The CNIL was created in the 1970s. The main thing the GDPR has done is give it a lot more teeth. So in effect data privacy has been the law for over 40 years now. Ignorance of the law is not an excuse, not for such large corporations in particular.