It should be a different objective - To hold citizen data in the EU as a default
It would seem much simpler to me that the EU mandates that EU citizen data is processed by EU resident businesses OR, for those businesses from outside the EU that choose to operate in this market, they do so accessing EU citizen data stored here.
To afford the better protections of our data we should all seek, the default and primary choice should be that EU citizen data is held in storage facilities actually in the EU, with 'sensitive data at rest' and ALL data 'in-flight' being encrypted.
A data processor from within or external to the EU would have the same access regime to negotiate and would therefore be auditable and accountable within the EU and they would also need to be granted access, with auditable key management, to encrypted data.
Citizens should have the right to insist that their data is processed in the EU, again by primary default, meaning that businesses from outside the EU should establish and use facilities in this region, if they choose to operate here. That way would prevent EU business 'off-loading responsibility' through, all too often, opaque 3rd-parties whilst massively curtailing the huge abuses exercised by U.S. authorities on EU citizens.
EU storage and data processing businesses might get a boost from this; offering a more secure data management and processing regime would be a strong play in 'The land of the Free' and I suspect in other countries, too.
If the EU wants to exercise control, it needs to take control and stop wasting money and effort, floundering on the rocky shores of "Safe Harbor" and failing to land any usable catch...