I never said GDPR is arbitrary legislation. In fact, I called it a good thing in my initial post.
My point is that without legislation companies generally are not going to do things that don’t make them profit directly or indirectly. Aggregating user data for users to see is not something that really generates revenue and so companies prior to GDPR didn’t really do this en masse.
Your argument rests on the idea that the GDPR was an unforeseeable (arbitrary) requirement, rather than a straightforward implementation of a predictably-relevant Schelling point. While businesses won't go out of their way to do things that don't generate revenue, it's not unreasonable to think they will do some basic forward-looking due diligence. When storing personal information on a whole bunch of people is a core part of your business, it's reasonable to expect that eventually those people will want some control over the records kept on them.