They did: the Finnish CEO was criminally charged and convicted (under GDPR); that never happens in the US. (I wasn't aware it was overturned on appeal in 12/2025, neither is Wikipedia currently).

They did face consequences. That ex-CEO (and CTO) also essentially had their reputations shredded, and their behavior was publicly scrutinized (have you ever seen the Comcast CEO grilled by Congress? I haven't). Sure, it would be better if they had actually gone to prison. But my point is GDPR has to teeth, unlike US state digital privacy laws.