You make reference to a legal system that precisely defines what is or isn't legal, and then give an example of a company who were legal, but who got prosecuted / sued anyway, and who lost.
Law is not just the acts and statutes, it's case law too. We have strong guiding principles in GDPR, and we have mostly clear direction for what is or isn't acceptable. And now we wait for regulation to happen.
> so massive fines!".
No. "We don't like it, so here's a letter telling you what we don't like, with suggestions for current best practice". At that point you either change to come into compliance, or you write back and explain why you think you are in compliance. European regulators (at least the ones in the UK) try to avoid fines. The UK's ICO has never used their maximum fine, and there have been some serious data breaches in the UK.
The heart of the issue is that you're talking about trends rather than what's actually written in the law, i.e. legally binding.
Many of us are not comfortable staking our livelihoods on trends.