I rather think it gets a lot of hate because it leaves a lot to the discretion of the regulators. Overall, the SMEs I talk to don't have a problem with regulating data (most think it will pop the gangrenous ad-tech bubble). It's the lack of predictability that bothers them.
"You're making efforts to comply with the regulations, but could you have a look at how you're storing this and that?"
vs
"You're not compliant with the regulation so we have to impose a fine"
Are you really saying you'd prefer the second?
People are rightfully worried about "you followed the law completely but we don't like it so massive fines!".
You make reference to a legal system that precisely defines what is or isn't legal, and then give an example of a company who were legal, but who got prosecuted / sued anyway, and who lost.
Law is not just the acts and statutes, it's case law too. We have strong guiding principles in GDPR, and we have mostly clear direction for what is or isn't acceptable. And now we wait for regulation to happen.
> so massive fines!".
No. "We don't like it, so here's a letter telling you what we don't like, with suggestions for current best practice". At that point you either change to come into compliance, or you write back and explain why you think you are in compliance. European regulators (at least the ones in the UK) try to avoid fines. The UK's ICO has never used their maximum fine, and there have been some serious data breaches in the UK.
The heart of the issue is that you're talking about trends rather than what's actually written in the law, i.e. legally binding.
Many of us are not comfortable staking our livelihoods on trends.