Even if you achieved perfect compliance with law-abiding organizations, that does nothing to protect you against any individual organization which does not abide by local laws.

Consider any hacker from a non-extraditing rogue state.

Consider any nation state actor or well-equipped NGO. They are more motivated to manipulate you than Starbucks.

Consider the slavish, morbid conditions faced by foreign workers who manufacture your shoes and mine your lithium. All of your favorite large companies look the other way while continuing to employ such labor today, and have a long history of partnering with the US government to overthrow legitimate foreign democratic regimes in order maintain economic control. Why would these companies have better ethics regarding AI-generated output?

And consider the US government, whose own intelligence agencies are no longer forbidden from employing domestic propaganda, and whom will certainly get internal permission to circumnavigate any such laws, while still exploiting them to their benefit.

Ok, so what protects you from these folks? What positive measure can be suggested here - that is better than the measures I suggest and subsumes them?

The solution is not to watermark anything, because it is futile. Teach your citizens that anything that can be machine generated, will be machine generated. Where exactly is the problem here?

> How many breaches of privacy by large orgnaizations occur in the EU? When they occur, what happens?

Malicious non-compliance is still common IME. Enforcement is happening but has been focused on the very large egregious abuse so far only.