Why Privacy Laws Fail or Succeed: Cost, Architecture, and Governance under the DPDP Act in Comparative Perspective
Varun N. Rao¹, Narendra Vijayasimha¹*
Abstract
The enactment of India’s Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant transition toward a consent-centric and accountability-based privacy framework. However, comparative experience from the European Union (GDPR), the United States (CCPA/CPRA), Brazil (LGPD), and Singapore (PDPA) demonstrates that the effectiveness of privacy laws depends less on statutory text than on how implementation challenges are addressed in practice. This study examines four recurring implementation constraints – cost of compliance, cross-border data transfers, data mapping, and ambiguity in non-consensual processing bases – and evaluates their implications for India’s DPDP regime. Methodologically, the study adopts a qualitative comparative legal and policy analysis, synthesizing regulatory enforcement decisions, court judgments, empirical economic studies, and technical governance literature across jurisdictions. The findings indicate that privacy compliance consistently evolves into an architectural problem, driven by fixed infrastructure costs, fragmented data environments, and uncertainty around lawful processing bases. India’s DPDP Act mitigates some risks, particularly ambiguity around “legitimate interest”, but remains vulnerable to compliance cost inflation, cross-border uncertainty, and data-inventory failures. The study concludes that effective DPDP implementation requires regulatory recognition of privacy as a systems-governance challenge. It recommends architecture-aware compliance models, automation of consent and data-flow controls, and risk-based regulatory guidance. These measures can enable India to avoid the structural failures observed in earlier regimes while supporting innovation and scalable compliance.
Keywords:
Digital Personal Data Protection Act (DPDP Act); Privacy Compliance Architecture; Cross-Border Data Transfers; Data Mapping and Governance; Comparative Privacy Law