That's hardly even a speeding ticket for Uber. As long as the fines are this low, companies of sufficient size simply treat this as a cost of doing business.
It appears that the maximum fine is 4% of a corporation's global earnings[1] which could be a lot of money, but still "just a cost of doing business" at the same time.
Uber is somewhere around $10b gross revenue, so $400m fine for every breach. Sure it's "just a cost of doing business". It also means that it's better to spend $200m beefing up their security to reduce from 1 data breach every year to one every 5 years.
Marriott revenue is $23b, so that's a potential $920m fine.
IHG (say), who invest in security and don't have a breach, get to charge less for their hotels, or make more profit.
I thought the same thing, but I was corrected here on HN: if you read the same exact link you posted, it says "a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater", so they ARE allowed to fine you EUR 20 million.
Much more than "just a cost of doing business" for the majority of companies.
Fining the company does nothing for the user whose data got leaked. Identity theft isn't a matter of degree; deterring future leakage has zero value. Either there's enough information on the black market to impersonate someone, or there isn't.