I imagine that would only apply to sites which store PII[1]. The database should be located under the same jurisdiction (which doesn't mean every country, since some will have treaties to allow exporting to certain places (EU for example)) as the person whose data it is, and the data should not be transferred through other jurisdictions.

[1]: https://en.wikipedia.org/wiki/Personally_identifiable_inform...

Well, pretty much any website stores an email, name and password. Every startup would need to look at all the bilateral treaties between every major country in the world. This is simply impractical.

If a German user shares data with Facebook, Facebook should not be allowed to give the data to any entities in the US.

You may never give userdata to anyone else or give anyone else access to userdata.

Embedding tracking scripts from third parties is equally problematic. Google Analytics should be globally forbidden.

What if the user shares the data directly with a server in the US? People don't care...

And what if Google Analytics tracks me? 3rd-party tracking needs to be illegal right now.