VR/AR Data Collection Exceeds GDPR Safeguards

Report warns immersive tech collects intimate data beyond current regulations. Neurodata and behavioral tracking pose democracy risks.

Immersive Technologies Bring Data Collection Closer to the Skin Than Ever Before

A groundbreaking analysis by the Rathenau Institute, with legal analysis by our CEO Joost Gerritsen, reveals that augmented and virtual reality technologies pose unprecedented privacy and data protection challenges that current EU digital law frameworks are ill-equipped to handle. The “Immersive Technologies” report, commissioned by the Dutch Ministry of the Interior and Kingdom Relations, provides essential insights for privacy professionals, supervisory authorities, and compliance consultants preparing for the next wave of digital transformation.

While a consumer breakthrough for AR/VR remains uncertain, these technologies are already being deployed across healthcare, education, entertainment, and industry. The report warns that immersive technologies literally come “closer to the skin and to the senses” than smartphones or computers ever could, creating a new category of regulatory challenges that demand immediate attention from data protection professionals.

Beyond Traditional Data: The New Frontier of Intimate Information

Immersive technologies blur the boundary between virtual and physical worlds through two primary mechanisms:

  • Augmented Reality (AR): Overlays virtual elements onto the physical world, collecting data about the user's environment and behaviour
  • Virtual Reality (VR): Creates fully virtual environments while tracking minute physical responses and movements

What makes these technologies particularly concerning from a GDPR compliance perspective is their capacity to collect entirely new categories of data. Beyond traditional personal information, XR devices can capture pupillary reflexes, micro-movements, emotional responses, and potentially even neural activity—data so intimate that it reveals unconscious responses and internal states users may not even be aware of themselves.

Current Applications Reveal Future Risks

The report identifies seven domains where immersive technologies are already being deployed experimentally:

  • Healthcare: Therapeutic applications with demonstrable benefits but raising questions about medical data protection
  • Training and Education: Immersive learning environments collecting detailed behavioural and performance data
  • Entertainment: Gaming and social platforms gathering unprecedented user engagement metrics
  • Infrastructure: AR applications for navigation and city planning accessing location and movement patterns
  • Industry: Manufacturing and design applications tracking worker movements and efficiency
  • Office environments: Virtual workspaces monitoring productivity and collaboration patterns
  • Art and culture: Creative applications exploring new forms of expression and audience interaction

Each application domain presents unique challenges for regulatory compliance and raises fundamental questions about consent, purpose limitation, and data minimisation principles central to European data protection law.

Public Values Under Threat

The research identifies critical risks to public values when immersive technologies combine with large-scale data collection:

Privacy and Self-Determination
The intimate nature of collected data—from emotional responses to unconscious behaviours—fundamentally challenges traditional privacy concepts. Users cannot meaningfully consent to data collection when they don’t fully understand what’s being collected or how it might be used.

Democracy and Security
The report warns that behavioural and physical data collected through XR could enable unprecedented manipulation and influence. This extends beyond commercial targeting to potential political manipulation and foreign interference, echoing concerns from previous reports on online tracking and generative AI.

Inclusivity and Non-Discrimination
The high cost of XR devices and varying physical abilities to use them risk creating new digital divides. Moreover, algorithms trained on intimate behavioural data could perpetuate or amplify discriminatory patterns in ways that are difficult to detect or challenge.

Regulatory Gaps in Current EU Digital Frameworks

While the GDPR, AI Act, and Digital Services Act provide some protection, the report identifies significant gaps:

  • Purpose shifting risks: Information collected for one purpose can be repurposed against user interests, despite GDPR’s purpose limitation principle
  • Consent inadequacy: Users cannot meaningfully consent to collection of data they don’t understand, particularly neurodata and unconscious responses
  • Sensitive data derivation: While XR providers may collect “regular” physical data with consent, they can derive extremely sensitive information from it
  • Neurodata protection uncertainty: Current frameworks don’t adequately address brain-computer interfaces and neural monitoring capabilities

The report notes that while European initiatives like the Creative Industries Immersive Impact Coalition and the European Initiative on Virtual Worlds promote XR development, they may inadvertently increase risks by accelerating adoption before adequate safeguards exist.

Industry Standards and Self-Regulation Challenges

The report examines how the XR Association and other industry bodies are attempting to address privacy concerns through self-regulatory measures. However, voluntary standards often prove insufficient when dealing with technologies that can collect such intimate data. The European approach emphasises that fundamental rights protection cannot rely solely on industry goodwill.

Current industry initiatives focus primarily on technical interoperability and market development, with privacy and fundamental rights considerations receiving secondary attention. This imbalance reflects the broader challenge of regulating emerging technologies where innovation incentives often outweigh protection considerations.

Fundamental Policy Choices Ahead

The Rathenau Institute presents policymakers with critical decisions about immersive technologies’ role in society:

  1. Application boundaries: Where should immersive technologies be promoted (e.g., therapeutic applications) versus prohibited (e.g., large-scale deployment in schools)?
  2. Data collection limits: Should certain data types like neurodata and pupillary reflexes be completely off-limits due to abuse potential?
  3. XR-free zones: Should certain public spaces and domains remain free from immersive technology to preserve human autonomy?
  4. Hyper-personalisation limits: To what extent should society accept ever-more-intimate personalisation in public spaces?

The report emphasises that because immersive technologies haven’t yet achieved mass adoption, policymakers have a unique opportunity to shape their development based on public values rather than retrofitting regulations after problems emerge.

International Perspectives and Best Practices

The report draws insights from international approaches to immersive technology regulation. Countries like South Korea have implemented specific protections for VR data, while California has introduced legislation addressing XR privacy concerns. These examples demonstrate that proactive regulation is possible and necessary.

European policymakers can learn from these early regulatory experiments while building on the continent’s strong tradition of fundamental rights protection. The challenge lies in creating frameworks that enable beneficial XR applications while preventing the most problematic uses.

Implications for Privacy and Compliance Professionals

For supervisory authorities and data protection professionals, immersive technologies represent a paradigm shift in privacy challenges. Traditional approaches to data protection impact assessments may prove inadequate when dealing with technologies that can infer thoughts and emotions from physical responses.

The report highlights that once intimate XR data exists, preventing misuse becomes nearly impossible. This “inherent risk” means that some applications may be fundamentally incompatible with European values of human dignity and autonomy, regardless of safeguards implemented.

Law firms advising on XR implementations must grapple with unprecedented questions: How can organisations obtain valid consent for data collection users don’t understand? What constitutes appropriate security for neurodata? How can purpose limitation be enforced when data reveals far more than originally intended?

Building Responsible XR Governance

The report concludes with recommendations for building responsible governance frameworks for immersive technologies:

  • Multi-stakeholder engagement: Include civil society, academics, and affected communities in XR policy development
  • Precautionary approaches: Err on the side of protection when dealing with such intimate data collection
  • Continuous assessment: Regularly review XR applications as the technology evolves
  • Public awareness: Ensure citizens understand what XR data collection involves

Navigate the Complex Regulatory Future of Immersive Technologies

As this report demonstrates, immersive technologies are creating entirely new categories of regulatory challenges that existing frameworks struggle to address. For supervisory authorities developing enforcement strategies, law firms advising on XR compliance, and businesses exploring immersive applications, understanding the evolving regulatory landscape is crucial.

At Digibeetle, our expert-curated platform helps you track how authorities across Europe are approaching these emerging technologies. Search our cross-referenced database for specific technologies like AR, VR, neurodata, or behavioural tracking to instantly access relevant supervisory opinions, enforcement actions, and emerging regulatory interpretations. Our daily updates ensure you stay ahead of rapid developments in how GDPR, the AI Act, and other frameworks apply to immersive technologies.

Whether you need to understand how data protection authorities view XR consent mechanisms, track enforcement patterns for behavioural data collection, or prepare for upcoming regulatory changes, Digibeetle transforms complex regulatory intelligence into actionable insights. Start your 30-day free trial to explore how we help professionals master the intersection of immersive technology and regulation, or book a consultation to discuss your specific compliance needs in the XR space.
