I think the GDPR's mixed approach is the good one, regardless of the percentage, because even at 4%, I think it's still calculated based on the number of citizens affected by potential breaches of confidentiality and depending on the area.
We know that there are fewer citizens in Canada than in the European Union. On the other hand, it is important not to have a simple percentage, because 4% of a small structure, for example a start-up company, is not much. The company might want to take the risk with its investors and tell them to go ahead. If anything were to happen, at most, it could be about 4% of $500,000. That’s peanuts. That’s why it has to be doubled.
For example, in France, until 2016, the maximum amount was $150,000 for the first fine and $300,000 afterwards. It did not work. France has just raised this to a single amount of $3 million. This was adopted almost at the same time as the Regulation, which in my view also reflects the number of citizens concerned within the boundaries of a certain territory.