Privacy protection in digital databases does not demand that data not be collected, stored or used; it demands guarantees that the data can be used only for pre-approved and legitimate purposes. We argue that a data protection law based on a traditional understanding of privacy protection and detection of privacy infringements is unlikely to be successful, and that what is required is a law based on an understanding of the architectural requirements of authorisation, audit and access control in real time. Although the protection principles are sound, privacy protection in digital databases has been less than effective everywhere, mainly because of weak enforcement methods.