During our meetup on October 31st, 2022, we explored the legal and ethical obligations of implementing XR in education. Marco Correa and Joanna van der Merwe of the Data Responsibility team at the Centre for Innovation presented various data protection and intellectual property laws, covering how to take a holistic approach to data responsibility.
XR holds great potential for transforming education, offering novel and effective learning experiences, and is increasingly adopted by higher education institutions. However, overlapping legal frameworks apply when implementing XR, particularly data protection and intellectual property laws. Beyond legal obligations, ethical considerations are paramount.
Data and Intellectual Property
In the realm of XR, data is user-provided, ranging from account details to biometric data. Account details can include an email address or social media account provided when using an application or setting up a device. These devices collect biometric data — personal data based on the technical processing of physiological, biological, and behavioral characteristics allowing the identification of a person. Biometric data includes not merely facial images and fingerprints for purposes of recognition. It extends to the accurate measurement of brainwaves, pulse rates, skin temperature, and eyeball movement when, for example, performing a particular cognitive task. Then there is the inferred information from aggregated data — the profiles built based on the abovementioned data.
Intellectual property encompasses inventions, designs, and literary and artistic works. Laws pertaining to intellectual property are mainly comprised of patents, trademarks, and copyright. Most common in education are literary, artistic, musical, and other educational works, which fall under the scope of copyright law. It can also apply to databases; how a database is built determines whether it can meet the criteria. There are ongoing discussions (and speculations) about how copyright (and intellectual property laws, more generally) apply to XR technologies.
Legal Obligations First, Then Ethical
As the Centre for Innovation is based in Europe, meeting legal obligations involves looking at the General Data Protection Regulation and, in many cases, other legal frameworks. For example, the conflict between the EU and US data protection laws means having to work with issues of transferring and processing data from Europe to the US. Similarly, concerning intellectual property laws, using third-party content that is copyright protected has different requirements for educational institutions in Europe and the US. These are issues that must be addressed when working with an international educational institution or online platforms based in different countries, as the Centre of Innovation often does.
The AR project seen in the image above uses copyright-protected characters. In this case, unauthorized use would be an infringement. Determining whether third-party content is protected under intellectual property laws is a part of developing any such XR project. It may be the case that a legal exception applies, allowing unauthorized use. Obtaining authorization entails identifying, contacting, and negotiating with the rights holder. XR software, products, and applications commonly have an open-source license or one of the Creative Commons licenses, which may dictate that if any modifications are made, that too must be published under the same license. In other words, it must stay open source.
When working with data protection and intellectual property, the Data Responsibility team always starts with legal obligations. As such, the first objective is to determine what laws apply and how to integrate them into a project. Working with the immense amount of (quite sensitive) data produced and collected in XR often entails delving into gray areas of the law, mainly due to the law tending to be behind on the developments of technology. After meeting the legal obligations, the goal is to go beyond by moving forward with what has yet to be clearly defined in those gray areas.
A Holistic Approach to Data Responsibility
To aid the Centre for Innovation in going beyond mere legal obligations by determining whether the collection and use of data and the implementation of a project are inherently ethical, Joanna van der Merwe developed the Holistic Data Responsibility Framework.
Each XR project is first evaluated based on its proposition. A project is initiated if it is deemed feasible in terms of meeting legal and ethical obligations. The analysis begins by examining the different elements identified in the framework: technology, legal, governance, process, people, and network. The question guiding the analysis is how to utilize each element to protect data.
Examining the technology element of a project involves determining whether it is possible to provide adequate cybersecurity. For some projects, a proper infrastructure to store the necessary data must be in place, for example. A legal examination involves determining what laws apply and what legal mechanisms to put in place to provide the highest level of data protection. It may, for example, be necessary to do a Data Protection Impact Assessment. Examining the governance element — the decision-making processes within a particular project — involves asking who has the right to approve changes or what policies are in place regarding document storage processes or external communications.
Examining the process element includes both formal and informal processes, from how people work on a project to how a system or device is used. Supposing some failure occurs in a system or device, the project must be set up to enable people to react appropriately and responsibly by taking steps that are as ethical and secure as possible. Examining the people element entails determining the knowledge and skills required for those involved to be responsible within a project. That includes people running the project and the data subjects, which in the case of XR, are the people using the devices. Specifically for data subjects, the question is what level of knowledge is required to understand (and voice opinions or make decisions concerning) what and how data is collected about them. The network element has to do with sharing lessons learned in and across sectors to facilitate the emergence and transfer of expertise.
After examining each of these elements and having established that it is possible to provide the proper level of data protection, the project may move forward. By applying this framework, taking a holistic approach to data responsibility is integral to any XR project run by the Centre for Innovation team.