"Today, digital evolution must no longer be a customer compromise between privacy and security. Privacy is not a product to be sold, it is a valuable asset to be protected.”

INTRODUCTION
With the exponential growth of digitization everywhere, the need to secure data is high. The focus of governments around the world has shifted from regulating cyberspace to protecting the rights of citizens. Although most developing countries such as India are still in the early stages of drafting legislation, many developed countries such as the United Kingdom, Australia and the United States have already set the bar in this area. The US has industry legislation and several federal privacy laws, the UK Data Protection Act 2018 has its roots in the EU GDPR and Australia's privacy framework is enumerated from the OECD Principles.

US DATA PROTECTION
The US follows a sectorial approach to data protection legislation. There is no overarching federal data protection law. Federal law instead protects data within sector-specific contexts. These statutes only apply to specific sectors such as "health, education, communication, financial services, in the case of data collection, for children".

In other words, most privacy laws in the United States restrict data processing based on the context in which the data is used (e.g., healthcare, banking, education). Privacy regulation in the United States is fundamentally highly contextual, sector-based, common law, federal and state laws and mostly rely on private law or explicit agreements later enforced by federal or state laws. The Federal Trade Commission (FTC) is in charge of federal law enforcement, but federal prosecutors are also involved in protecting consumer privacy.

The Fair Information Practices Principles, which provide a standard set of principles that have formed the basis for many privacy and data protection laws around the world world, including those in the United States, the European Union, and elsewhere, were first established in 1973 by an advisory committee of the United States Department of Health, Education, and Welfare and were later included in the United States of America. State Privacy Act of 1974.

Fourth Amendment
The boundaries of privacy rights in the US are enumerated in the Fourth Amendment of the US Constitution. Protects individuals from "unreasonable searches and seizures" by the government. In Katz v. United States, the Supreme Court held that the government's warrantless wiretapping of a person making a telephone call from a payphone exceeded the defendant's subjective expectation of privacy, which could be justified by impeding societal norms.

Fourth Amendment privacy claims invokes what is known as the reasonableness standard and expectation of privacy test. Therefore, US privacy claims are judged by the standards of an "objective third party," a person of "reasonable sensitivity."

The US Supreme Court has also upheld individual privacy rights on issues such as birth control, same-sex relationships, and abortion, as penumbra rights derived from or implied by the Constitution. These rights have also been referred to as "unenumerated" privacy rights.

Privacy Tort
Most states have adopted privacy torts that provide basic privacy rights in the United States, either through common law or legislation, or through interpretation of their state constitutions. false light. These torts secure four distinct individual rights, all of which revolve around the “right to be left alone,” as Samuel Warren and Louis Brandeis famously put it in an 1890 article in Law. The reasonableness threshold established in American common law, as well as in the First Amendment, both limited the scope of privacy torts.

Industry Laws
The most distinctive feature of US privacy and data protection law is the scope or area of ​​regulation. US privacy laws/regulations are generally sector-specific. For example, different regulations apply to businesses processing data of government agencies and private companies. Furthermore, businesses that are located in several sectors of the economy or process different types of data are governed by different rules.

Industry-specific laws define the appropriate level of protection for discrete/various data processing functions , from consumer transactions to law enforcement and health record keeping. In short, sectoral regulations treat threats to privacy and data protection as specific to certain types of data processing industries. or technology.

The various sector-specific data protection laws are described below:

• Health Insurance Portability and Accountability Act (HIPAA)
• Controlling the Assault of Non-Solicited Pornography and Marketing Act, 2003
• The Fair Credit Reporting Act (and the Fair and Accurate Credit Transactions Act (Pub. L. No. 108–159) which amended the Fair Credit Reporting Act)
• Electronic Communications Privacy Act, 1986
• Computer Fraud and Abuse Act, 1986
• Family Education Rights and Privacy Act, 1974
• Children’s Online Privacy Protection Act, 1998 (COPPA)
• Gramm-Leach- Bliley Act, 1999 (GLBA)

Federal Trade Commission
The Federal Trade Commission (FTC) regulates the processing of personal data in the United States and plays an important role in protecting the privacy of American consumers. It does so primarily through Section 5 of the Federal Trade Commission Act, which has the authority to maintain independent oversight of unfair and deceptive business practices and to adopt coercive measures against them.

The FTC has the power to issue injunctions and civil penalties against businesses that violate customers' privacy rights and now "dominates enforcement of privacy rules." While the FTC has been credited with influencing the behavior of large corporations, it has also been chastised for failing to respond to highly criticized actions that have created privacy concerns, such as Facebook's online monitoring methods.

The FTC is the primary enforcement agency for federal privacy laws such as GLBA, FCRA, and COPPA. In recent years, it has taken a more active role in protecting consumer privacy by issuing consent decrees in settlements with companies accused of violating privacy laws.

California Consumer Privacy Act (CCPA)
California's implementation of the CCPA, a comprehensive privacy law that critics have dubbed "California's GDPR," is by far the most significant recent privacy development in the United States. The CCPA has broad influence due to California's size and the fact that it is home to Silicon Valley, and businesses across the United States and around the world are assessing what it means for them.

The CCPA went into effect on January 1, 2020 and immediately became the most comprehensive privacy or data protection law in the country. The CCPA applies to for-profit entities doing business in California that collect or determine the processing of personal information and fall into one of three size categories. It imposes strict obligations on businesses that collect personal information from California residents to publish privacy policies. It requires businesses to provide California residents with the ability to access and delete their personal information, as well as the ability to prevent the sale of their information to third parties.

It prohibits companies from selling personal information about children under 16 without their express consent. The CCPA creates a private right of action for certain data breaches caused by a company's failure to follow and maintain acceptable security policies and procedures. The California Attorney General is authorized to enforce the requirements of the CCPA with statutory fines of up to $7,500 per violation.

DATA PROTECTION IN UK
Prior to 2016, the primary data protection legislation in the UK was the Data Protection Act 1998 (DPA 1998). The DPA Act 1998 was enacted to implement the EU Data Protection Directive (DPD) 1995 into UK domestic law. In 2016, the EU General Data Protection Regulation (GDPR) was enacted, which repeals the DPD. The UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK domestic law (forming the 'UK GDPR') following the UK's Withdrawal from the European Union.

To reflect its status as UK domestic law, the UK has made a number of technical amendments to the GDPR (for example, changing references to "Member State" to "United Kingdom"). The Data Protection, Privacy and Electronic Communications (Amendments and Other Provisions) (Withdrawal from the EU) Regulations 2019 have been used to make these changes. At this point, all substantive obligations of controllers and processors under the UK GDPR and the EU GDPR are essentially the same.

The Data Protection Act 2018 ("DPA") remains in force as the national data protection law to complement the UK GDPR regime. It addresses issues previously permitted by derogations and exceptions to the EU GDPR (for example, strong public interest reasons for the processing of special category data and context-specific exceptions to GDPR elements such as data subject rights). This new data protection regime under the GDPR and the DPA 2018 are largely similar to the one it replaced, although some changes have been introduced.

The DPA 2018 is divided into six main parts: general processing, law enforcement processing, intelligence processing, the UK Data Protection Authority, Information Commissioner’s Office (ICO), enforcement and supplementary and final provisions.

The Privacy and Electronic Communications (EC Directive) Regulation 2003 (as amended by the Privacy and Electronic Communications (EC) Directive (Amendments) (2011 Regulation) (PECR) governs direct marketing, but also the processing of location and operational data and the use of cookies and similar technology. The European Commission has issued a draft of the proposed regulation on privacy and electronic communications (ePrivacy Regulation), which is supposed to replace the existing directive on privacy and electronic communications. to comply with it in a post-Brexit scenario.

The key changes in the proposed ePrivacy Regulation will be:

1. Make it more difficult to obtain consent to cookies.
2. Attempt to transfer the burden of obtaining consent to the use of cookies to website browsers.
3. make it more difficult to obtain consent for direct marketing and require it to meet the GDPR standard; however, existing exemptions are likely to remain.

The Data Protection Act 2018 governs the use of personal data by organisations, businesses or the government. The Data Protection Act 2018 contains four parts which create four different 'data protection regimes' in the UK:

1. The first part is structured around the European GDPR, complementing and adapting it to UK domestic law.
2. The second part goes beyond the EU GDPR and modifies it in certain cases to apply differently to UK law.
3. Part Three creates a new and separate regime for law enforcement agencies.
4. Part Four creates a new and separate regime for UK intelligence services.

The Data Protection Act 2018 also adopts central EU GDPR definitions such as:

• Personal data meaning “any information relating to an identified or identifiable living individual.
• Processing means “an operation or set of operations performed on information” such as collecting, recording, storing, making available, combining, etc.
• Data subject in the sense of "a living individual to whom the personal data relate".
• Administrator and processor meaning "a natural or legal person, public authority, agency or other entity that alone or jointly with others determines the purposes and means of personal data processing.

Data protection policy
The DPA has set out certain principles known as the "data protection principles". They are:

• The first principle of data protection is that the processing of personal data for any law enforcement purpose must be lawful and fair.
• The second principle states that the purpose for which the data is collected must be specific, legitimate and explicit.
• The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed
• The fourth principle provides for the deletion or correction of inaccurate personal data.
• The fifth principle of data protection is that personal data processed for any of the purposes of law enforcement must not be kept longer than is necessary for the purpose for which they are processed.
• The sixth principle of data protection is that personal data processed for any of the purposes of law enforcement must be processed in a way that ensures adequate security of personal data using appropriate technical or organizational measures

Information Commissioner’s Office
The DPA stipulates the Information Commissioner’s Office (ICO) as the main data protection authority in UK. The Act frames the role, jurisdiction, function and powers of the ICO. The DPA 2018 is enforced by the ICO and, the ICO has powers of enforcement in relation to organisations complying with the data protection requirements in the GDPR.

The ICO has independent status and is responsible for:
maintaining the public register of controllers supporting good practise by providing data protection advice and guidance and working with organisations to enhance their data processing practises through audits, advisory visits, and data protection workshops ruling on complaints taking regulatory actions.

Rights of the Data Subject
Data subjects have a set of rights to govern how their personal data is processed that are similar to those in the EU GDPR. Controllers are required to disclose information on actions done in response to requests within one calendar month by default, with the controller having a limited ability to extend this period by two months if the request is onerous.

Right of access

Right to rectify
Right to erasure ('right to be forgotten')

Right to restriction of processing
In certain cases, data subjects have the right to restrict the processing of their personal data.

Right to data portability
The data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used, and machine-readable format where the processing of personal data is legitimised either on the basis of the data subject' sassent to processing or where processing is essential for the performance of a contract.

Right to object

• Enforcement Agencies
  The ICO has a range of enforcement powers under the DPA 2018, including monitoring and enforcement of the GDPR and the DPA 2018 in the UK. Such monitoring and enforcement powers include the power to issue:
  information notices: requiring controllers and processors to provide the ICO with information that the Commissioner reasonably requires in order to assess compliance with the GDPR or DPA 2018.
   

Assessment notice: requiring the controller or processor to permit the ICO to carry out an assessment of whether the controller or processor is in compliance with the GDPR or DPA 2018
notice of intent: where, after conducting its investigation, the ICO issues a notice of intent to fine the controller or processor in relation to a breach of the GDPR or the DPA 2018. Such a notice sets out the ICOs areas of concern with respect to potential noncompliance of the GDPR or the DPA 2018 and grants the controller or processor the right to make representations. After such representations have been carefully considered, the ICO reaches its final decision on any enforcement action in the form of an enforcement notice.

enforcement notices: such notices are issued where the ICO has concluded the controller or processor has failed to comply with the GDPR or the DPA 2018, setting out the consequences of non-compliance, which could include a potential ban on processing all or certain categories of personal data; and penalty notices: if the ICO is satisfied that the controller or processor has failed to comply with the GDPR or the DPA 2018, or has failed to comply with an information notice, an assessment notice or an enforcement notice, the ICO may, by written notice, require a monetary penalty to be paid for failing to comply with the GDPR or the DPA, 2018. Under the GDPR, such monetary penalties can amount to €20 million or 4 percent of annual worldwide turnover.

Though the status of data protection laws in UK post-Brexit is still uncertain, its expected that EU GDPR would have legal effects in UK until the UK government introduce legislation repealing the provisions and legal effect of the GDPR in UK law and amend the provisions of the DPA 2018, as the GDPR came into force before UK’s scheduled departure from EU

DATA PROTECTION LAWS IN AUSTRALIA
In Australia, information privacy is secured by a combination of Commonwealth, State, and Territory legislation, each of which provides a set of privacy standards based on the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Information (OECD Principles). Information privacy protection in Australia has been described as a "patchwork."

Although all pertinent laws are based on the OECD Principles, there still are substantial variances in how they are applied from jurisdiction to jurisdiction, and there are certain overlaps between Commonwealth and State legislation (especially in the area of health privacy). A Commissioner oversees each of Australia's information privacy regimes.

In general terms, Privacy Commissioners are charged with addressing privacy issues - usually through a conciliation procedure. The Information Commissioner has a responsibility at the ommonwealth level in commencing enforcement procedures that can result in fines of up to $A2,100,000.00.

The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector. Privacy Act protects the personal information i.e., information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not. It gives sensitive information a heightened level of protection.

The Privacy Act is intended to regulate the handling of personal information through a set of information privacy principles that govern various aspects of information handling, such as principles that limit the collection, use, and disclosure of personal information, principles that make information controlling more transparent, and principles that necessitates organizations to maintain personal information secure. In the context of those categories of personal information that also qualify as "sensitive information," the restrictions on collection, use, and disclosure are more stringent.

The Privacy Act applies to Australian Privacy Principles (APP) entities and extends to all of Australia's external Territories. An APP entity means an agency or organisation. The Privacy Act also applies to an act done, or practice engaged in, or outside Australia (and Australia's external Territories) by an organisation, or small business operator, that has an Australian link (in other words is considered an APP entity).

The Privacy Act provides 13 Australian Privacy Principles which mandates on government and private organisations collecting, handling, storing, using and disclosing personal information to follow certain guidelines and guarantees certain rights to the individuals to access and correct personal information. The Australian Privacy Principles are:

Australian Privacy Principle 1-open and transparent management of personal information.

Australian Privacy Principle 2-anonymity and pseudonymity.
Individuals must have the option of not identifying themselves unless this is impracticable.

Australian Privacy Principle 3-collection of solicited personal information
Information may be collected only if it is reasonably essential for the organisation’s functions or operations and must be collected only by lawful and fair means.

Australian Privacy Principle 4-dealing with unsolicited personal information When an organisation receives unsolicited personal information, it must consider whether it could have gathered the information itself under the APPs within a reasonable time. If not, the organisation must destroy or 'de-identify' that information.

Australian Privacy Principle 5-notification of the collection of personal information
An organization collecting personal information must take reasonable steps (if any) to make the individual aware of a number of mandated issues at or before the time of collection (or as soon as practical thereafter); for example: the organization's identity; the purpose of the collection; the types of organizations to whom the personal information may be disclosed; whether the organizations is likely to disclose the information to over seasr ecipients (and, ifso,to which countries); and that the organization's privacy policy contains certain information (e.g., how to make a complaint). When personal information is gathered indirectly ratherthan directly from an individual, an organization must take reasonable steps to ensure that theindividualis aware of the same issues.

Australian Privacy Principle 6-use or disclosure of personal information
Personal data shall be used or disclosed solely for the reason for which it was obtained (the primary purpose).
Personal data may be used or disclosed for a secondary purpose in the following circumstances:

• the secondary purpose is related to the primary purpose, and the individual would reasonably expect it to be disclosed or used in this manner;
• the individual has given agreement to that disclosure or use;
• or another exception applies (e.g., that the use or disclosure is required by Australian law).

Australian Privacy Principle 7-direct marketing
If an organisation has personal information about an individual, it must not use or disclose that information for direct marketing purposes. An organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing in the circumstances given in APP 7.2.

Australian Privacy Principle 8-cross-border disclosure of personal information
The sharing of information to a person who is located outside of Australia is governed by APP. In some instances, an organisation may be held accountable under Section 16C of the Privacy Act for a breach of the APPs by an overseas recipient of personal information supplied by that organisation.

Australian Privacy Principle 9-adoption, use or disclosure of government related identifiers
Unless an exception applies, (e.g., the adoption, disclosure or use is required or authorized ban Australian law) an organization may not use or disclose an identification assigned to an individual by a government agency as its own identifier of the individual; or reveal or use an identifier assigned to an individual by a government agency as its own identifier of the individual.

Australian Privacy Principle 10-quality of personal information
An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up-to-date and complete.

Australian Privacy Principle 11-security of personal information
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

• from misuse, interference and loss; and
• from unauthorised access, modification or disclosure.

Australian Privacy Principle 12-access to personal information
In general, an organisation must provide an individual with access to any personal information maintained about him or her upon request. There are several exceptions to this general rule, such as where providing access to personal information would have an unreasonable impact on other people's privacy, or when limiting access is mandated or authorised by Australian law.

Australian Privacy Principle 13-correction of personal information
If the entity is satisfied that the information is erroneous, or if the individual requests it, the entity shall take reasonable steps to correct the information. According to the Guidelines, "appropriate... deletions" may be among the reasonable procedures to be done. Individuals, on the other hand, do not have an express legal right to have erroneous data removed. In fact, under Australian law, there is currently no right to have data removed.

If an organisation refuses to rectify personal information, it must explain why and inform the individual who sought the correction of the methods available to file a complaint.

The Office of the Australian Information Commissioner is the authority under the Privacy Act to regulate data protection in Australia.288 It is the authority responsible for enforcing the Privacy Act.

On March 12, 2014, significant changes to the Privacy Act took effect in a variety of areas, including direct marketing, privacy collection statements and privacy policies, the collecting of unsolicited personal data, the dissemination of personal data beyond Australia, and credit reporting. Significant penalties can now be applied for "severe" or "repeated" breaches of data subjects' privacy.

Certain organisations are excluded from the duty to comply with the APPs under the Privacy Act. Small business owners (those with an annual turnover of less than A$3 million in the previous financial year) are normally exempt from the Privacy Act. There are also exemptions for domestic use, media organisations and political representatives. There is no general exemption for not-for-profit organisations.

Acts or practises that are directly related to a current or prior job relationship and involve an employee record held by the employer are exempt from the applicability of the Privacy Act. In effect, this implies that the Privacy Act does not apply to many of an organization's operations involving its own personnel. The sharing of personal information (other than sensitive information) between companies in the same corporate group is exempt from the application of the Privacy Act. However, even when information is transferred within group companies, the restrictions regarding the disclosure of personal information outside of Australia continue to apply.

As part of its response to the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry final report (DPI Report), the Treasury announced commitments to improve consumer protection and rights under privacy laws, as well as increasing penalties for violations. The ACCC published the DPI Report on July 26, 2019, which included 23 recommendations aimed at addressing the influence of digital platforms on consumer rights and competition in the media and advertising industries. The recommendations included increasing penalties, regulating social media privacy, right to erasure, consumer data protection etc.

The report also suggested the widening the definition of ‘personal information’ “Clarifying the definition of ‘personal information will update the Privacy Act in line with current and future technological developments relating to the scope of technical information collected, used and shared about individuals in the digital economy and is particularly important in light of the large and increasing volume of technical information collected from individuals in Australia”. Furthermore, the proposed reforms would allow Australians to request that online platforms stop using or disclosing their personal information, with greater protections if the person is a minor or deemed vulnerable.

CONCLUSION
Although, in a preliminary examination, the scholars might consider America’s privacy protection framework weak than the European approach, however, in some aspects, the American framework offers more protection than the European counterpart. Swire and Kennedy-Mayo argue that “U.S. protections are stricter in seven ways:

1. oversight of searches by independent judicial officers:
   • probable cause of a crime as a relatively strict requirement for both physical and digital searches;
   • even stricter requirements for government use of telephone wiretaps and other real-time interception;
   • the exclusionary rule, preventing prosecutors’ use of evidence that was illegally obtained, is supplemented by civil suits;
   • other legal standards that are relatively strict for government access in many non-search situations, such as the judge-supervised “reasonable and articulable suspicion” standard under ECPA;
   • transparency requirements, such as notice to the service provider of the legal basis for a request;

lack of data retention requirements for internet communications; and lack of limits on use of strong encryption.”

“In contrast to the European Union’s data protection approach, which in many ways represents the gold standard of privacy protections, the dominant approach in the U.S. is grounded in consumer protection regulations.” The Privacy Principles under the Australian law and Data Protection Principles under the UK legislation can be considered as a powerful means of protection of data privacy. However, the sectoral legislation in US has an advantage as almost everything is covered in a more efficient manner, though it is complex and costly.

REFERENCES:

1. Australian Government- Federal Register of Legislation, https://www.legislation.gov.au/Details/C2021C00242
2. David Watts and Pompeu Casanovas, Privacy and Data Protection in Australia: a Critical overview (extended abstract), (visited on 25/08/2021)
3. https://www.w3.org/2018/vocabws/papers/watts-casanovas.pdf
4. Directive 95/46/EC, https://eur-lex.europa.eu/legal- content/EN/TXT/HTML/?uri=CELEX:31995L0046 (last visited on 6/10/2021, 10:30 pm)
5. Micheal Morris and Emily Cravigan, The Privacy, Data Protection and Cyber Security Law Review- Australia, (last visited on 23/08/2021)https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law- review/australia
6. One Trust Data Guidance, Comparing Privacy Laws: GDPR v. Australian Privacy Act, https://www.dataguidance.com/sites/default/files/gdpr_v_australia.pdf (last visited on 22/08/2021 11:00 am)
7. Privacy Act 1988, https://www.legislation.gov.au/Details/C2014C00076 (last visited on 22/08/2021 10:00 am)
8. Robert Hasty Et.al, Data Protection Law In USA, Advocates for International Development, https://www.neighborhoodindicators.org/sites/default/files/course- materials/A4ID_DataProtectionLaw%20.pdf (visited on 22/08/2021)
9. Sec’y Advisory Comm. On Automated Personal Data Sys., U.S. Dept. of Health, Educ.&Welfare, Records, Computers, and the Rights of Citizens (1973) https://aspe.hhs.gov/report/records-computers-and-rights-citizens. (visited on 21/08/2021)

STATUTES AND BILLS:

• California Consumer Privacy Act, 2020
• Children’s Online Privacy Protection Act, 1998
• Computer Fraud and Abuse Act, 1986
• Controlling the Assault of Non-Solicited Pornography and Marketing Act, 2003
• Electronic Communications Privacy Act, 1986
• European Convention on Human Rights (ECHR), 1950
• General Data Protection Regulation, 2018
• Gramm-Leach- Bliley Act, 1999
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Privacy Act 1988
• The Fair Credit Reporting Act, 1970

CONVENTIONS:

• American Convention on Human Rights ,1967
• American Convention on Human Rights, 1969
• Convention on the Rights of Child, 1989
• Convention on the Rights of Persons with Disabilities, 2007
• European Convention on Human Rights (ECHR), 1950
• International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families, 1990
• International Covenant on Civil and Political Rights (ICCPR), 1966

Award Winning Article Is Written By: Mr.Shray Tiwari, Amity Law School, Amity University, Lucknow, Uttar Pradesh
Email: shray.tiwari56@gmail.com

Authentication No: AP310528241462-15-0423