No law can protect the personal information of a citizen who is outside the country. All countries have the authority to govern what goes on within their own borders. In light of the importance of trade in the Canadian context and the many situations that could arise, the idea is to find a solution that can be adapted to various situations. I think the solution provided for in PIPEDA is that anyone who exports the personal information of Canadians must require that the person to whom the information is sent, even if he or she is in a different country, will comply with Canadian standards. In Canada, that individual is responsible for what happens. This is handy, because if there is a problem with my information in the United States, for example, and if I have these contracts, I have some recourse in Canada, which is more realistic.
I think that when the Quebec law was amended recently, a standard was introduced whereby data are to be exported only if care is taken to ensure that local standards apply to the export of information.