It would be nice if the EU also looked at which APIs these platforms allow third-party apps to use. For example, Android 4.2.2 removed the API for putting the phone into / out of Airplane Mode, requiring phones to be rooted to run apps like this:

https://apkpure.com/scheduled-airplane-mode-root/com.galaxy....

Not giving users full control over when they broadcast their effective location to the mobile phone network seems like it should also be a GDPR violation.