"These large rich tech companies" are not the ones getting breached. The likes of Google and Microsoft take security seriously already. The problem is the likes of Equifax and Capital One and government databases with poor security that nonetheless contain all kinds of sensitive information that they shouldn't be aggregating and retaining to begin with and they certainly shouldn't be required by law to collect and store, even though they frequently are right now.

Also:

> and google suddenly getting religion about you being able to mass-download your data.

They had that even before the GDPR.