Back in 2018 I was writing the controls which allowed British American Tobacco to manage the risk of GDPR and evidence (prove in documented format) that they were operating GDPR within the rules.
I got into an argument with the legal counsel for telling the truth. I put the real possible exposure to GDPR in terms of fines into the presentation. She had been lowballing it in a HUGE way. The real exposure was £80m and £40m respectively, depending on which part you breached.
She gave me a really hard time and told me that even £10m would be a disaster and "anyway", based on existing laws, nobody was going to see more than £10m in fines.
That didn't age well. 2 months after I left, BA was hit with a £128m fine. Since then Google has been hit with over €740m. But now we have a new high. Meta was just slammed with a €1.2bn fine for moving customers' data outside of the EU and into their US datacentres.
This can only go on for so long. Meta says they are monitoring the current negotiations between the US and the EU on this situation and will comply with anything they agree. However, if no agreement can be made, they may need to pull services.
Just imagine the "public service" GDPR will have given to the people if Meta were to pull Facebook, Whatsapp and Instagram from the EU, if only for a week. Theoretically the UK would have to be pulled too, as we operate the same laws, given that we didn't repeal them.
These fines have now reached such a level that they start to look like taxes.