August 11, 2022 | Jon Hautamäki

Blockchain & Cryptos


July went by fast, and it’s time to take a look at our next Crypto Phenomenon!

As a part of our 8-part series covering different crypto phenomena, we wanted to discuss one of the most brand new trends in cryptocurrencies – the metaverse. In this article we will go through the basics of the metaverse phenomenon, what possibilities it offers and what legal hurdles it presents.

Simply put, the metaverse is a 3D virtual world in which people can interact with each other via the internet. The contents and functionalities of metaverse can vary depending on the (metaverse) provider – some can offer virtual real estatea sandbox-style building world or a social metaverse. As the metaverse is a somewhat new concept, it raises several legal questions that this article shall assess.

Metaverse and NFTs

This article will not discuss non-fungible tokens (NFTs) per se. If you would like to know more about NFTs, check out our previous article here.

Transactions in the metaverse are usually done with cryptocurrencies or NFTs (for clarity, an NFT can be classified as a virtual currency if it meets the requirements set for virtual currencies; inversely, if the requirements are not met, the NFT is not a virtual currency).

Metaverse is a web where users can interact through avatars and utilize NFTs or cryptocurrencies to purchase e.g. virtual real estate, new apparel, avatar properties or other possible visual goods.

From a copyright perspective, it is important to let the buyer know what rights they actually receive when they buy an NFT in the metaverse and what restrictions apply. Metaverse projects can limit these rights contractually, whereby it can be agreed upon that the buyer of virtual real estate can receive only a license to the real estate located in the metaverse, and the actual IPRs (intellectual property right) inside the metaverse still belong to the issuer/project owners.

Metaverse and Data Protection

Data protection can create its own hurdles to metaverse projects and their regulatory compliance. The general data protection principles, such as data minimisation and purpose limitation set out in  Article 5 of the General Data Protection Regulation (GDPR) could be difficult to comply with in the virtual metaverse environment. The metaverse can bear new categories of personal data, such as the facial expressions of avatars’ faces, body movements and other reactions. The surroundings or behaviour of a user inside the metaverse could, in theory, reveal some sensitive personal data (e.g. political standing, religious beliefs, sexual behaviour or orientation) about them as per GDPR article 9, which would make compliance even more complicated.

Another problem could be the transfer of data outside the European Union. How are the borders between countries defined, who are controllers, processors or data subjects and who are responsible for data breaches?

Metaverse and user interaction

One of the central legal challenges is the regulation of user interaction and related rights of users, especially from the perspective of criminal law and damages. How could legislation be utilized to interfere with assault, sexual harassment, theft or fraud between users? From these examples, only fraud might be punishable under current regulation, even if fraud is committed in a virtual world through avatars. The first two titles are bound by their wording, which require physical violence or unsolicited sexual touching.  It is noteworthy to mention that a legislative renewal project concerning, among other things, sexual harassment, is currently in motion and the new law is set to come into force in January 1st 2023, after which also other than physical acts could be seen as sexual harassment. The renewal project would clarify the interpretation of such acts in the metaverse as well.

The legality principle in criminal law forces courts to interpret the wording of the law narrowly and forbids them to extend criminal liability using analogue interpretation. In order to extend criminal liability for the aforementioned acts committed in the metaverse, the law would need to be updated to cover the metaverse, or avatars would need to be granted some form of personhood.

As to theft, stealing another person’s virtual property could not be prosecuted since the subject matter of the offense concerns, by its wording, the theft of movable property, not intangible property. From all the current criminal acts, fraud might be the most easy to prosecute since the subject matter of the offence does not require a connection to movable/physical property, and a person could get significant financial gains from virtual assets by committing fraud.


Metaverse can be understood as a 3D virtual world that has similarities with the so-called real world, where people can interact with each other and exchange virtual assets and utilize the metaverse for business, for example holding meetings in a virtual reality environment.

The metaverse in itself is currently a non-regulated phenomenon, and the legal questions surrounding it are still open. Questions regarding the metaverse, cryptocurrencies and NFT tokens are subject to interpretation, and current legislation does not provide a clear framework to answer these questions. Due to non-regulation, all metaverse projects must be vigilant about the possible obligations that might apply to them. Does the project have to register as a virtual currency provider? What data protection obligations apply? What should the project consider when drafting contracts?

If you need a sparring partner in your crypto, NFT or metaverse project, do not hesitate to contact us.

Our Associate Trainee Patrik Anthoni took part in writing this article.

11.08.2022 JON

Nordic LawPioneer in Web3 and Fintech law