Putting conditional logic in legislation still benefits big companies, if it still requires legal expertise to unpack all of the complexity added to the law. GDPR is a mess exactly because of this, and so is the UK’s ridiculous OSA. It’s loopholes and malicious compliance all the way down.

Ignoring that, the other problem is enforcement. Is it not unrealistic to have a law that says “if you have a data breach you are subject to a penalty?” And “if you fail to report that breach the penalty can go as far as corporate death or executive incarceration?”

Or even more simply - replace the wrist-slapping fines with criminal charges and imprisonment.