Re: France, Germany and Austria house the most offenders
Not sure about France, but Germany and Austria have a track record of rigorous enforcement, even under the Directive, so it's likely that this affects the position, rather than it being merely due to them having "most offenders".
Here in Blighty, the ICO seems to be concentrating on high profile data breaches and can be surprisingly tolerant of abuses of data subject rights that haven't resulted in data leakage. Here are a couple of examples:
Under DPA 1998 I reported a business that issued "fitness for work" certificates for posting the certificates online for collection, entirely unprotected other than by a unique URL, but was told by the ICO that this was OK unless I could prove that unauthorised access had occurred. The case officer actually suggested I should attempt to do so to prove my point (thereby of course committing an offence under the Computer Misuse Act).
More recently, I have been informed by a case officer (presumably representing the ICO officially) that it's OK for a data controller to conceal processing on the basis of "legitimate interest from a data subject. The actual decision was that "examples" of such processing are "sufficient".
I'm not a lawyer, but it seems to me that as processing on the basis of legitimate interest confers on the data subject a right to object to the specific processing, merely providing "examples" denies the data subject the ability to object to processing that is not used as an "example".
Taking such examples together with the appalling standard of almost all "privacy policies", we don't seem to be taking the GDPR very seriously, and of course it's possible that from February we could even dismantle our parallel compliance under our own legislation.