Can't say I'm really surprised.
A few years back I was embroiled in a corporate mire around the DPA which related to processing sensitive personal data "offshore" and particularly (and challengingly) in the USA.
There were in theory (and in law) protections and safeguards in place but you just got the impression (whatever they said) that businesses in the USA didn't take it at all seriously and were destined to fail.