[majewsky]

> This way, a malicious actor can buy thousands of GDPR requests and DDoS anyone but big companies like Google.

FWIW, request letters like this have been possible in Germany for multiple decades, and I haven't heard of any DDoSing of companies yet. Here's a representative e-mail template whose lineage goes back to 1998:

German: http://www.ulm.ccc.de/old/chaos-seminar/spam/spam-bsdg-auffo...

English: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

I have sent similar letters in the past and always received prompt answers.