One big easy line to draw is personal+individual versus commercial+corporation. There should be sweeping privacy laws that individuals can use to prevent information about them (including government issued identifiers) from being recorded, processed, and stored. Then for private vs private, a de minimis exception for individuals doing it noncommercially on a small number of people.
Delivery trucks are operated by corporations so don't have privacy protection (although the individuals driving them would from things like facial recognition). Traffic patterns can be studied without the use of individual identifiers. Law enforcement is moot because the juicy commercial surveillance databases won't be generated in the first place, and without them we can have an honest societal conversation whether the government should create their own surveillance databases of everyone's movements.
These aren't insurmountable problems. GDPR gets these answers mostly right. What it requires is drawing a line in the sand and iterating to close loopholes, rather than simply assuming futility when trying to regulate the corporate surveillance industry.
Delivery trucks are operated by corporations so don't have privacy protection (although the individuals driving them would from things like facial recognition). Traffic patterns can be studied without the use of individual identifiers. Law enforcement is moot because the juicy commercial surveillance databases won't be generated in the first place, and without them we can have an honest societal conversation whether the government should create their own surveillance databases of everyone's movements.
These aren't insurmountable problems. GDPR gets these answers mostly right. What it requires is drawing a line in the sand and iterating to close loopholes, rather than simply assuming futility when trying to regulate the corporate surveillance industry.