It’s a form of regulation. We could also put the sysadmin and the CIO to death every time there is a data breach but we, as a society, have decided that is too extreme. We could also choose to simply wag our fingers and hope the shame they feel will prevent a repeat. Fines seem to strike a balance.