Today, the Office of the Privacy Commissioner of Canada posted a "Fact Sheet: Privacy and Outsourcing", which leads to two resources depending on whether you're looking at the public sector (Privacy Act) or the private sector (PIPEDA).
The fact sheets are mostly a collection of useful links and resources, though there are some general statements. The one the I find most interesting is the following:
Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.
When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.
This has consistently been the position of the OPC, starting with a PIPEDA finding from 2005 when the Commissioner said that a bank should (not must) advise customers that the processing of data will be outsourced to a US service provider. I have to note, though, that PIPEDA doesn't contain any actual obligation to provide such notice. So I'm not sure where the obligatory language from the OPC's new fact sheet comes from.
In any event, the fact sheets do provide useful information about the OPC's take on cross-border outsourcing.