Do we have any evidence that a company has been forced into a situation like this yet? Where they've been required by the US to turn over data but prevented by the GDPR? I feel like that would've been big news, but surely it's happened already.

The joy of NSLs is that you’re not allowed to talk about them. I have no idea what it would look like, but I imagine there would be nervous lawyers talking to both the US DoJ and their local privacy commissioner, quietly trying to find some solution that doesn’t involve the executives going to jail when setting foot in the US.