"The Data Protection Review Court is a mechanism put into place by the US to give European citizens the same right of redress they'd have at home."
There's a very simple principle that would sort this out. Irrespective of where the data is wrongfully accessed the redress should be between the data subject whoever accepted the data initially and in the jurisdiction of the data subject as if it had happened within that jurisdiction. While a business can't reasonably be held responsible for the actions of some other jurisdiction they can be held responsible for exposing data to such actions. How they do that is their problem but if the incentives are there they'll do it.