Digital Twins, Data Rights, and the Emerging Legal Personality Problem in Industrial AI
Introduction
A digital twin is more than a simulation. It is a dynamic, continuously updated virtual representation of a physical system, process, or asset, maintained in real time through sensor data, operational feedback, and AI-driven modelling. In industrial settings, digital twins are used to optimise manufacturing lines, predict equipment failures, design infrastructure, and manage supply chains with precision that has transformed competitive dynamics in advanced manufacturing.
As digital twins acquire increasing autonomy, the ability to make operational recommendations, initiate procurement processes, automatically adjust production parameters, and interact with the digital twins of other enterprises in automated negotiation, the legal framework begins to encounter a more fundamental problem: the emerging quasi-agency of a system that is neither a person nor a product in the conventional sense.
India’s industrial AI ambitions, articulated through the Make in India programme, the National Manufacturing Policy revisions, and the PLI scheme for technology manufacturing, are creating conditions for rapid digital twin adoption. Simultaneously, the data governance questions that digital twins raise, about data ownership, access rights, IP in twin-generated insights, and liability for twin-initiated actions, remain unaddressed.
Legal Framework
Digital twins generate three legally distinct categories of output: raw operational data collected from physical systems, analytical insights derived from that data by AI models embedded in the twin, and autonomous actions or recommendations taken by the twin. Each category implicates a different legal framework.
The Digital Personal Data Protection Act, 2023, governs personal data processed by digital twins to the extent such data is personal in nature. Industrial digital twins predominantly process non-personal operational data, falling outside the DPDPA’s direct scope. Data ownership as a legal concept remains underdeveloped in Indian law. The National Data Governance Framework Policy, in its draft form, contemplates a regime for non-personal data governance including industrial data, but has not been enacted.
Intellectual property in twin-generated insights presents a complex analysis. The analytical insights produced by a digital twin’s AI models may constitute protectable information if they satisfy the originality requirement. Trade secret protection may offer a more robust pathway for twin-generated operational insights that are commercially sensitive.
Judicial and Regulatory Developments
The European Union’s Data Act, which entered into force in 2024, is the most advanced regulatory framework specifically addressing industrial data, including data generated by connected machines and digital twin systems. The Data Act creates a right for users of connected products to access the data generated by those products and limits on the ability of connected product manufacturers to restrict access to data generated by their machines.
The EU’s European Industrial Data Space initiative is creating standardised frameworks for cross-enterprise data sharing in digital twin networks, allowing manufacturers’ digital twins to interact and share operational data under defined governance rules. Indian industrial companies participating in European supply chains will increasingly need to interface with these frameworks.
Contemporary Issues and Analysis
The legal personality problem emerges most acutely when digital twins act rather than merely model. As digital twins gain the capability to initiate procurement orders, execute maintenance contracts, adjust safety parameters, and interact with regulatory reporting systems, they transition from advisory tools to operational agents. The legal system’s framework for agency requires that an agent have the capacity to bind the principal. When a digital twin executes a commercial transaction on behalf of an industrial enterprise, is the enterprise bound by that transaction?
Under current law, the answer depends entirely on whether the digital twin’s action can be characterised as having been authorised by a human principal with authority to bind the enterprise. A digital twin executing a contract autonomously without a human reviewing and approving each transaction is more than an electronic contracting medium; it is a system making commercial decisions whose scope of authority is defined by software rather than legal instrument.
The question of liability when a digital twin’s autonomous decision causes harm is closely related. If a digital twin managing a manufacturing line decides to override a safety protocol based on its AI model’s optimisation, resulting in an industrial accident, the liability question must identify a responsible party. The enterprise operating the twin is the most obvious candidate, on a respondeat superior or enterprise liability theory. But if the twin’s decision was made on the basis of a model provided by an AI developer whose training was deficient, the liability chain extends upstream.
Comparative and International Perspective
Germany’s approach under its Industrie 4.0 governance framework treats the digital twin operator as the legal responsible party for all twin-initiated actions, requiring that operators maintain human oversight capability at all times and that any autonomous action above a specified commercial threshold be subject to human approval before execution.
Japan’s Society 5.0 digital twin governance guidelines, issued by METI in 2025, require that digital twin systems operating in regulated industries maintain an immutable audit log of all autonomous decisions, accessible to regulators on demand. This auditability obligation is a minimum accountability standard that India should consider adapting.
Practical and Policy Implications
For Indian industrial enterprises, the data rights uncertainty around digital twins creates commercial risk in two directions. On the one hand, contracts with technology vendors may inadvertently transfer or leave ambiguous the ownership of operationally sensitive insights generated by the twin. On the other hand, enterprises generating valuable operational insights through their twins cannot currently protect those insights as property, only as trade secrets through confidentiality obligations.
For insurance underwriters, the autonomous action capability of industrial digital twins presents an underwriting challenge: existing industrial liability policies assume that operational decisions are made by identifiable human employees or through defined automated systems whose parameters are fixed. A digital twin whose operational decisions are emergent from AI modelling falls outside these policy assumptions.
Suggestions and Reforms
India should enact a Non-Personal Industrial Data Act that defines data generated by industrial connected systems including digital twins as a new asset category subject to defined access rights, sharing obligations, and portability requirements. The Act should specify that operational data generated by machinery owned by an enterprise belongs to that enterprise, while insights derived from that data by third-party AI platforms are jointly owned subject to contractual allocation.
A Digital Twin Operator Accountability Framework should be developed by the Ministry of Heavy Industries in consultation with the Ministry of Electronics, specifying that operators of industrial digital twins with autonomous action capabilities must maintain human oversight for all commercially significant or safety-relevant decisions, maintain an immutable audit log, and carry minimum liability insurance covering autonomous decision-related losses.
Conclusion
Digital twins are not a future technology. They are a present industrial reality, and the legal questions they raise about data rights, autonomous agency, and liability allocation are already generating disputes that the existing framework handles poorly or not at all. India’s industrial AI ambitions will be better served by a proactive legal framework that clarifies ownership, specifies accountability, and enables confident commercial deployment than by a regulatory vacuum that forces enterprises and courts to improvise in the face of complex and consequential uncertainty.