It is actually permitted to share information outside the country, provided that it's done in accordance with lawful agreements and specific conditions. Under the European model, for example, laws and mechanisms have to be equivalent to what exists in Europe. In Canada, the law requires that it be equivalent to what exists here, where the sharing of information may potentially be contract-based.
That's why we recommend that the legislation include a requirement to specify retention practices and safeguards, as well as apply the necessity and proportionality test, before data are shared with organizations in other countries. The goal is to prevent the data from being vulnerable to a cyber-attack.