The short answer--and I think for some the rather depressing answer--is that there are no absolute assurances. I think the current environment, where our personal data does traverse national borders with ease, to the point that your information is in different parts of the world, often without your direct knowledge, is a reality of this current globalized world.
I don't think, though, that means we take the proverbial Scott McNealy approach. He's the former CEO of Sun Microsystems, who said you have no privacy, get over it. There are people who can choose to say they don't want that information shared, but in a sense they forfeit, or they are forced to surrender, some of the benefits the globalized world provides.
I think most Canadians are comfortable with a certain amount of risk. Sometimes they're aware of it; many times they're not. But they recognize that there are benefits to even some of the outsourcing you've just described. They're comfortable knowing that does create a certain risk. But I think that then creates an obligation, from a regulatory law perspective, to create as many safeguards as we can within the realm of ensuring that we maintain some of these efficiencies.
Law doesn't become irrelevant in the scenario you've just described; it becomes more relevant than ever. It becomes more important than ever to ensure that our privacy legislation, while not providing anyone with an absolute certainty about protection of their privacy, at least provides some measure of assurance that those who are good actors know they have certain obligations in order to ensure they're complying with the law. And we have to ensure that the law sets the right kinds of obligations.