> The trouble started when lawyers correctly noticed that these are incidentally capable surveillance systems even though that isn't how we use them or what they were designed for.
Many systems were not explicitly designed for surveillance, and yet are, because many systems collect too much data to begin with.
Hence the problem: people who collect too much data claim that GDPR is complicated, complex, convoluted, impossible to comply with... instead of changing what data they collect, and how.
Additionally, people confuse the complexity of human endeavours with the complexity of the law. GDPR itself is neither complex nor complicated. It doesn't try to carve out exceptions, rules, and regulations for every possible activity humans may attempt. Then it would become impossible to understand or comply with.
As is, it has enough carveouts for industries which require more data than strictly necessary, called "legitimate interest" (which still doesn't allow you to just use this data willy-nilly). E.g. banks collect significantly more data about customers than strictly necessary (because KYC, fraud, security etc.), and store that data for a significantly longer amount of time than allowed by privacy-related laws (because they are governed by the bank laws of their respective countries). It doesn't mean they can sell that data or spy on users.
Same here. It's not on the law to tell you exactly how to operate your "industrial-scale operation". It's on you to fix your shit, stop collecting more data than necessary, have data protection in place, delete data after a reasonable time, anonymize data etc.