Having data outside Canada and internationally is common not just across the financial institutions, but across a full range of companies. The Privacy Commissioner has addressed this in guidance.
It's so commonplace that you deal with it in a variety of ways. First of all, our federal privacy legislation requires that if data is to be housed outside of Canada, it must, through contractual and other measures, be kept as secure as if it were in Canada. There's also a requirement to provide notice to consumers so they're aware of that.