GDPR doesn't rule out using servers in other jurisdictions. It just rules out using servers in jurisdictions with shitty privacy laws, e.g. the US. If all countries were to adopt similar laws, there wouldn't be a problem.
You are correct that the US copypasting GDPR into its own law would be an absolute triumph. But that's not what I'm worried about. The problem I'm worried about is multiple countries having conflicting data localization requirements.
One of the specific cited concerns with off-site hosting is that it exposes user data to foreign intelligence agencies. This is a valid concern, but it's not unique to the US. It's not like EU member states don't have their own spymasters: they absolutely do, and they are just as atrocious to democratic norms as American ones are. In fact, most EU member states would rather trust the US than each other; that's why their politicians negotiated the Privacy Shield agreement that ultimately got shot down.
If the US were to have a data localization requirement, it would almost certainly be incompatible with the EU's data localization requirement. Then everything I mentioned in my prior comment would apply: the need to shard users at best, and a need to firewall users off from one another at worst.
Exactly. As far as I can tell, the only problem that most European courts cite is the CLOUD Act. If that law were updated, I suspect many of these rulings would get reversed.