The Tour d’ Horizon of Data Law Implications of Digital Twins
has the right to withdraw their consent and has exercised this right. However, personal data may be retained after the withdrawal of consent if the law mandates the retention of that specific category of data for a specified period of time.
4 LEGAL IMPLICATIONS AND RISK MANAGEMENT
The legal risks and implications under data laws would depend on the type of data and the jurisdiction. Firstly, the legal risks and compliances associated with personal data is typically higher than non-personal data. Furthermore, if data used in the DT application is“ sensitive personal data” under local data laws, the DT application may be subject to higher compliances. Secondly, it must be noted that data laws are country-specific, hence, DT application should be assessed on a jurisdictional basis. Key legal nuances under data laws to keep in mind are detailed below.
4.1 VIOLATION OF PRIVACY
If personal information of an individual is collected to create a DT, privacy laws are triggered. Further, certain jurisdictions such as Australia 18, EU 19, Saudi Arabia 20 further categorize certain types of personal data as sensitive personal data( such as health data, genetic data, etc.), in which case, higher compliances would be triggered. Under the currently applicable Indian data protection law(" Current Indian Data Law "), only sensitive personal data or information is subject to regulatory compliance, while other categories of personal data remain outside its scope. 21 However, India is transitioning from the Current Indian Data Law to a new data protection framework(" Proposed Indian Data Law "). 22 The Proposed Indian Data Law eliminates the distinction between sensitive personal data and personal data, applying its provisions uniformly to all personal data, which is broadly defined as any data that identifies an individual or relates to an identifiable individual. 23
18
“ sensitive information”, Section 6, Privacy Act, 1988, Australia.
19
Article 9, Regulation( EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 / 46 / EC( General Data Protection Regulation)(“ EU-GDPR”).
20
Article 1( 11), Personal Data Protection Law( Royal Decree No.( M / 19) dated 09 / 02 / 1443 AH corresponding to 16 / 09 / 2021), Kingdom of Saudi Arabia(“ PDPL, Saudi Arabia”).
21
Information Technology Act, 2000(“ IT Act, India”) and the Information Technology( Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, India(“ IT Rules, India”)( collectively“ Current Indian Data Law”).
22
Digital Personal Data Protection Act, 2023, India(“ DPDPA, India”) and the Draft Digital Personal Data Protection Rules, 2025(“ DPDP Rules, India”)( collectively“ Proposed Indian Data Law”). [ Please note that the DPDPA, India has not been enforced as of the date of writing this article. The Indian government has issued the DPDP Rules, India for public consultation. Once the rules are finalized, DPDPA, India and DPDP Rules, India would come into enforce and would replace the Current Indian Data Law.]
23
Section 2( t), DPDPA, India. Journal of Innovation 81