Fortunately since I'm in the UK the legal position is rather more enlightened. The default is that any processing of personal data is not allowed and they have to justify it and explain their justification.
Of course even if they flagrantly ignore the rules and carry on while treating any fines as a cost of doing business - which is hardly unusual in GDPR world for certain big tech companies - there is only so much you can do as one individual and you still need the regulators to step in and enforce the rules with meaningful sanctions.
Of course even if they flagrantly ignore the rules and carry on while treating any fines as a cost of doing business - which is hardly unusual in GDPR world for certain big tech companies - there is only so much you can do as one individual and you still need the regulators to step in and enforce the rules with meaningful sanctions.