by kevingadd 2421 days ago
Just because they're small and weak doesn't mean bad data policies can't cause harm. If you have 100 customers you're the little guy, but if your 100 customers are political activists in authoritarian states, it's kind of a big deal if you leave a .csv file containing their personal info on your http server, isn't it?

In the end, whether a penalty is just depends on the significance of the offense and whether the bad actor has reformed. The GDPR does give regulators discretion over whether to issue fines or take legal action; they don't immediately wreck people.

People need to remember that while laws are very rigid in drafting, they typically grant a lot of flexibility to the humans that enforce them... and humans often just opt to ignore them. So you can't just look at the law in terms of what it appears to read as, you have to also look at how it's applied in the real world. That can of course mean that a law like the GDPR has unintended negative impact, but it also means that sometimes the impact is not the negative you'd assume from reading it.