Well, it's a little grey, right? There's a contract. The contract is usually worded in very broad language saying that they need to protect the information in accordance with applicable laws.
They just want the business. They want the contract. They'll sign it. At the end of the day, what kind of encryption are they using? Where is the information going to be stored? All these facts are not necessarily taken into account, so I like this section from the Quebec law, which creates an additional obligation on the part of the transferor.