There should be sth closer to an 'iron fist' approach, though. GDPR is a general data protection law. It's the lowest common denominator for all of industry. Industries that are particularly invasive to privacy are to be (and currently are) regulated with more specific legislation that adds to GDPR. Some provisions of DMA and DSA, for example, add more regulatory cost to Big Tech and Big Tech solely. ePrivacy is also lex specialis to GDPR, and further hampers adtech privacy invasions.
There must be more GDPR enforcement. Not just against the primary culprits.
Maybe, but EU doesn’t actually have a way to enforce it directly. Instead, countries adopt their laws to the requirements and they enforce it. You end up with something that represents the character of every country, this usually means laws followed and enforced in the north and west, not so much in the south east.
There must be more GDPR enforcement. Not just against the primary culprits.