Commercial augmented reality (“AR”) and virtual reality (“VR”) are not everyday solutions yet, but almost everyone has at least heard of Pokémon GO, the AR game that made the imaginary monsters viral for the second time since the ‘90s and reached over 50 million active monthly users in less than a year.
As the term itself implies, AR is a technology to augment reality. It creates a composite view, where a computer-generated image is superimposed on a user’s view of the real world. The most common way to deploy AR is to use the camera of a mobile device and add content on the view seen through the mobile device’s screen. While AR technology builds on the reality surrounding us, VR is to build completely new environments. It creates a computer-generated simulation of a three-dimensional environment that is an entirely artificial experience. Users can interact with or on the created environment by using special equipment, such as VR glasses, gloves fitted with sensors and/or other controls.
There are currently no AR or VR specific laws, but both the solutions and interactions of users thereon are subject to existing laws. As the laws have traditionally not been designed to be applied in an environment where reality and computer-generated simulation meet, one should therefore pay attention to the unique legal issues that may arise in the context of AR and VR. As AR and VR are software-based solutions purposed for the use of individuals, especial attention should be paid to intellectual property and data protection issues.
To secure one’s own intellectual property rights (“IPR”) and to avoid infringing the same of third parties, it is recommended to take at least the following themes into consideration.
Protecting the AR or VR solution itself. The software running behind is – in most jurisdictions – protected by copyright, gadgets may be protected in part or completely as technical solutions by patent, and their externals may be protected as designs. It is also important to investigate whether the planned brand name and other signs are available. The IPR strategy should be considered on an early stage to secure the key assets that quite often in technology business are intangible, and also to create a strong brand with desired associations. An AR/VR company should for example make sure, that in the agreements with employees, suppliers and consultants used in product, service and brand development the respective rights are vested in and transferred to the company appropriately and, preferably, exclusively and free from encumbrances. As another example, it should be evaluated if some words, slogans, figurative signs, shapes, colours, patterns, sounds or other signs to distinguish the product or service should be registered as trademarks in order to have tools to protect the company’s reputation from parties trying to benefit from it.
Including intellectual property of the real world into the virtual world. As a basic rule, one may not commercially use another’s intellectual property without proper authorisation. It is rather clear that one may not use for example registered trademarks as part of the AR or VR simulation without authorisation. However, importing content protected by third party IPR from the real environment to the AR solution raises tricky questions, especially as the captured view of the real world is usually decided by the user at his/her sole discretion. For example, if someone depicts the golden arches of McDonald’s or a movie shown on television as part of their screen view, could the right holder successfully claim that the respective AR solution commercially exploits content, and if yes, who shall be liable for the IPR infringements. Currently no one size-fits-all solution exists, but such scenarios should be taken into account in the design of technical solutions as well as by (user) agreements.
Applying virtual intellectual property to the real world. If intellectual property, especially data included to and accumulated in the AR or VR solutions are applicable to the real life objects, owners of these real life objects might want to claim rights to such, especially if they don’t yet have access to the same data. For example, if an application provides information for example on buildings, event venues or tourist attractions shown on screen (as real life objects or simulated versions), who owns the rights to the information that is virtually overlaid onto a real physical object? It is also a question of where the content is generated from; the answer depends if the data has been publicly available, licensed or provided by the user or developer community or obtained otherwise. Owners of real life objects might want to own those rights, but the ownership of information about any objects is not bound to the ownership of the object. However, this does not mean that the applications could process any data that they are provided with or is available. For example, occupant data of a building is subject to data protection and privacy laws, and certain company information may be trade secrets. In addition, the liability for distributing false information should be taken into account too.
User generated content. It is rather common that the users are not passive visitors of an AR or VR environment, but contribute to their virtual experiences, for example by adding text, photographs, video, music and other content that often is protected by IPR. The providers of the products and services should take into account how to regulate such content and, if any infringements of the third party occur, the liability between the respective provider and the user. It should be noted that the risk of IPR infringement is remarkable, since the content or possibly required permissions are usually not revised in any manner, but added directly to the platform in real time by the user, who usually do not even think about IPR but on the contrary like to imitate or copy popular content and viral phenomena. Many of the adverse effects may be mitigated most efficiently by contractual means.
Jurisdictional problems. AR and VR solutions may be used globally, as mobile phones and other gadgets are quite easy to travel with, but the laws related to intellectual property are rather local and differ from one to another, which may cause collisions of interests and hindrance to the enforcement of one’s rights. Something that is protected in Europe can be free game in Asia and even registered as property of a third party, if the IPR matters are not considered well in advance.
Both AR and VR solutions require processing of significant amount of personal data, including for example user’s identity information, appearance, physical movement, location, actions, communications, other behaviour and relationships, and so on. Businesses deploying AR or VR should therefore consider the steps that they must take to ensure compliance with data protection law. However, data protection and privacy legislation vary globally, and cause similar headache to AR and VR solution providers as the IPR.
Companies operating in Europe or processing personal data of individuals residing in Europe must, of course, comply with the General Data Protection Regulation (EU) 2016/679 that sets several formal and principled requirements. The AR and VR solutions should for example implement privacy-by-design and privacy-by-default principles, which require data protection aspects to be built as an inherent part of product and service development processes. If the processing might result a high risk, it is obligatory to conduct a data protection impact assessment (check out our earlier post on national data protection impact assessment requirements in Finland and Sweden). The GDPR includes several rights that the data subject may request from the controller, such as right to access (data), right to rectification, right to erasure (‘right to be forgotten’), right to object processing and so on. In addition, execution of these rights should be taken into account from technical and organisational perspective.
The controller (in most cases the party providing the solution to the users) is obligated to inform the individuals concerned of the existence of the processing of their personal data and of its content. This should be easily done in case of the users that may be informed on their personal data processing for example by providing privacy notices and cookies policies when registering, but how about for example the people who are captured as part of the AR view? In some cases the exemptions from the informing obligation may apply (e.g. when provision of such information proves impossible), but this should be evaluated on case-by-case.
In addition, each controller and processor (the party involved in the processing on behalf of the controller) shall maintain a written record of processing activities under its responsibility, covering all processing types and containing minimum content as set forth in the GDPR. They should also enter into a data processing agreement in accordance with the GDPR. For example, when a VR game is provided via cloud platform service, the game provider and the cloud service provider should have such data processing agreement established. The minimum content of the agreement is laid down in the GDPR, but it leaves room for consideration of the parties and there has been a lively debate going on concerning how and to which extent it is allowed to stretch the provisions of the regulation.
Associate at Hannes Snellman
Partner at Hannes Snellman