[eqvinox]

I don't think it'd actually be a GDPR case in EU; it's more of a wiretapping case - note some of the victims communication was revealed. (GDPR violations might be a secondary charge, but wiretapping would be way more significant.)

That said it really depends on the exact legal framework (which I have no clue about) and eagerness of a prosecutor to make a case. Hence my "maybe".

FWIW I have a side job at a small community ISP in the EU and the GDPR was a no-op for us. The requirements for anyone operating in the telco space were already stricter. If I remember correctly the GDPR fines are higher though, whereas wiretapping (& co.) laws are much more likely to land you personally in jail.

(I was being intentionally vague with "privacy laws"; I do include wiretapping charges in that but, again, I don't know the US legal situation.)