VR: Not all legal plain sailing ahead
Harbottle & Lewis explores the potential product liability and data protection issues that might emerge with the rise of virtual reality
The games industry has so far been at the forefront of the virtual reality surge. Following on from the release of the Oculus Rift and HTC Vive earlier this year, next month PlayStation VR hits the shelves with the potential to bring VR gaming to the masses - despite its pretty hefty price tag.
With the introduction of game-specific peripherals and then later the Wii, Kinect and PlayStation Move, gaming moved from being a sedentary activity to one which often requires physical exertion. This raised a number of legal issues that the industry hadn't faced before, and VR will add another layer, combining physical exertion with an immersive experience in a separate reality. One factor challenging the widespread adoption of VR is the health and safety risk often associated with use of VR headsets. Motion sickness, nausea blackouts, behavioural changes and eyestrain are most commonly cited, but real-world falls, trips and bumps are not to be ignored.
Who is responsible for physical injury and discomfort caused by a VR experience? The most challenging question in relation to liability in the VR context is what or who caused the injury or accident; the hardware or the application? Terms and conditions between the platform provider and the application developer will inevitably have a big part to play in determining who bears the liability. For example, Oculus' consumer-facing terms attempt to disclaim all liability for "third party content" made available through the Oculus platform, pushing risk on to the developers of Oculus-supported games and applications. The Oculus terms also ask consumers to accept that use of Oculus Rift is "at their sole risk" (i.e. if something goes wrong when using the hardware, it's not the fault of Oculus).
Under English law, it is not possible for a company to restrict liability for death or personal injury caused by their negligence. If hardware is designed or manufactured negligently (e.g. the head strap is made out of material likely to break upon swift, but expected, movement) then, if an injury is caused as a result, the terms and conditions will not protect the manufacturer. Similarly, if a developer designs a virtual world negligently or without appropriately signposting risks and warnings, they may be unable to escape liability for injury caused as a result. An example might include negligently rushing a game out that has not been properly optimised for VR and therefore is likely to cause motion sickness when played.
VR stakeholders in the UK won't be able to disclaim liability by pointing users to notices that use of the headsets and applications are, "at their sole risk." Health and safety must be an important element of any VR design brief, as the success of any hardware or application will be affected by consumer trust in the safety of the product. Older readers may remember Nintendo's Virtual Boy, which was released back in 1995. It wasn't a commercial success, which might be partly attributed to the headaches and eye strains that were commonly associated with prolonged use of the product.
"VR provides the opportunity for developers, platform providers and manufacturers to gather significant amounts of very rich data about their users"
Sony seems to be on the right track with PlayStation VR. A safety notice for the hardware that was released in a recent PS4 system update file stated that users should "review surroundings and clear obstacles before use" and immediately stop using if any motion sickness or nausea is experienced. The notice also states that the hardware should not be used by children under the age of 12, perhaps reflecting a view that younger children are more likely to injure themselves or suffer adverse effects from use of the equipment.
Moving on from product liability, data protection compliance is also a key concern for VR stakeholders. VR provides the opportunity for developers, platform providers and hardware manufacturers to gather significant amounts of very rich data about their users. Where a user registers their details to an account in order to enter a virtual world, personal information is collected. Further information may be collected about that individual's interaction with their virtual world (such as for example their location, user engagement, transactions and preferences). Information relating to living, identifiable individuals is "personal data," and the collection, storage and use of personal data ("processing") is governed by data protection laws.
We currently have settled regimes in place throughout the EU to regulate the processing of personal data, but it's worth noting that the forthcoming General Data Protection Regulation (GDPR), due to come into force in May 2018, is set to shake up and harmonise data protection laws across the EU. Following the Brexit vote it isn't clear what the future holds for the UK's data protection laws but, in our view, it is likely that the GDPR (or something similar) will be adopted in the UK. Of course, the GDPR will still come into force in full in the remaining EU countries.
The changes proposed by the GDPR are significant and will likely impact all those processing personal data in any way. Fines for non-compliance have been significantly increased. The UK's data protection regulator currently has the authority to issue fines of up to £500,000 for serious breaches of our current data protection laws; maximum fines under the GDPR are the greater of €20,000,000 or 4% of worldwide turnover. Other key changes under the GDPR of particular relevance to VR include:
"The legal landscape for VR is uncertain. There are, however, some real-world issues out there. Don't get caught out; reality bites"
- Getting consent: The GDPR strengthens the requirements for businesses seeking to rely on an individual's consent as their legitimate reason for processing the personal data. GDPR consent must be freely given, specific, informed and must be an unambiguous indication of wishes by "clear affirmative action." In a VR context, presenting the user with the necessary information and signposting this requisite consent will be challenging, particularly as part of the attraction of VR is to escape into an alternate reality (where things like privacy policies and "tick here for consent" boxes don't usually appear). Unfortunately for VR stakeholders, consent language cannot be buried in lengthy terms or privacy policies but must, as with safety warnings, be built into the user experience.
- Keeping records: VR businesses will also be required to maintain detailed records of their personal data collection and processing, including the categories of information collected, the purposes for which it is collected, third parties to whom the data are disclosed, and so on. This will be an onerous task for any business but especially so for those collecting large amounts of personal data such as VR platforms and application providers.
- Data protection by design: VR stakeholders engaging with personal data will be required to adopt a 'data protection by design' and 'by default' approach to product development.
Much like VR's prospects for commercial success, the legal landscape for VR is uncertain. There are, however, some real-world issues out there. Don't get caught out; reality bites.
Daniel Tozer and Donald Mee are specialists in technology, media and entertainment at London law firm Harbottle & Lewis.