Augmented reality – Convenient technology or potential privacy risk?


Augmented reality (AR) has seen spectacular growth over the past few years. The use of AR applications, however, implies the collection of many different types of data, giving rise to various potential issues in terms of privacy assurance and the protection of personal data related to users as well as non-users of the technology. In this blog, we will look at how AR works and what sort of privacy risks may be involved.

What is augmented reality?

Augmented reality (AR) has seen a spectacular pace of development over the past few years. AR expands or ‘enhances’ the real world by digitally adding visual or auditive elements to the user’s direct environment. Conceptually, AR is a broad term for multiple technologies allowing us to experience our surroundings with an added layer of virtual reality. Deployment of the technology can be based on the use of familiar devices like smartphones running photo filters on Snapchat or Instagram, or dedicated wearables, like special AR goggles. One of the prime examples of AR from the recent past is the immensely popular Pokémon Go game.

Making advanced AR technology work, requires creating a 3D model of the real world, making it possible for the system to superimpose overlay-objects on the physical background layer in a convincing way. For a Pokémon character to realistically appear on your tabletop for instance, the AR system has to ‘know’ the dimensions and depth of the table. Just as for photo filters on Snapchat and Instagram to be effective, the application will first have to produce a detailed scan of your face in order to have a canvas to apply the filter to.

Although the majority of current applications may appear to be of a trivial nature, the technology is also proving its worth in more serious areas of endeavour, being used by the U.S. military, for instance, for enhanced realism in soldiers’ training missions and by Chinese law enforcement to help in identifying suspects. There are also numerous experiments in the field of medicine, with AR projections of 3D brain scans serving to support surgery. Year by year, the global market for AR hardware, software and services continues to grow. At the same time, this fast-paced development raises questions as to the associated potential privacy and security issues.

User’s personal data

Using AR applications inevitably implies the collection of personal data, such as information on the user’s location and environment. AR applications also, and to a significantly large extent, collect data on the user’s identity and his or her activities on social media networks and other technological platforms. This means that users of AR applications run relatively serious privacy risks. The large amounts of data being collected allow for the creation of a highly detailed picture of the user’s personal life and private sphere, along with meticulous mapping of their movements. Using AR applications, in other words, implicitly entails the collection of large amounts of privacy-sensitive information related to the user.

Third parties’ personal data

AR applications screen the user’s physical environment, capturing data for further processing. Commonly, these data include personal characteristics of persons – third parties – who happen to be at the same general location at the same point in time. This means that these third parties are now running the risk of their privacy being violated. Multiple incidents have been reported of bystanders physically attacking wearers of AR smartglasses for reasons of perceived threats, on the part of these bystanders, to their privacy.

Privacy issues

In this context, it is essential to consider what is actually being done with the collected data. Are they locally stored and processed on the device being used or are they sent to the cloud? In the latter case, is the information being encrypted? Will the data be shared with third parties, possibly for the purpose of targeted advertising? Are there options for the users to exercise their right to the protection of personal data? Is it transparent to the users how their data are handled or processed? Do users have the opportunity to grant or withhold valid consent?

Privacy protection

These are questions which are important for AR developers and users alike to keep in mind. There is always the possibility, similar to what we have seen with other major technological developments, that the further evolution of AR will open the door to new options for the protection of the users’ right to privacy.

At the very least, it needs to be transparent to users about what will be done with their data. In other words, AR applications will have to inform users on the processing of their personal data. They will have to ensure that personal data are being effectively protected and treated confidentially in terms of ‘prevention or minimisation of unauthorised access or publication’. This is where security measures come into play, such as data encryption and identification- or authorisation-based limitation of access.

Users have to be sufficiently informed on the data being collected and the parties these data are to be shared with. And this has to be done from the realisation that certain data may be significantly sensitive and, as a result, subject to special measures of protection. What is currently most important is that in the development of AR applications, as much thought as possible is given to the limitation of data collection to what is strictly necessary.


In this blog, we have looked at AR technology and the associated potential privacy risks. The use of AR applications, after all, implies intensive collection of data, allowing for the creation of a detailed picture of the user’s personal life. Which raises a number of privacy-related questions. It is important for AR developers and users alike to be aware of these questions and the risks they may be pointing to. The minimal requirement is transparency, on the part of AR applications, on what will be done with personal data related to the users. Another basic requirement is confidential treatment of these data. Users have to be sufficiently informed on which data are being collected and who they will be shared with. Another important consideration is the implementation of appropriate security measures, in order to offer maximum protection of the users’ privacy. Developers will have to set up their AR applications in such a way that user privacy, to the maximum extent possible, is ensured by the very design of the system – a trend which is generally gaining strength in software development. Strong policies, high degrees of transparency and privacy-by-design engineering, are the key ingredients for augmented reality applications that embrace reliable protection of privacy.

Maxime Visser

Maxime Visser

Maxime is a legal counsel at The Privacy Factory and is currently obtaining a master’s degree in Internet, IP and ICT at the Vrije Universiteit Amsterdam. She is interested in new technological developments and all the legal issues that arise from this.

Recent publications

Privacy Weekly

Subscribe to Privacy Weekly and stay up to date on recent privacy trends and developments.

In search of

Free GDPR|Check

Connect with us

Subscribe to Privacy Weekly

Subscribe to Privacy Weekly
A privacy alert, blog post or white paper in your inbox every Thursday!

We use only functional and analytical cookies to ensure that we give you the best experience on our website. This means that our cookies do not collect personal data. Learn more.