First of all, just to clarify, on fines, PIPEDA only applies in the context of commercial activities, so there is always a revenue attached to the personal information.
Secondly, using a percentage, in my view, would be precisely the proportionate and, therefore, fair manner to impose equivalent penalties to all organizations.
Regarding harm, harm is not indicative of fault. You can have a hugely harmful hack; for example, let's take Carbanak. Carbanak hit 100 financial institutions for billions of dollars, and the Kaspersky auditors went through it and found the most unbelievably sophisticated hack behind it and stated that they could not find any flaw in the security systems of the 100 banks that were hacked. It was just really bad luck. Therefore, we should not correlate harm and guilt.
Finally, I believe that the best place to assess and award damages is the courts.