Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 95

The Tour d’Horizon of Data Law Implications of Digital Twins
For other Use Cases, it is likely that there may be contractual obligations with indemnity clauses to mitigate losses caused by inaccurate outcomes from the DT.
5 CONCLUSION AND TAKEAWAYS
To conclude, we propose a few risk mitigation measures to ensure the smooth, efficient and secure operation of DT technology in the Use Cases mentioned above.
5.1 HUMAN OVERSIGHT
The decisions provided by a DT are automated. Hence, there should be vigilant human oversight before such decisions are implemented on the physical product. This becomes especially relevant in the Use Case of Healthcare, where automated decisions related to the diagnosis of an ailment may be implemented on a patient. Furthermore, the DT provider should have a designated ‘Data Protection Officer,’ as required in multiple jurisdictions, to ensure that any complaints from Data Subjects are addressed promptly and effectively.
5.2 EXPERTS AS A RESOURCE
The creation of a DT should not be an entirely automated process. Input from experts in the relevant field should be taken into account when creating the DT concerned. A hybrid approach should be adopted that combines human knowledge and machine learning to create DTs. An expert’s insight would be valuable to curate the “correct process recipe” for the DT. For instance, the construction of an energy-efficient building needs the aid of human knowledge and experience in extreme terrains. Experts can accurately determine the data that might be required for such a project. Experts act as a check on the actions proposed to be taken to create a DT [13].
5.3 DATA CLASSIFICATION
Depending on the type of DT being created, an analysis should be undertaken to understand the categories of datasets involved, such as non-personal data, personal data and sensitive personal data. Identification and classification of data would aid in data compliance by the various stakeholders involved.
5.4 ENTITY CLASSIFICATION
To further mitigate risks and to ensure compliance with applicable laws, all stakeholders, such as the DT provider, service provider, storage provider, back-end service provider, and consumer-facing entities (e.g. hospitals offering precision medicine services in collaboration with a DT provider), must assess their roles as Data Controllers or Data Processors under the relevant jurisdiction. This assessment should account for the nature of the data involved, for instance, whether it pertains to human health (sensitive personal data) or machine health (non-personal data). Proper identification of roles ensures that each stakeholder fulfills its legal obligations under applicable laws, thereby strengthening compliance frameworks and reducing liability risks.
May 2025