The Tour d'Horizon of Data Law Implications of Digital Twins
4.1.1 POTENTIAL RISKS
In the event that the Data Controllers in the DT ecosystem fail to undertake appropriate compliances under privacy laws, such as (i) seeking consent of Data Subjects, (ii) ensuring Data Subject rights, or (iii) protecting the personal data, the privacy laws may be violated and penalties may be enforced. For example, personal data collected to create an organ DT, as specified in a notice to the Data Subject, cannot be repurposed without explicit consent.
Sharing this personal data with a third party should also be based on consent obtained from the Data Subject. Additionally, DT providers acting as Data Controllers must ensure personal data is securely stored and accessible only to authorized personnel, particularly for sensitive data related to health, genetics, and biometrics. Data Subjects may also bring an action against the DT developer / deployer for compensation.
This risk is heightened especially where sensitive personal data is involved. In some jurisdictions, only the Data Controller is held liable under the law, even if the Data Processor is at fault. For instance, under the Proposed Indian Data Law, the Data Fiduciary (akin to a Data Controller) is responsible for compliances under the data law, regardless of whether the processing of the personal data is undertaken by a contracted Data Processor. [24] To mitigate this risk, DT developers / deployers may include an indemnity clause to address breaches or data leaks caused by the Data Processor. This safeguards the DT developers' / deployers' interests in case a monetary penalty is imposed on them for such incidents.
There is an increasing global concern over subjecting Data Subjects to automated decisions. This may be relevant in the context of Manufacturing DTs or Healthcare DTs, where workers or patients (as the case may be) may be subject to decisions made by AI algorithms. To counter this, it must be ensured that (i) the Data Subjects are explicitly informed about the process of the decision making, and (ii) critical decisions impacting the Data Subject are subject to human review and oversight. For instance, a doctor or medical professional should not place absolute reliance on the diagnosis given by an organ DT and should critically review the diagnosis themselves.
4.1.2 IMPACT
If appropriate compliances under personal data protection laws are not undertaken, Data Controllers in the DT application may be subject to statutory penalties. In most jurisdictions,
[24] Section 8(1) read with Section 8(5), DPDPA, India.
May 2025