
I wonder if this is true for me as an EU citizen. Per the GDPR, companies can use personal data without consent when there is a legal requirement, but I think they can't just hand it out without consent when they just feel like it.

Maybe that is where the warrant comes in, to make it plausible that it is required?

I guess we'll find out when they arrest the first EU citizen based on this data.



The GDPR states that there is a list of purposes which allow member state law to restrict the scope of the GDPR[0]. One of these purposes is "the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security".

German law uses this to allow "non-public" controllers/processors (aka companies) to give data to German (and EU) law enforcement[1]. The police still need to specify legal grounds, e.g. the investigation of a concrete alleged crime, and "drag net" investigations are generally not legal. The controller/processor has no obligation to give data to the police if they just ask, but it can if the police request is narrow enough and names the legal grounds. If there is a court order, that's another matter; then the company is obligated to provide the data.

But what about US law enforcement wanting data about some German citizen within the scope of the GDPR and German law? A service provider is not allowed to give US law enforcement such data[2][3], but in this case US law enforcement will usually use the mutual legal assistance treaty (MLAT) between the US and Germany to ask the German police for help. The German police will then essentially ask for the data and (provided there are legal grounds) the service provider is allowed to pass the data to the German police, which passes it back to US law enforcement.

Legislation in other EU member states is mostly quite similar.

[0] https://gdpr-info.eu/art-23-gdpr/

[1] https://dsgvo-gesetz.de/bdsg/24-bdsg/

[2] https://gdpr-info.eu/art-48-gdpr/

[3] But it really becomes complicated when the service provider is under US jurisdiction (in this example). Then the service provider is caught between competing law of two different jurisdictions and is in the unfortunate position to decide what law to break.


IANAL, but the answer appears to be no. Even an actual warrant doesn't count. Legal processing has to be required by the law of an EU member state; US court rulings don't count.

See https://gdpr-info.eu/art-6-gdpr/ (6)(1)(c), (6)(3)(a/b) and https://gdpr-info.eu/art-48-gdpr/ (48).

That's not to say I know how a Google would react to a US warrant about an EU citizen (especially given the CLOUD Act, https://en.wikipedia.org/wiki/CLOUD_Act), but from what I can tell it's not permitted under the GDPR.


