zlacker

[return to "GDPR: Don't Panic"]
1. caffei+Ox 2018-05-18 14:08:58
>>grabeh+(OP)
I'm an attorney who's spent the last year or so working on GDPR compliance for a US SaaS provider, some of whose clients have EU employees. My understanding is that it's true that EU enforcement is more in the spirit of "how can we get you compliant?" before doling out fines (vs. the US, where it can be more "let's make an example of this company by hitting them with a big fine" and scaring others into compliance). I also agree that the authorities aren't going to be handing out 7-figure fines like candy, both because it's not their historical approach and because they don't have the resources to fight too many of those battles. I want to say I read that the Irish authority's annual budget is around $9M. Theirs is higher than most, and Ireland is where most of the US tech giants are established due to tax laws. That said, I think to say that GDPR compliance is simple because its text is fairly readable, or that EU data protection law is simply a matter of transparently respecting people's personal data and not being a bad actor as to privacy, is an overstatement. For example, the ePrivacy Directive, best known for prompting all those cookie consent banners, can be incredibly complex to comply with. Each member state has implemented that Directive in different ways. Look at this example https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-... where Honda sent out emails to its 350k database simply trying to confirm continued interest in being on their list and got a 13k euro fine for their troubles. I don't know all the facts, but from the document, it doesn't appear that Honda got the fine because they were recalcitrant or being terrible actors. And if the fine is proportionate to the offense (not to the size of the violator), then 13k euro might be levied against a small company for whom it is a significant penalty (not to mention costs, legal fees, etc. in dealing with it).
2. Gordon+zK 2018-05-18 15:44:55
>>caffei+Ox
From the PDF you linked to:

"This e-mail was sent to those individuals on the database where no “opt in” or “opt out” information was held"

Sounds like they were basically on a fishing expedition: if the individuals hadn't explicitly opted in, Honda shouldn't have been sending them emails.

3. caffei+Jkp 2018-05-31 15:11:30
>>Gordon+zK
Agreed that the fine for a company like Honda appears very reasonable. My only point is that their behavior was more sloppy than malicious or 'terrible', and sloppy in a way that many, many companies are sloppy. And a fine of this size for a small company would be very painful, maybe fatal.