You got it in a nutshell.
Point eight of the Data Protection Principles states:
"Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
The ECJ has said that the USA does not comply.
Point 9 of the checklist says:
"If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?"
We know that the US authorities (NSA, FBI, etc.) can demand access to any data held in the US, and that data holders such as Facebook, Microsoft, Apple, etc. will obey their masters, so the only way to protect this data is to use strong encryption and refuse to give the keys. This is illegal in the USA and they can try to extradite you from the UK if you try it. UK authorities have shown themselves happy to comply with similar extraditions.
I expect not much will happen until an activist like Max Schrems takes the next step and starts proceedings against the Data Protection Manager of one of these companies. A bit of jail time may focus their minds on the need to de-USA data storage.