[graemep]

Yes and no. AFAIK it provides controls to ensure a certain level of privacy (with serious flaws IMO).

AFAIK it does not do much, if anything to punish breaches caused by incompetence. I have not heard of of any cases where companies were fined for breaches.

Not the whole of Europe. The EEA and the UK has legislation based on it what has not yet diverged significantly.

[TrickyRick]

https://www.enforcementtracker.com/

Here's a long list of them

[graemep]

Not really. That links to a list of all enforcement actions.

If you search for "technical" you get "organisational and technical measures", and most are organisational rather than technical.

If you search by the word "hack" which seems to be the seems to be the usual terminology used there for vulnerabilities being exploited. There are 18 of these of 2182 entries. Not even one per EU country since 2018. Given how common data breaches are it is a tiny number.

Most of them do not give details, but those that do suggest the fines are levied only in extreme cases (for example allowing unauthenticated internet access to medical data: https://www.enforcementtracker.com/ETid-1015 ) or for certain types of failure (e.g. not having MFA). Most do not give details.

its better than I thought, but still far too little, and all the cases where any details are given it is for only a very narrow range of failures.

[TrickyRick]

The search function isn't that good, "Insufficient technical and organisational measures to ensure information security" are basically all data leaks.

Here's a few famous ones, most of which are of course a few years old since government agencies tend to move slow but more recent ones will get what's coming for them.

https://www.theguardian.com/technology/2022/nov/28/meta-fine...

https://ico.org.uk/media/action-weve-taken/mpns/2618524/marr...

https://en.wikipedia.org/wiki/British_Airways_data_breach#Co...

https://www.bbc.com/news/technology-54931873

[graemep]

Yes, but, as I said, a lot of them are organisational data leaks due to people's actions, not due to technical flaws.

The news stores are more encouraging. Thanks.

[speedgoose]

I remember this case in France: https://www.lemonde.fr/societe/article/2019/06/18/la-cnil-in...

A GDPR related 400 000€ fine because a company was storing confidential data without authentication using sequential IDs, _and_ they didn’t care when they were warned about the issue.