is done in another country where these mechanisms aren't as available or enforceable? If your company sends its testing to another firm in another country, then you're entering a whole new level of disclosure. While your bank technically hasn't disclosed data to another institution if the data finds its way into an internal test region, sending it across the world to an unrelated entity is completely different.
Hidden complications can also come in the form of organizational constraints meant to provide additional protection, as usually found within domestic firms. "Chinese walls" and other internal controls limit the exchange of information between departments or companies. But what if you are using a gigantic outsourcing firm that services hundreds of systems for multiple enterprises? It is conceivable that data not meant to be commingled could be.
As an eternal optimist, I do see a silver lining in all of this. It is forcing companies to examine the entire issue around test data. A customer recently described a major project designed to create a test data region from the ground up. Not only did this solve privacy concerns, it also defined the data that is needed and reused every time, improving coverage and saving tremendous time.
If your company hasn't come to grips with privacy issues yet, I encourage you to do so, and fast. It isn't easy to fix, but once the genie is out of the bottle, it may be impossible.