The GPDR is not criminal law. But ignoring that, regulators barely pursue GPDR violations.
Consider the swaths of dark patterns surrounding cookie terror banners. The GPDR language is extremely clear that none of them are legal, but virtually nobody is ever punished.
While the GDPR does not directly prescribe prison sentences, it absolutely enables countries to establish criminal offences for severe data protection violations, and they will clearly extradite!
In Europe we have the GDPR which does exactly this