The various shields for EU->US datatransfer, agreed before and after GDPR, have been found incompatible with GDPR even if only potential. It's just that nobody has sued anybody yet, as the industry silently scrambles to look for alternatives.

There is the law, and then there is enforcement of the law, and the latter has not fully happened yet.