Re: EU response.
Consider the scale of the problem. If Privacy Shield is officially not up to snuff for protecting EU citizens' personal data, here are some of the organisations that would be operating illegally:
* Facebook, Twitter, Snapchat, WhatsApp, and every other US-based social media site
* All US-based web-based suppliers of goods and services that collect any personal data. (Hint: when you order something, and you supply your name and address for delivery -- that's PII.) So, yes, AFAICT Amazon would be operating illegally.
* All vendors of IRL products. Got an Apple computer? You have an account on whatever the Apple big-brother-in-the-cloud system is called. Boom, that's illegal. Got a Ford car bought from new? You'll be on their customer database for marketing purposes as well as things like product recalls.
And so on and so forth.
Purely digital products and services are probably still a small fraction of the total value of US - EU trade; but I bet there's a digital element to most of them, even if it's only product registration or storing software license information or support contracts.
In the real world, though, as when Safe Harbor [sic] was struck down, no-one will take a blind bit of notice -- until some enterprising lawyers realise there's a lot of money in class actions. And when GDPR comes in, fines are up to 4% of the parent organisation's turnover. So in the case of Ford, says here their revenue in 2015 was $140Bn globally, so in principle they could be on the hook for up to $5.6Bn in fines.
It's going to be interesting to see whether the pragmatic "you can't shut down trade with the US" approach beats the "but the law!" argument, or vice versa.