They’re not fucked, GDPR is all nice and dandy until it comes to States oppressing people, France has been steadily building DNA files of undesirables and foreigners and they can. ARCOM (formerly HADOPI) harvests insane amounts of personal data but it’s all been made legal because it’s against piracy and piracy is evil so it’s fine. Enforcement of GDPR violations in France is a bad joke, CNIL won’t do shit. They actively conspire with advertisers to make it easier for them to data mine legally, they only fine an infinitesimal fraction of violations, and they’re extremely slow and useless.

Their official excuse is a lack of budget but when the number* of fines you levy is a few dozens even when you get hundreds of complaints about extremely basic stuff like not complying with deletion requests and websites calling Google and other US companies without needing to, the excuse wears pretty thin pretty quickly, there’s ample and very clear precedent, they just don’t care.