That enforcement is pretty much enough for Eu businesses to observe GDPR.
And its way more than enough for large foreign tech companies like FAANG to have obliged with it waaaaay earlier.
Enforcement generally happens upon reporting. So your garden-variety startup or corp somewhere in the US or another corner of the world is unlikely to get reported unless they start to get sufficient userbase in the Eu.
I once requested under GDPR my personal data on a well known dating app. It contained all messages ever sent as well as GPS positions for years (try it yourself). I then requested that data to be deleted permanently and they refused.
I didn't take it to court because I didn't want my dating history to be dragged out in court.
I will not dispute that we need more enforcement, but it definitely exists and helps. For example, Google recently changed their "cookies" dialogue from "More options" to "Reject all".
Agreed about Google, but not only did it tame 4 years for such an obvious breach to be corrected, but I also don’t believe they were even fined for this particular violation - they decided to start complying after the IAB consent flow ruling.
They’ve basically been allowed to willingly and maliciously breach the regulation for 4 years.
Facebook appears to still be getting away with breaching the regulation on so many levels.
