And yet, many European companies do routinely send data to the US, primarily in the context of using US-based service providers. They pretend that disclosing this transfer to the customer and pointing out that the ECJ has deemed US data protection as unacceptable allows them to do it anyway. In practice this may be true, but that’s only because the theory of what the GDPR requires is so rarely enforced in meaningful ways.