See lawsuits against Google, Facebook, Microsoft, Amazon, and other large tech companies going back the last 20-30 years. This is the type of basic fact that doesn't need a citation in a discussion about GDPR.
In e.g. Belgium, privacy law is very strict and enforced for local corporation. When I read on hacker news how e.g. USA Healthcare providers dig up the old history of their clients to find a reason not to pay, I am horrified. Any West-European privacy regulator would have ended that kind of behavior long before things got this far. Probably just sending a strong 'We dont like this' message without actually starting a lawsuit would do the job.
Don't forget how history hammered into the population how people died and suffered because powerful groups managed to built lists of facts. Think WWII and the jews. Or the Napoleonitic conscription lists.
So if people with this background get confronted with the American Way, they don't like this. Here is a wrong that should be righted is the opinion.
For now, there are no lawsuits I am aware of. If both the large tech companies and the USA government behave reasonably well, I don't expect a big one either. The governmental regulators are simply not ready for them yet, as the GDPR had a big impact on them as well. And they never like having to pay for a drawn-out legal battle.
Maybe they mostly go after American companies because mostly American companies are in violation?
And it's not as if EU companies go without scrutiny. Due to the still-fractured market, most are small enough so their antitrust matters are localized to one country, but if you check the EU website there are still plenty of cases, they're just not sexy enough to make the news - like the a recent case "Commission fines maritime car carriers and car parts suppliers a total of €546 million".
In for instance the "state aid" tax preference cases cited in your link, the EU has also launched investivations into European companies like IKEA and Fiat cars.
I'm sympathetic to the dangerous of discretionary enforcement, but if you're making a dramatic change like this, it's pretty hard to avoid an awkward period while people get compliant or get shut down.
Without any real court cases showing how GDPR will be actually enforced, this 'introductory period' was useless. It could last 4 years instead of 2, and it would not make any difference.
There should have been a phase of mock suits. "Here's what you're doing that's against the new rules, and you have two years to knock it off or lawyer up."
