My suspicious is that 95% of "the industry" does not a give a fuck about their customer privacy and instead just wanted something easy to automate.
Plus IIRC there were compliance-as-a-service companies lobbying *for* this rule.
Discussion
Fair enough. They also didn’t bother asking someone from outside the closed circle of lobbyists. Well, but better now then never. I wonder if there will be any real effect in the final regulations.