Most privacy laws today are incredibly overwrought and vague. In this case, face recognition was illegal even if you opted into it. Try being a startup that needs any amount of customer data to operate, and then read the GDPR and realize it's better off to just move to the US.
Regardless, you are missing the point. It is a straightforward calculus that if you craft enough complicated and vague privacy laws, companies are bound to violate it, no matter what they do or how hard they try. All you have to do is craft a set of laws in which any company can always be interpreted as in violation of one.
If I was a state, I would go out of my way to craft these vague, overwrought laws so I could have a reliable source of an extra few billion dollars here and there whenever I needed it. If I was a regulator or legislator, I'd do it for the career clout of "going after the big bad guys." And no one will ever complain, because "big companies are evil and capitalism has never done anything for humanity," so the Overton window can only ever move in one direction.
And this is how we end up with the undeniable technological stagnancy of the EU, where they completely missed the www and mobile revolutions, and will certainly miss the AI revolutions. How many Industrial Revolutions can you miss out on before you fade into irrelevancy, having lost a meaningful portion of your financial/economic/military/technological power? I guess we will find out.
I'm not missing your point, I just don't agree with it. :P
If what you're suggesting were true we would have seen large numbers of EU unicorns based around gathering private data before GDPR that have somehow disappeared ...and we didn't.
GDPR wasn't brought in through calculus to shake down brave data innovators, striving to "make the world a better place".
GDPR came in reaction to large foreign entities taking the piss, stalking us with creepy adverts and dark pattens, refusing to take no for an answer.
