It's not the same. There are companies which intentionally collect and exploit private data. There are companies which are just behaving negligently with users' data. There should be different penalties for intentional and negligent violations.
And there's a lot of room for choosing the fine/punishment. There should be some rules, i.e. fines for intentionally violating the privacy of millions of people should be very different from fines for an unintentional violation of the privacy of 10 people.