Sorry I meant by the service you're signing into, any of their 3rd party trackers, or in case of a data breach. This sets it apart from e.g. gmail's username+servicename@gmail.com, or a wildcard on a private domainname which only you ever use.
In some countries, it's fiscal liability - such as paying hefty fines. In others, that are not so friendly, the HR representative who receives/processes the legal request and/or whomever the country wishes to charge could very well land in jail[0].
In a choice between strictly maintaining your privacy and fines/jail time, most - if not all - companies will sell you down the river (if given a feasible chance that it doesn't entirely ruin them, say for example, if they weren't purely in the privacy trade) to save their own hide[s] (e.g.: see the whole PRISM scandal and its fall-out).
I'm sure there's logging or other AD property (think something like sidHistory[0]) to keep track of this.
Companies don't like being liable for not being able to provide data under order[s].
[0] - https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-...