The Tour d’ Horizon of Data Law Implications of Digital Twins
materials designated as state secrets beyond the country’ s borders without approval from competent authorities. 45
In addition to this, specific restrictions imposed on the transfer of personal data in the relevant jurisdictions must also be taken into account. For instance, the Proposed Indian Data Law empowers the government to restrict the transfer of certain specified categories of personal data to a foreign state or an entity or person controlled by such foreign state. 46 Further, identified“ significant” data fiduciaries( akin to Data Controllers) may be required to process identified categories of personal data within the territory of India. 47 These additional restrictions, once implemented, would need to be carefully considered to ensure compliance and seamless operational continuity.
4.4.2 IMPACT
Given the large datasets used in DT applications, the DT developers / deployers will need to identify the compliances and transfer restrictions for each type of data within the Input Datasets. Additionally, data transfer agreements with Data Processors must be executed to ensure alignment with these compliance obligations. This is a compliance burden. From an implementation perspective, even if there are higher restrictions for transfers of certain datasets and not for others, the entire DT application would be affected.
4.5 DATA STORAGE & SECURITY
DT utilizes cloud computing technology to integrate data between the physical products and the virtual replica. Hence, we understand that data related to the DT may be stored in a cloud. The cloud computing technology may be owned, operated and managed by the DT provider or may be outsourced to a third-party. Here, most DT providers offer cloud computing solutions as a part of the DT. However, there may be situations, where storage is outsourced. In addition to this, there is a requirement to notify a designated authority in the event of a data breach / leak. In some jurisdictions such as EU 48 and India 49, the Data Subject should also be notified. Further, some jurisdictions such as India also have cyber security incident reporting requirements even if no personal data is affected.
4.5.1 POTENTIAL RISKS
Cloud storage solutions may be susceptible to cyber-attacks resulting in leaks and / or breaches of data. All Use Cases would be at a risk of such a threat. However, the sensitivity of the data lost
45
Article 26, Law of the People ' s Republic of China on Guarding State Secrets( 1988).
46
Rule 14, DPDP Rules, India.
47
Rule 12( 4), DPDP Rules, India.
48
Article 34, EU-GDPR.
49
Section 8( 6), DPDPA, India. Journal of Innovation 87