GPS Adv. Govind Preet Singh Technical Legal Counsel

AI Governance & Regulation / EU, India, US

Simulation and Digital Twins — Identity Without Consent

22 May 2026

Creating a behavioral digital twin without the subject's knowledge

Ai governance regulation — Simulation and Digital Twins — Identity Without Consent
Key takeaways
  • Creating a digital twin without consent may constitute processing of personal data for profiling purposes under GDPR Article 21.
  • Synthetic data derived from a digital twin may still re-identify the subject — membership inference is a legal risk, not just a technical one.
  • The case for mandatory consent before digital twin creation is strengthening in EU regulatory guidance.
Risk signals
  • Digital twins created from customer data without explicit profiling consent.
  • Synthetic datasets released without membership inference testing.
Action items
  • Obtain explicit, informed consent for digital twin creation.
  • Run membership inference attacks before releasing any synthetic behavioral dataset.
  • Treat digital twin outputs as personal data subject to all applicable privacy obligations.

A behavioral digital twin is a parameterised model of a specific person. Running scenarios through it without their knowledge is not research — it is modeling a person's identity without consent.

Key Analysis

Creating a digital twin without consent may constitute processing of personal data for profiling purposes under GDPR Article 21.
Synthetic data derived from a digital twin may still re-identify the subject — membership inference is a legal risk, not just a technical one.
The case for mandatory consent before digital twin creation is strengthening in EU regulatory guidance.

Risk Signals

Digital twins created from customer data without explicit profiling consent.
Synthetic datasets released without membership inference testing.

Action Items

Obtain explicit, informed consent for digital twin creation.
Run membership inference attacks before releasing any synthetic behavioral dataset.
Treat digital twin outputs as personal data subject to all applicable privacy obligations.

LinkedIn

Technical Deep Dive

Read the technical deep dive

See the implementation walkthrough on govindpreetsingh.com

Read on govindpreetsingh.com →
Appointment

Request a consultation

This is a lightweight intake endpoint for now. It is structured so the practice management system can later take over scheduling, conflict checks and matter creation.

Submitting this form does not create an advocate-client relationship. Please avoid sending confidential details until engagement is confirmed.