> Basically every US company operating in the EU is breaking GDPR post-Privacy Shield right now: it's illegal to transfer data of EU residents to US data centers.
This is not true and the devil is in the details. It's illegal to transfer "personal data" of EU residents. The definition of personal data under the GDPR is what US companies would consider PII or personally identifiable information and not all companies collect PII. In fact, I would argue most companies go out of their way to not store PII.
Not all companies store IP addresses. Or email addresses for that matter. And whether or not an email is PII depends on a lot of factors for your company but alone an email address is not legally PII.
> So basically everything uses PII even if it is only for bot and DDoS protection
If I use Cloudflare for example, as DDoS mitigation, I am not storing PII, Cloudflare is and thus Cloudflare has to deal with the legalities of that.
Even just transferring is not allowed without consent. And if you are the "controller" (i.e., you are using Cloudflare to serve your customers) you would take the fine, not Cloudflare. And IP and email are PII.