
piltdownman
GDPR is simply ahead of its time from an American perspective. Like Mobile Telephony in Europe when pagers were still a thing in the US.

In time the average American consumer will understand the monetary value of their PII and usage metadata and demand adequate protections - which effectively is all that GDPR does. Given the actions of the current cabinet, I feel we are in fact accelerating towards this inevitable outcome.


pclmulqdq
GDPR does more than demand protections. It demands data locality. It demands that encryption and access controls be done in a certain way. It backs up its demands (that are sometimes vague) with huge fines.
piltdownman OP
It really doesn't do anything more than mandate consumer side protection.

Data locality in legally compatible jurisdictions is the most fundamental form of protection there is. Without concepts such as Safe Harbour and data locality, handling of PII would be farcical amongst MNCs.

Re: Demands on Encryption? The most prominent mention of encryption is in Article 32(1)(a), which mentions the “pseudonymisation and encryption of personal data” as measures that organisations can adopt.

However, it is important to note that encryption is not compulsory. Instead, the GDPR takes a risk-based approach, meaning that the decision to encrypt data depends on the sensitivity of the data, the risks involved, and the potential impact on data subjects.

Backing up demands with fines is about the only way consumer protections are realised as corporate mandates rather than friendly advisory. Name me another comparable piece of legislation that achieves its goals without resorting to punitive measures for non-compliance?

In short, you would far better understand the intent, purpose, and reality of GDPR if you engaged with it as a piece of vital EU consumer protection legislation, rather than some sort of draconian shake-down of American Capitalist practices.

pclmulqdq
Ah excellent. Encryption is not compulsory, but doing a bureaucratic risk assessment of whether you need encryption is. That is so much less work.

In reality, GDPR is a jobs program for eurocrat auditing and consulting firms combined with an effort by Facebook and Google to prevent European competition. Note that GDPR fines are big enough that they can crush a small company, but small enough that Google wouldn't care.

piltdownman OP
Doing a risk assessment to determine TLS and encryption requirements is a fairly fundamental part of handling of any personal information in any context. That GDPR puts a basic framework and foundational expectations around this as a legal mandate can only be a positive thing from the POV of the consumer.

The notion that this is either a consulting gig fix or an effort to prevent European competition is naive and farcical in the extreme. The three highest fines for Meta (1.2b, 405m, 390m) total €2 Billion. More than every other GDPR fine combined.

https://www.enforcementtracker.com/

Note that GDPR fines for individuals and SMEs are in the 3 to 5 figure range, and come under very basic grounds following repeated warnings. The intention is not to 'crush' anything, least of all SMEs in a globalised marketplace.

This is quickly evident when you look through the fines, whereby the only entity that wasn't a major company with hundreds of millions in turnover to break a fine of €5 million was a Croatian Debt Collector with absolutely appalling violations of basic data control - including processing minors, processing people with no debt at all, and monitoring things down to progression of terminal illnesses.

https://azop.hr/debt-collection-agency-eos-matrix-d-o-o-impo...

The most common by far are Art. 5 and 6 - Insufficient legal basis for data processing, followed by Art. 28(3) and Art. 32 - Insufficient technical and organisational measures to ensure information security.

These are basic compliance requirements, mirroring something like PCI but for personal as opposed to cardholder information. Framing this as some lobbyist wet dream of Goliath vs David is just so much FUD.
