I'm shrugging a bit, because we have very different experience regarding what the law did, as I worked on projects and privacy and handling of personal data was taken pretty seriously. (Sure, my sample size is small.)

Separating good traffic (and emails and sites) from bad is an inherently hard problem. I'm not surprised that a big generic supranational regulatory body did not solve it. But I think they found and okay balance between regulatory burden and efficacy.

(And even though I understand that the enforcement had to be left to various agencies of the member states, the absolute sluggishness and total lack of proactivity was bad for morale. Even though I'm aware it had to go through the courts too. But that's a communication problem and I expect the fucking supranational regulator to be able to articulate what the realistic expectations are and where are we compared to them, and what's keeping us from getting there, and so on. Post-legislation monitoring and follow up is very important, and all regulatory bodies are atrociously unaware of the harm their skill deficiency causes in today's complaint-driven cumulative resentment-based populist politics/propaganda.)