So, we have a pretty strong commitment to protecting HIPAA (US) data, since we receive some PHI/PII data from many organizations.
I've learned recently of a case where some PII data (this was not under our control) was transferred to a consultancy that was not in our approved list - actually overseas. During the investigation it was uncovered that the consultancy actually bid out the data processing to another organization in a (ahem) non-friendly.
Between the various parties that tap into our infrastructure already (janitors, states, agencies, nations, super-galactics), and just shuffling these bits around the world - can we actually prevent leakage of everything?