You are right, and you are wrong.
Yes, the ECJ doens't have direct influence over the US Senate. But it does have a say about what is legal and not legal with European's data. And it has said, until the US gets its house in order, it is illegal for US companies to store data about Europeans on its servers.
So, no, they can't tell the US Senate what to do. But, until the US Senate does something, the flow of data between the EU and US is disrupted.
Also, it isn't about a conflict between spies and "businesscritters", as you put it. It is a conflict between spied and business weighed against an individual's right to privacy and control over their data. The EU, and especially Germany, put the individual's right to privacy above all else - even to the detriment of the authorities, for example the have to be exceptional circumstances, before the police can issue a photo of a suspect that is wanted and they can't use the persons full name either, let alone issuing private address information; for example a "Stefan Peterson, from 42 High Street, Hanover" would be "Stefan P. from Hanover" in the news and his face would be blurred out.
It becomes comical. There was a search for a killer last year, for 3 days a blurred photo was shown on the news, then the police went to court and managed to get it cleared that his image could be shown in the press, in order to help track him down. So, for 2 days his image was then shown in the clear. He was arrested after 2 days and the press could only use the blurred out image again. Consequent, but also a little crazy.
I am responsible for any data I have on other people, I have to ensure it is not handed to third parties without the written permission of the identifiable persons or a valid EU warrant. That means that if I store it on a US owned cloud service and they hand the data over to the NSA, FBI etc. or they sell the data to a third party, I am legally responsible for the data breach.
That makes using any service which has a presence in the USA a non-starter. It is financial suicide, as long as the CLOUD Act, Patriot Act and FISA Courts and National Security Letters can be applied to the "European" data.
Biting the hand that feeds IT
