Global data privacy laws, such as the EU’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and India's Digital Personal Data Protection (DPDP) Act, are constantly changing and vary by jurisdiction, making compliance extremely difficult. Current AI-based compliance technologies are frequently opaque, poorly linked with functional IT systems, and sluggish to adjust to changes in the law. In order to facilitate auditable, low-latency compliance management, this article suggests a hybrid Regulatory AI (RegAI) system that integrates natural language processing, explainable AI (XAI), and a privacy-ontology-driven knowledge graph. The system uses two input modes: (i) text-text comparison and (ii) text-URL comparison of official legal documents. It also performs clause-level mapping, ingests regulatory texts and updates, and compares old and new versions of legislation. For GDPR, CCPA, and DPDP Act compliance reasoning, the knowledge graph is the only source of truth. Accuracy, transparency, and latency are evaluated experimentally using realistic regulation change scenarios. The possibility of dynamic, explainable compliance automation is demonstrated by the results, which show high clause-mapping accuracy, comprehensible explanations for compliance judgments, and near-real-time processing of legal modifications.
Introduction
The text presents a research study on a Regulatory AI (RegAI) framework designed to improve data privacy compliance management across major laws such as the GDPR, CCPA, and India’s DPDP Act.
It begins by explaining that global data privacy regulations are complex, frequently changing, and difficult for organizations to manage manually. Existing AI-based compliance systems often suffer from three key problems: they are black-box models (lack explainability), inflexible when laws change, and difficult to integrate with real IT systems. To address this, the study proposes a hybrid RegAI system that combines knowledge graphs (KGs), natural language processing (NLP), and Explainable AI (XAI).
The framework works by:
Encoding legal rules from different privacy laws into a formal knowledge graph
Using NLP techniques to map and compare clauses across different versions and laws
Calculating a change ratio to measure how much laws have been modified
Applying SHAP-based explainability to show why a clause is marked as changed or compliant
Supporting both text-to-text and text-to-URL inputs for legal analysis
The system architecture includes modules for regulation ingestion, clause mapping, knowledge graph storage, explainable AI, and compliance decision-making. It is designed to be scalable, auditable, and suitable for integration into enterprise compliance workflows.
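The clause mapping and change ratio steps listed above, as an added sketch that is not the study's own code: bag-of-words cosine similarity stands in for the NLP model, a token-level difference stands in for the SHAP explanation, and the thresholds and the change-ratio definition (share of rows not labelled unchanged) are assumptions. The sample clauses are constructed, not statutory text.

```python
import math
import re
from collections import Counter

# Constructed sample clauses for illustration (not real statutory text).
OLD = {
    "c1": "Personal data shall be processed lawfully and transparently.",
    "c2": "Data shall be retained for no longer than twelve months.",
    "c3": "The controller shall notify the authority of a breach within 72 hours.",
}
NEW = {
    "c1": "Personal data shall be processed lawfully and transparently.",
    "c2": "Data shall be retained for no longer than six months unless consent is renewed.",
    "c4": "Data subjects may request erasure of their personal data.",
}

def bag(text):  # lower-cased bag-of-words vector for one clause
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def map_clauses(old, new, match=0.5, same=0.999):
    """Greedily align old clauses to the most similar unused new clause (thresholds assumed)."""
    rows, used = [], set()
    for oid, otext in old.items():
        scores = {nid: cosine(bag(otext), bag(t)) for nid, t in new.items() if nid not in used}
        nid = max(scores, key=scores.get, default=None)
        score = scores.get(nid, 0.0)
        if nid is not None and score >= match:
            used.add(nid)
            # Token-level difference: a simple, auditable reason for the label.
            delta = sorted((bag(new[nid]) - bag(otext)) + (bag(otext) - bag(new[nid])))
            rows.append((oid, nid, "unchanged" if score >= same else "modified", delta))
        else:
            rows.append((oid, None, "removed", []))
    rows += [(None, nid, "added", []) for nid in new if nid not in used]
    return rows

def change_ratio(rows):
    """Assumed definition: share of aligned rows whose label is not 'unchanged'."""
    return sum(r[2] != "unchanged" for r in rows) / len(rows) if rows else 0.0

if __name__ == "__main__":
    rows = map_clauses(OLD, NEW)
    print(*rows, change_ratio(rows), sep="\n")
```

Each row keeps the old and new clause identifiers together with the tokens that differ, which is the kind of record an auditor can check against the source texts.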
The literature review shows that previous research has used knowledge graphs, NLP, and large language models for legal analysis, but most approaches:
Focus on single laws or single tasks
Lack multi-jurisdiction comparison
Do not provide strong explainability for decisions
The proposed system addresses these gaps by combining all three (KG + NLP + XAI) into one unified framework.
In experiments, the system achieved:
88% accuracy in clause mapping and classification
0.88 average similarity in aligned clauses
0.82 seconds latency per update
Effective detection of legal changes across GDPR, CCPA, and DPDP Act
SHAP explanations and knowledge graph links allow users to understand exactly why a clause was marked as changed, improving transparency and trust. Experts can trace decisions back to specific legal concepts and clause relationships.
Conclusion
Our hybrid RegAI approach shows how dynamic, explainable, and multi-jurisdictional regulatory change management may be supported by combining a privacy-ontology-driven knowledge graph with NLP-based clause mapping and post-hoc explainability. According to experimental data, the system computes a change ratio of 0.33 for the examined situation and achieves 88% accuracy, 0.82 second latency, and an average similarity of 0.82 on clause alignment tasks. The approach provides the following advantages over current AI-enabled privacy policy and DPA analysis tools:
Comparable accuracy to well-known deep learning and machine learning techniques for GDPR compliance verification.
A more comprehensive transparency layer that improves interpretability in comparison to black-box models by integrating SHAP explanations with KG reasoning routes.
New quantitative measures that are adapted to the evolution of regulations, including clause-level change ratios, can help legal teams prioritize impact analysis during updates.
These findings imply that a KG-centric, XAI-augmented architecture is a feasible route toward practical, real-time compliance support in settings that are concurrently subject to the DPDP Act, GDPR, and CCPA.
In order to facilitate dynamic, multi-jurisdictional privacy compliance, this article provides a hybrid RegAI architecture that combines a privacy-ontology-based knowledge graph, NLP-driven clause mapping, dual input modes for legal updates, and SHAP explanations. While NLP and XAI components offer precise, transparent, and fast regulatory change detection, the KG serves as the authoritative compliance knowledge base that permits auditable reasoning. The framework provides a route towards operational, explainable, and scalable regulatory change management for GDPR, CCPA, DPDP Act, and beyond. It is based on and expands upon previous work on KGs, NLP, and AI-based completeness checks.