Fines are meant to discourage behaviour found unacceptable by society[0]. That obviously fails to work if the net outcome of a ‘discouraged’ action is still positive even after taking into account the fine (and compensation for damage, if any).
So, really, the (first) fine was not high enough. For a very similar reason, non-trivial fines[1] are usually given as a percentage of turnover or daily fines.
[0] Note that jail time also serves to rehabilitate the offender in case of serious crimes. That obviously doesn’t really work with companies, and unfortunately, carelessness with other people’s data is not considered a serious crime in many places.
Yeah, that's why I think exponential grow in fines for repeated offenses by a company is a good idea, it will eventually be net negative for the company so they will stop doing it.
Because you can't know the net positive in advance; is way too dependent of the context and that includes the size of the company.
It also discourages the searching of flaws in the system because even if you get away with it once (net-positive) you know the next time the fine will make unviable.
BTW this is similar to how already the civil justice system works in many countries, where after repeated minor offenses you go to jail.
[0] Note that jail time also serves to rehabilitate the offender in case of serious crimes. That obviously doesn’t really work with companies, and unfortunately, carelessness with other people’s data is not considered a serious crime in many places.
[1] Basically anything above a parking ticket.