Or we could just start punishing companies for massive and widely damaging data leaks. AFAIK about GDPR, it wouldn't prevent this. These things keep happening because nothing bad happens to companies that let it happen.
GDPR prevents this by putting rules in place that you, as the owner of the data, need to show that you're protecting it responsibly.
The threat of the gigantic fine is what gets people into compliance to prevent this from happening.
Lots, possibly even the majority, of companies in Europe beefed up their IT security procedures because of this, and I wouldn't be surprised if almost everyone that sits at a keyboard in Europe got called into a meeting to talk about how important it is for them to keep their customers' data private and ways to do that.
Without something like this in place, companies can just not even care about users' data, because 'oops, we did nothing to protect it' is still a valid excuse.
GDPR specifies fines up to 4% of annual global turnover or 20 million euros, whichever is greater. That seems like plenty enough bite, if it were enforced.
> If this were true then why have upper limits at all?
Because while the rulemaker believes that there is a range of potentially reasonable judgments based on particular circumstances, they do not believe that range is unbounded.
> The only reason I can think of is to protect large corporations.
The fixed minimum upper limit of $20 million is actually probably to prevent (or limit the effect of) large corporations using smaller subsidiaries and fancy accounting for GDPR-risky activities, rather than the upper limit protecting large corps.