Are there real consequences in any country?
Yes. The 2018-9 breach and cyberextortion involving Finland's mental-health startup Vastaamo:
- CEO Ville Tapio was convicted criminally under the GDPR.
- The company failed in 2021.
- Finland's NBI tightened the criminal code on privacy violations of data subjects, whether committed intentionally or through gross negligence, if they cause damage or significant inconvenience to the data subject.
In the EU:
Violators of GDPR (personal data) may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Under NIS2 (cybersecurity), financial penalties may be up to either €10 million or 2% of the global yearly revenue, again, whichever is the greater amount.