The Tour d’ Horizon of Data Law Implications of Digital Twins
including India 25, EU, 26 Singapore, 27 heavy monetary penalties are triggered for non-compliance. For instance, in the EU, administrative fines can reach up to EUR 10 million or( for undertakings) 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. 28 Similarly, under Proposed Indian Data Law penalties vary based on the contravention, ranging from INR 10,000( approx. USD 118) to INR 250,00,00,000( approx. USD 29.59 million). 29 However, if the personal data is irreversibly anonymized, then the privacy law compliance and penalties would not be triggered.
Additionally, specifically for Manufacturing DTs, the domestic laws may require the DT provider to comply with technical standards such as the“ Automated Systems and Integration – Digital Twin Framework for Manufacturing.” 30 These standards establish a comprehensive framework that, among other provisions, outline the creation of functional entities for data assurance, security support, and access control. 31 Furthermore, they provide guidelines for defining information attributes within a DT 32 and for the functionality of networks and information exchange processes across the DT system. 33
4.2 DATA SUBJECT RIGHTS
Privacy laws in various jurisdictions grant Data Subjects rights vis-à-vis their personal data including, amongst others: the right to access, right to be forgotten, right to portability and right
25
Information Technology Act, 2000(“ IT Act, India”) and the Information Technology( Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, India(“ IT Rules, India”); Digital Personal Data Protection Act, 2023, India(“ DPDPA, India”). [ Please note that the current data protection framework in India is regulated by the IT Act read with the IT Rules. The government has enacted the DPDPA, but has not issued the rules under it and hence, the DPDPA is yet to be enforced. Once the DPDPA is enforced, it would replace the IT Rules.]
26
Chapter 8, EU-GDPR.
27
Section 48J, Personal Data Protection Act, 2012, Singapore.
28
Chapter 83( 4), EU-GDPR.
29
Schedule I, DPDPA.
30
ISO 23247-1:2021 Automated Systems and Integration – Digital Twin Framework for Manufacturing- Part 1: Overview and General Principles. https:// www. iso. org / standard / 75066. html
31
ISO 23247-2:2021 Automated Systems and Integration – Digital Twin Framework for Manufacturing- Part 2: Reference Architecture. https:// www. iso. org / standard / 78743. html
32
ISO 23247-3:2021 Automated Systems and Integration – Digital Twin Framework for Manufacturing- Part 3: Digital representation of manufacturing elements. https:// www. iso. org / standard / 78744. html
33
ISO 23247-4:2021 Automated Systems and Integration – Digital Twin Framework for Manufacturing- Part 4: Information Exchange. https:// www. iso. org / standard / 78745. html
Journal of Innovation 83