US companies operating servers in the EU must comply with EU data protection laws regarding information on those servers.
More accurately, US companies processing personal data of EU citizens must comply with EU data protection laws. It just so happens that locating the servers in the EU is among the easiest ways to comply with that.
Right, because the personal information is being transmitted outside the EU. Even if it's from a browser in the EU to a server in the US, that still counts. It's still an activity taking place in the EU.
The Brazilian case isn't about data transmission though. WhatsApp isn't in breach of any rules about that. It's about court ordered access to records stored on an server in a specific geographic location - The USA. Now if the Brazilian government passed a law requiring WhatsApp to record all data on servers in Brazil that would at least be possible to comply with.
More accurately, US companies processing personal data of EU citizens must comply with EU data protection laws. It just so happens that locating the servers in the EU is among the easiest ways to comply with that.