
The GDPR is a large compliance burden. The bigger your company is the less this hurts you because it’s very approximately a fixed cost. So the GDPR kneecaps small companies while being a painful but bearable expense for large ones. On net it helps the internet giants by reducing competition.


This is no different than anything else. All sorts of unethical and exploitative arrangements are helpful for small firms’ bottom line, but easier to handle properly with larger scale.

Dumping toxic byproducts in the river. Forcing employees to work unpaid overtime. Keeping fraudulent books and evading taxes. Selling illegally dangerous products. Not following local building codes. Facilitating third-party fraud or money laundering...

Being a small business should not be license to do whatever you want, irrespective of the harm to customers, business partners, or others in the society.

In the case of data protection specifically, companies (perhaps especially small companies) are very cavalier with all sorts of data including personally identifiable information, financial information, communications, ..., and this causes serious harms when that data is misused directly or stolen by/leaked to/sold to someone who misuses it.

If a company cannot afford to stay in business while treating data carefully, then perhaps they should not be in business.


You're assuming that treating data carefully and complying with the law are the same thing. You can easily do the former and not the latter. More to the point, you can easily have already been treating data carefully and still have the compliance burden of paying lawyers to verify that fact put you out of business.

So what you're really saying is, if a company cannot afford to stay in business while navigating a legal framework designed for companies the size of Google, then perhaps they should not be in business. The result of which would be to have only companies the size of Google.


The same goes for any other kind of regulatory compliance.

No small company has to pay lawyers to validate that they are complying with GDPR. It’s just that if it turns out they weren’t, the fines for violations can be quite steep, so a risk-averse company is going to be proactive about it.

There are many types of regulations which are much stricter with more up-front costs than GDPR, which companies of every size manage to cope with (or sometimes don’t, and go out of business). The technology industry has just gotten used to not being held accountable when it harms people, so now that some sensible consumer protection regulation comes down (some) people are freaking out.


> The same goes for any other kind of regulatory compliance.

I don't think anybody disagrees with that. All regulatory burdens harm small businesses -- which is why they should all be minimized to the greatest extent possible.

> No small company has to pay lawyers to validate that they are complying with GDPR. It’s just that if it turns out they weren’t, the fines for violations can be quite steep, so a risk-averse company is going to be proactive about it.

And investors are risk-averse, so investors want to see compliance, so they're forced into the choice between going out of business due to the compliance burden or going out of business as a result of an inability to get investment without showing compliance.

> There are many types of regulations which are much stricter with more up-front costs than GDPR, which companies of every size manage to cope with (or sometimes don’t, and go out of business).

Two wrongs don't make a right. Nor do a hundred.

> The technology industry has just gotten used to not being held accountable when it harms people, so now that some sensible consumer protection regulation comes down (some) people are freaking out.

The technology industry is Intel and Samsung. Chips rather than bits. Plenty of regulation there -- environmental, patents, government contracts, etc.

But now we're talking about regulating information. It's not a particular industry, it's a thing all people do all day long. It's regulating people talking and writing stuff down. The number of people subject to whatever burden you impose is effectively everybody, so the burden inherently has to be small or when you multiply it by everybody everywhere it becomes an absurdity. If it's too complicated then either nobody complies with it and it's useless (and dangerous) or you crash the world by making everybody try to.


Not what I would call a kneecapping, or even a burden.

Compliance cost at the place I work in the UK was negligible. We have personal data on every customer, had to make some one time code changes, and ongoing costs are essentially zero. Frankly, compliance was trivial and little different to Data Protection - which was also trivial to comply with.

If you're data mining everyone to death and selling it off to multiple unnamed third parties, compliance may well be more challenging. Hardly surprising as that's one of the things it's trying to constrain.


By your logic complying with financial regulations is a large compliance burden too that kneecaps small companies.



