Are there real consequences in any country?

Yes. The 2018-9 breach and cyberextortion involving Finland's mental-health startup Vastaamo.

- CEO Ville Tapio was convicted criminally under the GDPR.

- The company failed in 2021.

- Finland's NBI tightened criminal code on privacy violations of data subjects, either intentionally or through gross negligence, if they cause damage or significant inconvenience to the data subject.

https://news.ycombinator.com/item?id=40210873

	▲	dylan604 16 minutes ago \| parent [-]
		But now that it has happened once, will they ever do it again? A lot of innocent people lost their jobs because of not fault of their own. I'm putting this in the context of the NCAA punishment given to SMU frequently referred to as the death penalty. The NCAA has since said they would not do that again as there was a lot of unanticipated collateral damage from that punishment decision