I share your outrage about companies abusing users' data, but we're mixing up several different things:
- the Vastaamo ex-CEO was in fact criminally tried and convicted (even if that conviction was overturned on eventual appeal) and had his reputation destroyed. That compares well for GDPR vs US state privacy laws, which is what I was saying to you. That was my point by saying the US Comcast CEO hasn't been grilled by Congress on those (he has on media mergers, but not his company's business practices). I'm agreeing with you that Congressional grillings aren't consequences in any meaningful sense.
- the Vastaamo hacker was not charged under GDPR, they were charged with criminal offenses: aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence.
- I was not aware the Vastaamo hacker had been freed after serving part of his sentence (although his conviction was not overturned), but it seems [0] it might have been for implicating other people in the cyberextortion/ransomware ring. And since those people were operating in countries without much rule of law, we'd expect actions were taken that didn't involve courts or journalists. I can't find any press coverage of that part.
[0]: https://www.bitdefender.com/en-us/blog/hotforsecurity/vastaa...