To play devil's advocate: that might become the going strategy. They're gonna be profitable as hell until they get fined and aren't allowed to continue after all...
But then it's just a matter of closing that enterprise down and creating a new one. They can keep APIs stable and give the big corporations plausible deniability as "the contractor said they're compliant".
This part won't work with GDPR - this is not the US. I've mentioned it someplace else - the contracts with the contractors have quite explicit clauses about liabilities for data breaches/leaks, as the fines would still be applied to the main entities.
With regard to GDPR, personal data is a liability and it should be handled with appropriate care.