It's trivial to bulldoze a European start-up by having complaints filed in a bunch of jurisdictions alleging this or that nonsense. It's nonsense, so no fines. But the mandate to investigate means this tiny start-up now has up to twenty-eight national supervisory authorities sending it demands, which can easily overwhelm a small team.

> Disagree on fines based on gains and damages on their own. My understanding is that percentage of global turnover usually is a higher number than gains and damages. I'd prefer it be "the higher of either".

Gains and damages contrates the discussion to the malfeasance at hand. Global-revenue fines are subject to grandstanding. That means lots of headlines and fewer fines actually paid.

You vastly overestimate the responsiveness of data protection authorities. Your complaints will be filed and requests be sent in what, months? Certainly not all at once; and for pretty much all requests, even a small startup will have general answers prepared (or can make them up) they can send out immediately, with clarifications sent later.

Edit: And that's even glossing over the fact that for your bulldozing, you'll have to research how to report your "nonsense" for each individual jurisdiction, in that country's language; and I'd be surprised if they wouldn't want to know which citizen encountered the privacy violation you're trying to report; the people working there aren't stupid, either. All that is to say: I've yet to see such a trivial bulldozing happen.