Hacker News

The thing is if this was a civil case you have to prove some damages had been done by the leak. A random person leaking my email in CC - that happens a lot - is not even necessarily annoying but for sure doesn't cause any damages.



But how is that different from any of the other privacy violations that are regulated? I doubt many of us could prove any damages from Amazon listening in on conversations made by our kids, or Google not properly disclosing that it's tracking our search clicks and GPS location for better ad targeting.

In fact, I'd argue that leaking an email that exposes a private association with a mailing list to other unknown people has much clearer potential for damage than any of the privacy issues that big companies get fined for. And yes, CC leaks do happen (not a lot, in my experience), but I'm personally upset about it every time - much more so than when I find out Google didn't get my consent before recording half of my internet activity. Just because the violation is something that "happens a lot" because it can be done by accident by a careless individual doesn't mean it's less serious.


+1. Privacy violations sure do cause damages, they're just very difficult to attribute. When someone suffers identity theft, which of the dozens of leaking sieves with their data most enabled it?


Can you clarify what you mean by "The thing is"? Are you saying that's good, bad, or something else?

If a behavior is harmful and we want to stop it, but it's difficult to prove direct damages and therefore civil suits have been ineffective at curbing the behavior, then it seems like a reasonable public policy to impose fines on engaging in the behavior without requiring actual damages be proven in court.

(And if it's easy to innocently accidentally engage in the behavior, it seems reasonable to first issue warnings, and then impose fines if the behavior continues repeatedly.)


Whether there are damages depends on the context. In 2015 an HIV clinic in London used the To: field instead of Bcc: on a patient newsletter, thus exposing the names of 700 patients, many of whom knew each other due to the small geographic area being served (https://www.theguardian.com/technology/2016/may/09/london-hi...). They were fined GBP180K (under the pre-GDPR regime, incidentally, so this isn't a new risk for businesses).
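A pre-send guard for the To:/Bcc: mistake in that incident, added here as an illustration rather than code from the thread (function names and addresses are made up): it flags a bulk message that exposes more than one address in To:/Cc:, and shows the Bcc: stripping that a sending layer must do before the message leaves.

```python
"""Guard against exposing a subscriber list via To:/Cc: instead of Bcc:.

Constructed example; all function names and addresses are hypothetical.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses


def check_visible_recipients(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Return the addresses every recipient would see, if there are too many.

    A bulk mailing should show at most `max_visible` addresses (typically the
    sender's own list address in To:). More than that in To:/Cc: discloses who
    is on the list, so the full visible set is returned for the caller to block on.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = [addr for _, addr in getaddresses(headers) if addr]
    return visible if len(visible) > max_visible else []


def split_for_sending(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Return (envelope recipients, wire bytes) with Bcc: removed from the headers.

    smtplib.SMTP.send_message() performs this same stripping; doing it explicitly
    keeps the behaviour testable offline and protects any code path that hands raw
    bytes to a different transport.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses(fields) if addr]
    outgoing = copy.deepcopy(msg)
    del outgoing["Bcc"]          # removes every Bcc: header, no error if absent
    del outgoing["Resent-Bcc"]
    return envelope, outgoing.as_bytes()


def build_newsletter(subscribers: list[str], sender: str) -> EmailMessage:
    """Correct form: only the list's own address is visible, subscribers go in Bcc:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(subscribers)
    msg["Subject"] = "Newsletter"
    msg.set_content("Constructed sample body.")
    return msg


def build_leaky_newsletter(subscribers: list[str], sender: str) -> EmailMessage:
    """The mistake from the incident: the whole subscriber list placed in To:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = "Newsletter"
    msg.set_content("Constructed sample body.")
    return msg
```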


I think that is why my hospital network uses an online patient account for any messages instead of email. Easy to screw up this stuff if using email.



