> These laws can only be used by the EU commission against specific companies.

In the UK at least, the GDPR was incorporated into UK law (where it remains, essentially unmodified, even after Brexit). So it is certainly not necessary to get the EU commission involved to enforce the law. In the UK, the ICO is the relevant regulator. There are other national regulators that enforce the GDPR, such as the French CNIL.