I’m glad to see that Microsoft and other tech giants are fighting to stop the US from seizing data in the cloud.
If Microsoft were to comply with the US government’s hybrid warrant-subpoena for data stored on Australian soil, they would be in breach of the Australian Privacy Act 1988 and APP 8.
Interestingly, if they were to comply with this for data on a South African citizen, regardless of where the data is stored, they may be in breach of section 72 of the South African POPI Act.
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
(a) who is not in Australia or an external Territory; and
(b) who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.
16C Acts and practices of overseas recipients of personal information
(1) This section applies if:
(a) an APP entity discloses personal information about an individual to an overseas recipient; and
(b) Australian Privacy Principle 8.1 applies to the disclosure of the information; and
(c) the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the overseas recipient in relation to the information; and
(d) the overseas recipient does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles so applied to that act or practice.
(2) The act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act:
(a) to have been done, or engaged in, by the APP entity; and
(b) to be a breach of those Australian Privacy Principles by the APP entity.
(6A.4) An act or practice does not breach an Australian Privacy Principle if:
(a) the act is done, or the practice is engaged in, outside Australia and the external Territories; and
(b) the act or practice is required by an applicable law of a foreign country.
According to the Australian Privacy Principles (APP 11), an entity must destroy or de-identify information when it no longer needs that information for a purpose that is permitted under the APPs.
Now I wonder if it is possible for an individual to cause their personal information to be destroyed under this principle.