Technically Meta got fined on the basis of the DMA, not the GDPR (which I still don't fully understand). It's illegal according to my own interpretation of the GDPR too, but enforcement is seemingly non-existent.
All these fines are coming, but corporate lawyers stall as much as they can. Then, they appeal first-instance court decisions to stall some more. And they do get fined, 3-7 years down the road. Then, they change tactics just enough to violate a different law. If they were to change the nature of the crime more often, they'd open themselves to more prosecution.
But big tech can handle a few government penalties every decade. It even creates moat - artificial barriers to market entry. The multiplicity of penalties is insurmountable for new market entrants, but pocket change for the established ones. For example, the UK Online Safety Act is putting all the small social media sites out of business in the UK, but it won't change moderation standards at Facebook. Ergo, it has become Meta's moat. "If a fine is set for a crime, then it's only a crime for poor people".
Tech is full of clever and fast people who run circles around slow-moving government bureaucracies (even judicial). These courts need to resolve these cases every week. If it's 1 week for first-instance, 1 week for appeals, that's the pace that would stop big tech. Twenty-seven fines with a bite a year would have the intended effect.
But we're talking about a "landmark" GDPR win in this thread that took about 5 years. And the fines so far are less than 500 euros per data collector (250k euro fine / 600+ companies in IAB). It will not even warrant a footnote in GAAP financial statements at the end of the year for these companies; they'll just put it in operating expenses (along with the 1,500 euro office coffee machine, 3x more expensive than the privacy violations). A small blogger collecting analytics data incorrectly may not have much to eat in the month they get fined 500 euros (not that they will have had much to eat in the months of expensive court proceedings), but of course, they also risk the full extent of the penalties.
The actual options are: either you pay with your data or with your wallet. Which makes sense since, you know, journalists like to eat and eating costs money.
But it is illegal to pay with your data. That is the whole point. There shouldn’t be a choice to make here. Journalists should be able to eat and you should be able to read articles without being spied on.
