That's not necessarily the case. Consider two firms, one that has $1 billion in revenue and one that has $100 million in revenue. You'd argue that the bigger firm is getting off easier with a $20 million fine vs the smaller firm's $10 million because the fine is 2% instead of 10%.
OTOH, consider that the bigger firm is made up of a collection of 10 services, each earning $100 million. The breach is only in one business unit - is the global revenue a fair metric if the breach is not global?
It will be interesting to see how this is enforced against giant corporations when (inevitably) some small piece of data is missed on some small service in a business unit nobody at the C-level has ever heard of.