I rather think it gets a lot of hate because it leaves a lot to the discretion of the regulators. Overall, the SMEs I talk to don't have a problem with regulating data (most think it will pop the gangrenous ad-tech bubble). It's the lack of predictability that bothers them.
"You're making efforts to comply with the regulations, but could you have a look at how you're storing this and that?"
vs
"You're not compliant with the regulation so we have to impose a fine"
Are you really saying you'd prefer the second?
People are rightfully worried about "you followed the law completely but we don't like it so massive fines!".
That seems largely independent of how precise/vague the laws are, if you're expecting the enforcing party to find a way to get you regardless.
The 'defence' here seems to be that you can make a decent argument that you've taken appropriate measures to conform with your [reasonable] interpretation of the rules.
The regulator can object (and possibly penalise you) if they think you're not acting in good faith, or you have a grossly unreasonable interpretation of those rules. You can object to an unfair interpretation of the rules by the regulator as well.
Either way, if The Powers That Be want you nailed to a wall, they'll find a way, this particular regulation or not.
“You’re making efforts to comply, but even though this isn’t spelled out, we need XYZ done”
vs
“You’ve complied with all the requirements that have been spelled out”
You make reference to a legal system that precisely defines what is or isn't legal, and then give an example of a company who were legal, but who got prosecuted / sued anyway, and who lost.
Law is not just the acts and statutes, it's case law too. We have strong guiding principles in GDPR, and we have mostly clear direction for what is or isn't acceptable. And now we wait for regulation to happen.
> so massive fines!".
No. "We don't like it, so here's a letter telling you what we don't like, with suggestions for current best practice". At that point you either change to come into compliance, or you write back and explain why you think you are in compliance. European regulators (at least the ones in the UK) try to avoid fines. The UK's ICO has never used their maximum fine, and there have been some serious data breaches in the UK.
The heart of the issue is that you're talking about trends rather than what's actually written in the law, i.e. legally binding.
Many of us are not comfortable staking our livelihoods on trends.