.18

On the other hand, other obligations that directly concern data processors under the GDPR are obligations to keep records of data processing activities, to notify the data controller of data breaches, to appoint a data protection officer, restrictions on international data transfers, and to adhere to codes of conduct and certification requirements.19

Some obligations are also imposed on data processors under the PDPL. Although the data controller and the data processor are defined separately in the PDPL, pursuant to Article 12 of the PDPL, the data controller and the data processor are held jointly responsible for taking measures regarding data security. Therefore, data processors are also under obligation to take measures for ensuring data protection.

Since Art. 3/2(g) of the PDPL defines the data processor as a natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller, the data controller may, through a personal data processing agreement, provide the data processor with authority on deciding (i) which information technology systems or other methods will be used to collect personal data, (ii) the method by which personal data will be stored, (iii) the details of the security measures to be taken for the protection of personal data, (iv) the method by which personal data will be transferred, (v) the method to be used for the correct application of the periods for the storage of personal data, (vi) the method of deletion, destruction and anonymization of personal data. In this case, the data processor will have the same obligations as the data controller in the relevant matters.

IV. The Legal Relationship and Responsibility Between the Data Controller and the Data Processor

The relationship between the data controller and the data processor takes two different forms: the data processor being an employee of the data controller and the data controller using outsourcing.

a. Data Processor Being an Employee of the Data Controller

The data controller's responsibility of care, one of the types of strict liability, will be in question at the point of eliminating the damage caused by the employees during their work. The data controller will be deemed to have failed to fulfil its duty of care when any damage caused by the employee's act occurs.

In order for the data controller to be released from liability, it must prove that it has taken every precaution to prevent the damage in question. At this point, the data controller's duty of care will be determined objectively, and taking due care in the selection of employees, in work-related instructions and in supervision are the critical activities in this direction. For example, providing the necessary training to employees is one of the activities that should not be neglected by the data controller.20 As a matter of fact, since employees are within the organization of the data controller, they cannot be considered as data processors, even if they carry out data processing activities with the authorization of the data controller and on behalf of the data controller.21

b. Data Processor Being a Service Provider

The most common example of a data processor acting as an outsourced service provider is where the data controller is the customer and the data processor is the supplier. In addition to having to fulfil the obligations of data processors, the outsourcing service provider may also have certain obligations under the outsourcing agreement. However, it should be clear from this contract that the controller has the dominant role in determining the purposes and means of processing.

c. Data Controller Being a Service Provider

It is common in customer-external service provider (supplier) relationships for the external service provider to play an active role in making some decisions regarding data processing. However, as we have already mentioned and as stipulated in the WP29 opinions and Art.28/10 of the GDPR, the data processor will be deemed to be the data controller if it exceeds its responsibility and determines the purposes and means of the data processing activity. At this point, the possibility arises that the external service provider may also act as a data controller.22

V. Data Processing Principles

Under the GDPR and PDPL, there are certain data processing principles that must be complied with during the performance of data processing activities. These principles are listed in Articles 5 through 11 of the GDPR and Article 4 of the PDPL:

  • Lawfulness, fairness, and transparency,
  • Limitation of purpose,
  • Data minimisation,
  • Accuracy and timeliness of data,
  • Data storage limitation,
  • Confidentiality and integrity.

a. Lawfulness:

The principle of lawfulness stipulates that personal data shall be processed only on the basis of a legal ground. In other words, lawfulness means that the data processing activity is carried out within the framework of the applicable laws. These laws include data protection laws and other relevant and applicable legislation such as labor, competition, health and tax laws.

Under the GDPR, certain legal grounds are stipulated for the lawful processing of personal data:

i. Consent: Consent of the data subject to the processing of his/her data for one or more purposes.

ii. Necessary for the establishment and performance of a contract: Data processing is necessary for the establishment or performance of a contract to which the data subject is a party.

iii. Legal obligation: Data processing is necessary for the data controller to fulfill a legal obligation.

iv. Vital interest: Data processing is necessary to protect the vital interests of the data subject or another natural person.

v. Public interest: Data processing is necessary for the performance of a task carried out in the public interest or for the exercise of official powers by the controller.

vi. Legitimate interest: The processing is necessary for the purposes of a legitimate interest pursued by the controller or another third party.23 In addition to this requirement, the PDPL stipulates the condition of not harming the fundamental rights and freedoms of the data subject.

In addition to these, the PDPL stipulates that the data processing must be either explicitly stipulated in the laws, mandatory for the protection of the life or physical integrity of the person or of another person who is unable to give consent due to actual impossibility or whose consent is not legally valid, related to data that has been made public by the data subject, or mandatory for the establishment, exercise or protection of a right.

b. Fairness:

According to the principle of fairness, data subjects should be aware that their data is being processed. Accordingly, data subjects should be informed about how their data will be collected, stored and used in order to give consent to the processing of their data and to exercise their rights. At this point, as stipulated in the PDPL, the principle of clarity ensures that the personal data processing activities are clearly understandable by the data subject, that it is determined on the basis of which legal processing condition the personal data processing activities are carried out, and that the personal data processing activity and the purpose of this activity are set out in detail to ensure certainty.

c. Transparency:

The principle of transparency, which is directly related to the principle of fairness, requires the data controller to be clear and understandable to data subjects when processing their data. On the other hand, transparency requires that the information to be provided by data controllers is to be made in a timely manner. Where personal data is obtained directly from the data subject, the information to be provided to the data subject must be available at the time the data is collected. Finally, the GDPR stipulates that the information to be provided to the data subject must be clear, concise, easily understandable, and accessible. Within the scope of PDPL, in addition to the principle of clarity, the condition of compliance with the rules of good faith is stipulated.

d. Limitation of Purpose:

The main objective of the purpose limitation principle is for data controllers to collect and process personal data for their identified, explicit and legitimate interests. At this point, data controllers will not be able to process personal data for purposes other than these predetermined purposes. Data controllers will have to act limited to the scope of the personal data processing purposes they have initially determined. Secondary data processing will only be deemed lawful to the extent that it is compatible with the initial processing purpose. In the event that the purpose of secondary data processing is incompatible with the first one, it will be obligatory to rely on a separate legal ground. In such a case, the data controller will have two options: Obtain a separate consent from the data subject or inform the data subject in a clear and appropriate manner that it fulfils one of the other legal criteria in order to legitimize the processing.24

e. Data Minimisation:

Pursuant to the principle of data minimization, the data collected by data controllers must be relevant, necessary and sufficient for the purpose of data processing. In order to achieve this, two understandings, namely necessity and proportionality, are discussed. Pursuant to the concept of necessity, the data processed must be necessary to achieve the purpose of processing. In terms of proportionality, data controllers should consider the amount and extent of the data to be collected. For example, collecting more data than necessary for a processing purpose will be considered disproportionate.

f. Accuracy and Timeliness of Data:

Data controllers must take reasonable measures to ensure the accuracy and timeliness of data. The principle of data accuracy also covers the obligation to respond and correct data arising from the applications of data subjects regarding incomplete and inaccurate information.

g. Data Storage Limitation:

According to this principle, personal data collected should not be retained for a longer period of time than required by the purposes of data processing. In other words, at the point where the data is no longer needed, it should be securely destroyed. Data controllers should set time limits for the purposes of destruction and periodic checks. In addition, data controllers should take into account the existence of legal retention periods according to the type of data processing. If these periods are not determined by law, data storage periods should be determined within the scope of internal policies in order to meet the principle of data storage limitation. These periods should be determined specifically for the purposes of data processing.

h. Confidentiality and Integrity:

The principle of confidentiality and integrity is set out in Article 5(1)(f) of the GDPR. According to this article, personal data should be processed in a manner that ensures appropriate security, and unauthorized or unlawful data processing, data loss, corruption and damage should be prevented by taking appropriate technical and organizational measures. In order to protect and preserve personal data, data controllers are required to establish an information security framework. In this context, the GDPR encourages the use of techniques such as blurring and encryption.25

VI. Metaverse

a. Definition and Scope

The concept of the Metaverse was first explored by American author and technology consultant Neal Stephenson in his 1992 science fiction novel Snow Crash. The Metaverse is a collection of worlds created through augmented reality and virtual reality technologies. "Metaverse" is a combination of the terms "meta" (beyond) and "verse" (universe); it means "beyond the universe."

The Metaverse is an interconnected network of three-dimensional virtual worlds that allows its users to participate in a life-like social economy. It is possible to buy and sell things, earn money, make friends, build brands and collaborate on Metaverse platforms. The Metaverse is designed as a decentralized space built on a blockchain architecture.26

This concept has been frequently used by giant technology companies such as Microsoft, Epic Games and Meta with their large investments and ambitious projects in this field. Facebook and Meta CEO Mark Zuckerberg, as a pioneer in this direction, envisions the Metaverse as the next phase of internet evolution. Developments in virtual reality and augmented reality technologies to support this ambitious vision are increasing day by day. Wearable sensors will enable avatars (self-created personas) to mimic our real-life movements, and new and emerging technologies, such as eye trackers and haptic gloves, will enable the transfer of extensive data from the real world to the Metaverse.

Although some of the new data types that will be transferred to the Metaverse universe can be predicted due to the introduction of some innovative technology products that are in development and project stage around the world, it is clear that the data types that we cannot yet predict will gain diversity in a short time in a period where technological developments are making rapid progress. Metaverse, which will continue to grow by incorporating these technological innovations that will transform our physiological responses and even our brain waves into data, is a much more detailed and comprehensive concept than can be explained by today's conditions. For this reason, the framework of concerns about privacy that will appear under the umbrella of Metaverse will not only expand but take a different shape.

b. Centralized and Decentralized Metaverse Concepts

Currently there are two types of Metaverse platform: those managed by a central organization (Roblox, Fortnite, etc.) and those that are decentralized, built and run by their communities. In a centralized Metaverse, a single organization manages the entire network, operates its own servers and sets the policies that govern the virtual world. In centralized environments such as Roblox, the virtual community lives within the boundaries of a centrally controlled domain and users are limited by those parameters. Users can interact and share their experiences, but they have no freedom to control or own parts of the digital environment.

In contrast, a decentralized Metaverse is built on an open-source platform and users are free to control their own experiences fully. Control of the platform rests with the community rather than a central authority. In other words, users have greater individual control not only over their own assets but also over the creation and operation of the Metaverse itself. Decentralized Metaverse projects are developing in step with blockchain technology, and the number of such Metaverses, Decentraland among them, has visibly increased recently.

Finally, Web 3.0, which is commonly presented as an infrastructure for the Metaverse, deserves mention here. On closer inspection, the Metaverse and Web 3.0 are closely connected constructs.

The internet technology used today is described as Web 2.0. Most data is held by giant companies, and companies such as Facebook, now called Meta, effectively control the content we produce on their systems. These intermediaries can remove content or bar any user from the application. Web 3.0, by contrast, is premised on eliminating such intermediaries; it is meant to let users interact and communicate with each other over the internet without any intermediary. In that sense Web 3.0 is a return to the decentralized model of Web 1.0, adapted to today's technology. Through Web 3.0, users are expected not only to produce content that they own but also to control and monetize it themselves, so that the benefit accrues to the content producer rather than to an application sitting in between. Content owners would deliver their work directly to the user, with no need for an intermediary.

VII. Data Processing Activities within the Scope of Metaverse

Avatars used on Metaverse platforms may reflect what you do in real life, how you look or your hobbies, so some attributes of an avatar can be personal data. The data that will most characteristically constitute personal data in the Metaverse, however, are those obtained through the virtual reality and augmented reality technologies mentioned above. User movements captured by eye-tracking devices are one example of data that will feed online behavioural advertising. Game developers and Metaverse owners will want to learn which details users examine most closely in the virtual environments they build. With such data, game developers can steer product development, and virtual market owners can identify which products users are interested in by analysing their eye movements and target their marketing accordingly. A Metaverse platform administrator carrying out direct marketing on this basis is the data controller and must obtain the users' prior consent for the data collected for that purpose. Many further data types that may serve such marketing activities, facial expressions among them, will have to be addressed by legal regulation in step with the technology. Biometric data will also feature prominently in these activities. One caveat a practitioner should keep in mind: under the GDPR's definition (Article 4(14)), gaze or facial data counts as biometric data only where it results from specific technical processing that allows or confirms the unique identification of a person, and it falls within the special categories of Article 9 only when processed for that identification purpose; gaze patterns used solely for attention analytics remain ordinary personal data, still subject to the requirements on lawful basis and purpose limitation discussed here.

Data collected by technologies placed in users' private spaces, such as auditory and visual sensors, may also cause privacy problems. In a scenario where even everyday conversations at home can be processed, data processing principles such as data minimization and purpose limitation will be central to the future of the Metaverse.
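The two requirements just described, purpose-bound prior consent for the eye-tracking marketing analytics discussed above and data minimization for sensor data, can be made concrete in code. The following Python example is added here for illustration and is not part of the original article or of any Metaverse platform's software; the scene regions, gaze samples, consent records, purpose names and key are all constructed and hypothetical. It refuses to process gaze data for a purpose the user has not consented to, pseudonymizes the account identifier with a keyed hash, and collapses the raw gaze trajectory into per-product fixation counts so that the raw per-sample coordinates need not be retained for the marketing purpose.

```python
"""Purpose limitation and data minimization for eye-tracking telemetry.

Added illustration, not code from the article. All identifiers, regions,
gaze samples, purposes and the key below are constructed/hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Region:
    """A labelled area of the virtual scene, e.g. one product on a shelf.

    Coordinates are normalized to [0, 1); the region covers [x0, x1) x [y0, y1).
    """
    label: str
    x0: float
    y0: float
    x1: float
    y1: float

    def contains(self, x: float, y: float) -> bool:
        return self.x0 <= x < self.x1 and self.y0 <= y < self.y1


@dataclass(frozen=True)
class ConsentRecord:
    """Purposes the data subject has consented to, recorded per user (hypothetical schema)."""
    purposes: frozenset[str]


class ConsentDenied(Exception):
    """Raised when processing is requested for a purpose without recorded consent."""


def pseudonymize(user_id: str, key: bytes) -> str:
    """Keyed hash of the account id: reports cannot be linked back without the key."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def region_of(regions: tuple[Region, ...], x: float, y: float) -> Optional[str]:
    """Label of the first region containing the gaze point, or None if looking away."""
    for region in regions:
        if region.contains(x, y):
            return region.label
    return None


def aggregate_attention(samples, regions: tuple[Region, ...], min_dwell_ms: int = 200) -> dict[str, int]:
    """Collapse a raw gaze trajectory into fixation counts per region.

    samples are (timestamp_ms, x, y) tuples. A run of consecutive samples on the
    same region counts as one fixation once it lasts at least min_dwell_ms; the
    raw samples themselves are not stored anywhere in the output.
    """
    counts: Counter[str] = Counter()
    current: Optional[str] = None
    entered_ms = last_ms = 0
    for ts, x, y in sorted(samples):
        label = region_of(regions, x, y)
        if label != current:
            if current is not None and last_ms - entered_ms >= min_dwell_ms:
                counts[current] += 1
            current, entered_ms = label, ts
        last_ms = ts
    if current is not None and last_ms - entered_ms >= min_dwell_ms:
        counts[current] += 1
    return dict(counts)


def process_gaze(user_id: str, samples, regions: tuple[Region, ...],
                 consent: ConsentRecord, purpose: str, key: bytes) -> dict:
    """Purpose-bound entry point: processing without consent for that purpose is refused."""
    if purpose not in consent.purposes:
        raise ConsentDenied(f"no consent recorded for purpose {purpose!r}")
    return {
        "subject": pseudonymize(user_id, key),
        "purpose": purpose,
        "attention": aggregate_attention(samples, regions),
    }


# Constructed sample scene and gaze trace (not real telemetry).
SHELF = (
    Region("shelf_left", 0.0, 0.0, 0.5, 1.0),
    Region("shelf_right", 0.5, 0.0, 1.0, 1.0),
)
GAZE_TRACE = [
    (0, 0.20, 0.5), (100, 0.25, 0.5), (200, 0.30, 0.5), (300, 0.35, 0.5),  # 300 ms on the left item
    (400, 0.70, 0.5),                                                       # brief glance right
    (500, 0.20, 0.5), (600, 0.22, 0.5), (700, 0.24, 0.5), (800, 0.26, 0.5),  # 300 ms on the left item
    (900, 0.50, 1.50),                                                       # looking away from the shelf
]
DEMO_KEY = b"constructed-demo-key-not-for-production"
MARKETING_CONSENT = ConsentRecord(frozenset({"marketing_analytics"}))
ACCESSIBILITY_ONLY = ConsentRecord(frozenset({"accessibility"}))

if __name__ == "__main__":
    print(process_gaze("user-42", GAZE_TRACE, SHELF, MARKETING_CONSENT, "marketing_analytics", DEMO_KEY))
    try:
        process_gaze("user-42", GAZE_TRACE, SHELF, ACCESSIBILITY_ONLY, "marketing_analytics", DEMO_KEY)
    except ConsentDenied as exc:
        print("refused:", exc)
```

Running the module prints the attention report for a consenting user and the refusal for a user who consented only to accessibility processing. The point of the aggregation step is that what leaves the sensor pipeline is the minimum the stated purpose needs: two fixations on the left shelf item, no timestamps, no coordinates and no account name. The dwell threshold is a constructed parameter, and a real deployment would additionally need retention limits and a consent record kept separately per purpose under the platform's own legal analysis.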

In virtual workplace applications, some of which are already in use, the scope of employer monitoring is expected to be very wide. Eye tracking, which will also be used in marketing, can serve analyses such as measuring employee productivity in virtual workplaces. Such processing will require the employees' explicit consent, since biometric data will be processed in this context. Under the GDPR, however, a practitioner should note that European supervisory authorities consider consent in the employment relationship to be rarely freely given because of the imbalance of power between employer and employee (see Recital 43 and the Article 29 Working Party's Opinion 2/2017 on data processing at work), so an employer will generally have to identify another legal basis, and monitoring of this intensity will typically call for a data protection impact assessment.

Another data type that will pose a significant problem in the Metaverse is data belonging to minors. Today, game companies make up most of the leading firms taking firm steps towards introducing major Metaverse products. Since minors form a large share of the population on these gaming platforms, detailed measures regarding explicit consent will be required. In most cases where a minor's data is processed, parental consent is sought; under Article 8 of the GDPR, for example, a child's consent to an information society service offered directly to the child is valid only from the age of 16 (Member States may lower this threshold to no less than 13), below which the consent of the holder of parental responsibility is needed. Recital 38 of the GDPR explicitly calls for special protection where children's data is used for purposes such as marketing or user profiling. Unlike what we see in today's online services and platforms, far more detailed age verification techniques should be used, and comprehensive measures taken to stop minors from sharing their data too easily.

VIII. Data Processor and Data Controller in the Metaverse Framework

A large amount of personal data will be collected throughout all activity in the Metaverse, beginning with login. Data protection regulations in different countries and regions impose different obligations on natural or legal persons depending on whether they determine the purposes and means of processing personal data or merely process data on someone else's behalf.

It is therefore necessary to determine who decides how and why personal data will be processed in the Metaverse and who will process personal data on behalf of others, but the nature of the Metaverse will make this distinction difficult to draw. The Metaverse will involve a mixed network of relationships, and clear and unambiguous answers may not be available when identifying data controllers and data processors.27

Several possibilities can be foreseen at this point:

  • There may be a single main administrator of the Metaverse who collects personal data and determines how and for what purpose it is processed and shared. This is a centralized Metaverse, and the main administrator of the platform is the data controller, while the service providers operating within it are data processors. Parties that process users' data while providing services such as analytics, account security, customer support or promotion will thus be data processors.
  • A second possibility is a decentralized Metaverse. More than one natural or legal person may collect personal data through the Metaverse, each determining its own purposes; in that case there may be joint controllership. Given the purpose and scope of a decentralized Metaverse, the possibility that all users of such a Metaverse are data controllers must also be considered, subject to the exemption for processing carried out in the course of a purely personal or household activity (GDPR Article 2(2)(c)). Since a decentralized Metaverse runs in parallel with blockchain technology, users and blockchain nodes may both be regarded as parties engaged in processing: users provide their personal data to the Metaverse, and the blockchain nodes act together to process the data the data subject has provided.
  • Another scenario in a decentralized Metaverse is that a natural or legal person who participates as a user becomes a data controller for the data it collects in marketing activities conducted in the Metaverse marketplace. In this respect, natural or legal persons who use a decentralized Metaverse platform as a means of providing a service or product will be regarded as data controllers.
  • MaaS (Metaverse as a Service): Metaverse as a Service lets natural or legal persons develop and strengthen their presence in the virtual world. It allows companies to profit from existing Metaverse infrastructure, much as SaaS (Software as a Service) does, rather than to build a rival to Metaverse owners such as Decentraland. For this reason, as with other cloud computing services, such service providers will typically be data processors; a provider that starts using the data for its own purposes would, however, become a controller for that processing (GDPR Article 28(10)).
  • Finally, to realize interoperability, one of the core features of the Metaverse, data collected by one business in the Metaverse will flow continuously between different businesses and even between platforms. As cross-platform data flows develop and digital assets and avatars are allowed to migrate between platforms, multilateral data transfer agreements between software developers and brands will come into play. How these processes can be managed in a Metaverse where data moves uncontrollably fast remains an open question, as does which country's regulations apply within a given Metaverse or between different Metaverses.

IX. Conclusion

The concepts of data controller and data processor are defined similarly in the PDPL and the GDPR. In general, the data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the data recording system, and the data processor is the natural or legal person who processes personal data on behalf of the controller under the authority the controller grants. As they stand, the definitions in the PDPL and GDPR are not sufficient to settle how these concepts map onto the Metaverse. Any assessment of controller and processor roles in the Metaverse under current law must therefore examine each Metaverse scenario separately: first the data controller should be identified on the basis of its activities and the relevant criteria, then the data processor should be determined and the parties' obligations clarified accordingly.

Where the Metaverse provider decides the purposes and means of processing, the provider will be the data controller and the service providers within the Metaverse will be data processors. Other parties that take a decisive part in determining the purposes and means of processing on the platform will be joint controllers together with the platform's main administrator.

Although we have discussed the scenarios that are foreseeable today, the decentralized infrastructure the Metaverse is expected to have makes it impossible to define the roles of data controller and data processor clearly. Since there is as yet no legal qualification or regulation of the Metaverse either domestically or internationally, it is unclear how these concepts will be positioned in it, and the applicability of the PDPL and GDPR rules in a virtual, decentralized universe remains quite uncertain.

In today's information society, both domestic and international legal regulation must keep pace with the era and its technology. Where the virtual world meets reality, as in the Metaverse, specific legal rules for these areas are essential to protecting natural persons' rights. Relevant areas should therefore be regulated with current, specific legal rules that keep up with technological developments.


BIBLIOGRAPHY

Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor", p. 7, (Online) https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf, 22 March 2022.

Çiğdem Ayözger Öngün, Kişisel Verilerin Korunması Hukuku: Elektronik Haberleşme Sektörüne İlişkin Özel Düzenlemeler Dahil, 2nd ed., Istanbul, Beta Yayıncılık, 2019.

Kişisel Verileri Koruma Kurumu, Veri Sorumlusu ve Veri İşleyen, (Online) https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/31d9c444-27a5-4a75-95b1-1ca9bdb81ea5.pdf, 22 March 2022.

René Mahieu, Joris van Hoboken, Hadi Asghari, "Responsibility for Data Protection in a Networked World: On the Question of the Controller, 'Effective and Complete Protection' and its Application to Data Access Rights in Europe", Journal of Intellectual Property, Information Technology and Electronic Commerce Law, Vol. 10, 2019, (Online) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3256743, 22 March 2022.

Eduardo Ustaran, European Data Protection Law and Practice, 2nd ed., Portsmouth, International Association of Privacy Professionals, 2019.

Cüneyt Pekmez, Kişisel Verilerin Korunması Kanunu Kapsamında Veri İşleyen ve Veri Sorumlusu Kavramı Üzerine Değerlendirme, Annales de la Faculté de Droit d'Istanbul, Issue: 67, 2018, (Online) https://doi.org/10.26650/annales.2018.67.0005, 22 March 2022.

Yordanka Ivanova, "Data Controller, Processor or a Joint Controller: Towards Reaching GDPR Compliance in the Data and Technology Driven World", in Tzanou, M. (ed.), Personal Data Protection and Legal Developments in the European Union, IGI Global, 2020, (Online) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3584207, 22 March 2022.

Gamze Turan Başara, Kişisel Veri İşleme Sözleşmesi, Uyuşmazlık Mahkemesi Dergisi, Issue: 16, 2020, (Online) https://dergipark.org.tr/en/download/article-file/1472674, 22 March 2022.

Recitals of the GDPR, 2016

Tekin Memiş, Veri Sorumlusu ve Veri İşleyen Arasındaki İlişkiler ve Sorumluluk Düzeni, Beykent Üniversitesi Hukuk Fakültesi Dergisi, Volume: 3, Issue: 6, 2017, (Online) https://docplayer.biz.tr/133422046-Veri-sorumlusu-ve-veri-isleyen-arasindaki-iliskiler-ve-sorumluluk-duzeni.html, 27 March 2022.

Brendan Van Alsenoy, Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation, Journal of Intellectual Property, Information Technology and E-Commerce Law, Vol. 7, Issue 3, 2016, (Online) https://www.jipitec.eu/issues/jipitec-7-3-2016/4506, 27 March 2022.

General Data Protection Regulation, Regulation (EU) 2016/679 (applicable from 25 May 2018).

Lik-Hang Lee, Tristan Braud, Pengyuan Zhou et al., All One Needs to Know About Metaverse: A Complete Survey on Technological Singularity, Virtual Ecosystem, and Research Agenda, arXiv preprint arXiv:2110.05352, 2021, (Online) https://arxiv.org/abs/2110.05352, 28 March 2022.

Roberto Di Pietro, Stefano Cresci, Metaverse: Security and Privacy Issues, The Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications, 2021, (Online) https://www.researchgate.net/publication/357116743_Metaverse_Security_and_Privacy_Issues, 28 March 2022.

Footnotes

1. René Mahieu, Joris van Hoboken, Hadi Asghari, "Responsibility for Data Protection in a Networked World: On the Question of the Controller, 'Effective and Complete Protection' and its Application to Data Access Rights in Europe", Journal of Intellectual Property, Information Technology and Electronic Commerce Law, Vol. 10, 2019, p. 42, (Online) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3256743, 22 March 2022.

2. Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor", p. 7, (Online) https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf, 22 March 2022.

3. Çiğdem Ayözger Öngün, Kişisel Verilerin Korunması Hukuku: Elektronik Haberleşme Sektörüne İlişkin Özel Düzenlemeler Dahil, 2nd ed., Istanbul, Beta Yayıncılık, 2019, p. 131.

4. Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor", p. 2, (Online) https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf, 22 March 2022.

5. Kişisel Verileri Koruma Kurumu, Veri Sorumlusu ve Veri İşleyen, p. 2, (Online) https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/31d9c444-27a5-4a75-95b1-1ca9bdb81ea5.pdf, 22 March 2022.

6. René Mahieu, Joris van Hoboken, Hadi Asghari, "Responsibility for Data Protection in a Networked World: On the Question of the Controller, 'Effective and Complete Protection' and its Application to Data Access Rights in Europe", Journal of Intellectual Property, Information Technology and Electronic Commerce Law, Vol. 10, 2019, p. 43, (Online) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3256743, 22 March 2022.

7. Cüneyt Pekmez, Kişisel Verilerin Korunması Kanunu Kapsamında Veri İşleyen ve Veri Sorumlusu Kavramı Üzerine Değerlendirme, Annales de la Faculté de Droit d'Istanbul, Issue: 67, 2018, p. 64, (Online) https://doi.org/10.26650/annales.2018.67.0005, 22 March 2022.

8. Yordanka Ivanova, "Data Controller, Processor or a Joint Controller: Towards Reaching GDPR Compliance in the Data and Technology Driven World", Personal Data Protection and Legal Developments in the European Union, Tzanou, M., IGI Global, 2020, p. 5, (Online) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3584207, 22 March 2022.

9. Yordanka Ivanova, "Data Controller, Processor or a Joint Controller: Towards Reaching GDPR Compliance in the Data and Technology Driven World", Personal Data Protection and Legal Developments in the European Union, p. 6, (Online) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3584207, 22 March 2022.

10. Cüneyt Pekmez, Kişisel Verilerin Korunması Kanunu Kapsamında Veri İşleyen ve Veri Sorumlusu Kavramı Üzerine Değerlendirme, Annales de la Faculté de Droit d'Istanbul, p. 64, (Online) https://doi.org/10.26650/annales.2018.67.0005, 22 March 2022.

11. Gamze Turan Başara, Kişisel Veri İşleme Sözleşmesi, Uyuşmazlık Mahkemesi Dergisi, Issue: 16, 2020, p. 66, (Online) https://dergipark.org.tr/en/download/article-file/1472674, 22 March 2022.

12. Eduardo Ustaran, European Data Protection Law and Practice, p. 194.

13. Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor," p. 28, (Online) https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf, 22 March 2022.

14. Eduardo Ustaran, European Data Protection Law and Practice, 2nd ed., Portsmouth, International Association of Privacy Professionals, 2019, p. 189.

15. Recitals of the GDPR 2016, Recital 75

16. Tekin Memiş, Veri Sorumlusu ve Veri İşleyen Arasındaki İlişkiler ve Sorumluluk Düzeni, Beykent Üniversitesi Hukuk Fakültesi Dergisi, Volume: 3, Issue: 6, 2017, p. 13, (Online) https://docplayer.biz.tr/133422046-Veri-sorumlusu-ve-veri-isleyen-arasindaki-iliskiler-ve-sorumluluk-duzeni.html, 27 March 2022.

17. Brendan Van Alsenoy, Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation, Journal of Intellectual Property, Information Technology and E-Commerce Law, Vol. 7, Issue 3, 2016, p. 12, (Online) https://www.jipitec.eu/issues/jipitec-7-3-2016/4506, 27 March 2022.

18. René Mahieu, Joris van Hoboken, Hadi Asghari, "Responsibility for Data Protection in a Networked World: On the Question of the Controller, 'Effective and Complete Protection' and its Application to Data Access Rights in Europe", Journal of Intellectual Property, Information Technology and Electronic Commerce Law, Vol. 10, 2019, p. 43, (Online) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3256743, 22 March 2022.

19. Brendan Van Alsenoy, Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation, Journal of Intellectual Property, Information Technology and E-Commerce Law, Vol. 7, Issue 3, 2016, p. 13, (Online) https://www.jipitec.eu/issues/jipitec-7-3-2016/4506, 27 March 2022.

20. Tekin Memiş, Veri Sorumlusu ve Veri İşleyen Arasındaki İlişkiler ve Sorumluluk Düzeni, Beykent Üniversitesi Hukuk Fakültesi Dergisi, Volume: 3, Issue: 6, 2017, p. 16, (Online) https://docplayer.biz.tr/133422046-Veri-sorumlusu-ve-veri-isleyen-arasindaki-iliskiler-ve-sorumluluk-duzeni.html, 27 March 2022.

21. Kişisel Verileri Koruma Kurumu, Veri Sorumlusu ve Veri İşleyen, (Online) https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/31d9c444-27a5-4a75-95b1-1ca9bdb81ea5.pdf, 22 March 2022.

22. Eduardo Ustaran, European Data Protection Law and Practice, p. 528.

23. Eduardo Ustaran, European Data Protection Law and Practice, p. 365.

24. Eduardo Ustaran, European Data Protection Law and Practice, p. 367.

25. Eduardo Ustaran, European Data Protection Law and Practice, p. 369.

26. Lik-Hang Lee, Tristan Braud, Pengyuan Zhou et al., All One Needs to Know About Metaverse: A Complete Survey on Technological Singularity, Virtual Ecosystem, and Research Agenda, arXiv preprint arXiv:2110.05352, 2021, p. 5, (Online) https://arxiv.org/abs/2110.05352, 28 March 2022.

27. Roberto Di Pietro, Stefano Cresci, Metaverse: Security and Privacy Issues, The Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications, 2021, p. 5, (Online) https://www.researchgate.net/publication/357116743_Metaverse_Security_and_Privacy_Issues, 28 March 2022.
