European law tends to talk about the maximum available penalty under the worst possible situation. It then gives a list of factors to be taken into account. I'm not sure why that's a bad thing.

Look at the US COPPA, with potentially $41,000 per violation. Why isn't this more scary for American website operators? https://www.ftc.gov/tips-advice/business-center/guidance/com...

> A court can hold operators who violate the Rule liable for civil penalties of up to $41,484 per violation. The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. Information about the FTC’s COPPA enforcement actions, including the amounts of civil penalties obtained, can be found by clicking on the Case Highlights link in the FTC’s Business Center.

I mean, any US website that's compliant with COPPA should find GDPR to be a doddle.

https://corporate.findlaw.com/law-library/ftc-imposes-larges...

Surely US law also has fines proportionate to what has happened. E.g. EPA has hit large companies with multi-million fines for systematically polluting water over a long time, but if your small company makes a small mistake that's not the same. GDPR explicitly has a list of criteria to assess when determining the fine, and there's no reason to believe courts won't hold regulators to that.

For past experience with German privacy regulators (as an example, since our old law was fairly strict too), I'll quote a recent comment of mine:

From what I know, the German DPAs (they are organized on state level) hand out like 2 fines per month each, generally way below the maxima (under old German law, the max was 300000 €), and concluding the majority of cases without a fine. E.g. from the Bavarian DPA (german doc: https://www.lda.bayern.de/media/baylda_report_07.pdf, page 151):

in the years 2015-2016 they had 173 proceedings that involved potential fines. 52 of those resulted in fines. 34 of those fines were <1k€, 13 were <10k€.

Even in the worst case scenario you have the option of going out of business and filing for bankrupcy if you are incorporated in the EU and do get hit by a 20M fine. The EU can certainly try to take that amount from the company, but if it's a Ltd. or Gmbh. or equivalent its liability is limited by its shares.

Or you can incorporate outside of the EU (Guernsey or soon enough the UK perhaps?) and ignore the GDPR. At which point we'll just wait and see if the EU has any teeth outside its jurisdiction and how it will enforce this law.

I posted this above, but the old maximum fine from the ICO was £500k which was never used. The same people worried about being put out of business by the $20M max I guess were okay with close to the ~$750k max? For a lone website operator the new maximum is effectively no different than before.

https://government.diginomica.com/2017/08/10/ico-maximum-fin...