Protection of biometric and inferred data in immersive virtual environments: A systematic review of GDPR limitations


Diego Melitón Coasaca Rosales
Yuri Tantalean Chavez

Abstract

The rapid development of immersive virtual environments has intensified the collection of biometric data and the generation of inferred information, creating new risks to privacy and the protection of fundamental rights that challenge traditional regulatory frameworks. In this context, this article aimed to analyze the limitations of current regulatory frameworks, particularly the GDPR, for the protection of biometric and inferred data in metaverse and extended reality scenarios. To this end, a systematic review was conducted following the PRISMA guidelines, using a structured search in Scopus for studies published between 2018 and 2025, applying predefined inclusion and exclusion criteria. The results revealed structural shortcomings in current regulations, particularly regarding the lack of specific provisions on inferred data, the inadequacy of informed consent in continuous capture environments, and jurisdictional fragmentation that limits the effective application of cross-border safeguards. Furthermore, it was identified that immersive technologies enable body surveillance and algorithmic profiling practices that exceed the operational scope of the GDPR. It was concluded that it is necessary to move towards adaptive regulatory frameworks that integrate algorithmic impact assessments and multi-level governance models to ensure effective protection of personal data in the emerging immersive ecosystem.


Article Details

How to Cite
Coasaca Rosales, D. M., & Tantalean Chavez, Y. (2026). Protection of biometric and inferred data in immersive virtual environments: A systematic review of GDPR limitations. Aula Virtual, 7(14), 673-691. https://doi.org/10.5281/zenodo.19426955
Section
Articles
