Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 89

The Tour d’Horizon of Data Law Implications of Digital Twins
to correct and update. These rights may be exercised against the Data Controller and the Data Processor (in some jurisdictions).
4.2.1 POTENTIAL RISKS
The quantity of data that the Data Collector or Data Processor may handle in Healthcare Use Cases is high. Here, considering the high volume of personal data (such as historical data) and the sensitivity of the data (such as genetic data), it would be difficult for the Data Collector or Data Processor (as the case may be) to enable a Data Subject to exercise the above-mentioned rights due to operational difficulties. Furthermore, individual rights pose different challenges. For instance, jurisdictions such as the EU [34] and Brazil [35] provide the Data Subject with the right to portability. In the EU, this right allows Data Subjects to receive their personal data from a Data Controller in a machine-readable format and transmit it to another Data Controller. Additionally, they can request direct transmission between Data Controllers, where feasible. However, jurisdictions such as Canada and India do not provide such portability rights to Data Subjects. In a cross-jurisdictional context, this may hinder the Data Subject in exercising their rights. As mentioned above, historical data from multiple Data Subjects may be used to create the DT, and accessing and porting this data may be a challenge for the Data Controller.
Similarly, the Proposed Indian Data Law grants a unique right to the Data Subject: the right to nominate another individual who may exercise the Data Subject's rights in the event of death or incapacity. From an operational perspective, Data Controllers are burdened with ascertaining the validity of the nomination.
4.2.2 IMPACT
The high volume and sensitivity of healthcare data may make it challenging for Data Controllers and Processors to enable Data Subject rights, especially in cross-jurisdictional contexts. While jurisdictions like the EU and Brazil provide portability rights, others, such as Canada and India, do not, which may create operational and compliance hurdles for DT operations involving multiple jurisdictions.
Further, it is the obligation of the Data Controller to ensure that the Data Subject is not deprived of control over their personal data, especially in the context of Healthcare DTs. Here, the collection of personal data should be based on explicit consent of the Data Subject and there should be clear mechanisms in place to ensure that the Data Subject can exercise the rights granted under the relevant jurisdictions. Even if there is a difference in the rights granted to the Data Subject (such as the example of data portability), it should at minimum be ensured that common rights such as the right to access and correct the personal data are made available to the Data Subject.
[34] Article 20, EU-GDPR.
[35] Article 18, Lei Geral de Proteção de Dados, Federal Law no. 13,709 / 2018, Brazil (“LGPD, Brazil”).
May 2025