Blog‎ > ‎

Identity-Privacy

Subscribe to posts

MS fights US cross border data seizure laws

posted Jun 17, 2014, 7:52 PM by Jake Vosloo   [ updated Jun 17, 2014, 7:55 PM ]

I’m glad to see that Microsoft and other tech giants are fighting the US from seizing data in the cloud.

If Microsoft were to comply with the US government’s hybrid warrant-subpoena for data stored on Australian soil, they will be in breach of the Australian privacy act of 1988 and APP 8.

Interestingly, if they were to comply with this for data on a South African citizen, regardless of where the data is stored, they may be in breach of the South African POPI act section 72.

References:

Extract from the APP 8 from the Privacy Amendment (Enhancing Privacy Protection) Act 2012

8.1  Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

(a)    who is not in Australia or an external Territory; and

(b)   who is not the entity or the individual;

the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.

16C  Acts and practices of overseas recipients of personal information

(1)  This section applies if:

(a)  an APP entity discloses personal information about an individual to an overseas recipient; and
(b)  Australian Privacy Principle 8.1 applies to the disclosure of the information; and
(c)  the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the overseas recipient in relation to the information; and
(d)  the overseas recipient does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles so applied to that act or practice.

(2)  The act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act:

(a)  to have been done, or engaged in, by the APP entity; and

(b)  to be a breach of those Australian Privacy Principles by the APP entity.

 Extract from the Australian Privacy Act 1988:

  (6A.4)  An act or practice does not breach an Australian Privacy Principle if:

(a)    the act is done, or the practice is engaged in, outside Australia and the external Territories; and

(b)   the act or practice is required by an applicable law of a foreign country.

 

South African POPI Act 2013 pdf...

Destroy personal information

posted Jun 17, 2014, 5:09 PM by Jake Vosloo

According to the Australian Privacy Policies (APP 11) entities must destroy or de-identify information when it no longer needs that information for a purpose that is permitted under the APPs.

Now I wonder if it is possible for an individual to cause their personal information to be destroyed under this principle. 

References:

11.25 Where an organisation ‘holds’ personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information. This obligation applies even where the organisation does not physically possess the personal information, but has the right or power to deal with it. ‘Holds’ is discussed in more detail in paragraphs 11.4–11.6 above and Chapter B (Key concepts).

11.26 Where an organisation holds personal information that needs to be destroyed or de-identified, it must take reasonable steps to destroy or de-identify all copies it holds of that personal information, including copies that have been archived or are held as back-ups.

11.27 An organisation should have practices, procedures and systems in place to identify personal information that needs to be destroyed or de-identified (see APP 1.2, Chapter 1).

APP 11 requires agencies to take reasonable steps to protect information from 
interference, in addition to protection against misuse, loss, and from unauthorised 
access, modification or disclosure. 
Unlike IPP 4, APP 11 contains no obligation for an agency to protect information disclosed 
to third parties providing services to the agency. The only equivalent provision under the 
APPs is in APP 8, where an agency that discloses personal information to an overseas 
recipient, must take reasonable steps to ensure that the overseas recipient does not 
breach the APPs in relation to the information. APP 8 is discussed further under IPP 10 
and 11. 
Under APP 11, agencies must take reasonable steps to de-identify or destroy personal 
information if: 
• it is no longer needed for any purpose for which the information may be used or 
disclosed under the APPs 
• the information is not contained in a Commonwealth record, and 
• the agency is not required by or under an Australian law or a court/tribunal order, 
retain the information.10 
No such express obligation exists in the IPPs. 


1-2 of 2