The Tour d’ Horizon of Data Law Implications of Digital Twins
The creation of a DT is a data intensive task. As visible from the examples mentioned above, there are many companies who operate at a B2B level and create DTs for other businesses. Here, data agreements as well as confidentiality agreements become ever more relevant to protect crucial operation related data of businesses opting for DT related services from a third-party.
3.3 CROSS BORDER DATA TRANSFERS AND LOCALIZATION
In most DT applications, the data flows and transfers may not be limited to one jurisdiction. For instance, the procurement of Input Data may be from a different jurisdiction; or the data processing may be in a different jurisdiction than where the DT is deployed. This may be particularly relevant where a company that intends to create a Process DT of its manufacturing units, which may spread across multiple jurisdictions. Let us take an illustrative example- a company, headquartered in California, may have a manufacturing unit in both India and China, and may want to combine the data of both these units to gain insights for operational efficiency. The Process DT( including the DT of the China and India units) may be created and accessed by the company in California. In such cases, the laws governing the data import / export and processing in all the relevant jurisdictions would be applicable.
From this perspective, it is significant to note that certain jurisdictions have adopted cross-border data transfer restrictions or data localization requirements. For instance, transferring personal data outside the European Union(“ EU”) involves stringent compliance requirements. One approach is through an adequacy decision, where the European Commission recognizes that a non-EU country ensures an adequate level of data protection and permits the transfer of personal data. In the absence of such a decision, data transfers may be based on contractual arrangements. 17 Likewise, transfer of certain sectoral data from India( such as payments data, insurance data, geospatial data, financial services data, etc.) is either prohibited entirely or a copy of such sectoral is required to be maintained in India. In addition to this, jurisdictions may not permit the transfer of data related to defense, in the interest of national security( discussed below under Data Localization).
3.4 DATA MINIMIZATION, PROCESSING AND RETENTION LIMITATIONS
One of the core principles across data protection laws is that only minimum and necessary data should be collected / processed, and used for specific purposes and for a duration justified for fulfilling such purpose or for which permissions have been obtained. Therefore, in DT applications, it must be ensured that only a minimum amount of data is procured / processed and no unused dataset is being hosted on DT systems. This is especially integral in applications that are collecting and processing personal data, where the Data Subject has to consent to each of the specified purposes of processing and retention of their personal data. Further, the Data Controller may be obligated to erase the personal data of the Data Subject, if the Data Subject
17
This includes the“ Standard Contractual Clauses” and“ Binding Corporate Rules.” 80
May 2025