Re: Just the cost of doing business
There are three plausible jurisdictional theories that can be employed here:
1. The offense occurred wherever the corporation is headquartered, in this case the USA. Since the ICO is involved, I surmise this is not the theory being employed in this instance.
2. The offense occurred wherever the data was being stored, almost certainly also the USA.
3. The offense occurred wherever someone lives (or is a citizen) whose data was not properly protected.
I'm assuming that the basis for UK jurisdiction here is theory (3), in which case I fail to understand how the ICO can properly punish a USA corporation for failing to protect the data of (for example) USA citizens stored in the USA. We rightly raise hell when the USA government tries to assert global jurisdiction, and I fail to see any real distinction here. That for example California has not fined them billions of dollars as well is a mystery to me as it certainly seems that they would have the power to do so under the same jurisdictional theory, and for entirely separate offenses from those committed against citizens of EU member states.
That said, I do amend my claim to include all citizens of EU member states, since the ICO was acting in that context. Either way, it should be well into double digit billions of whatever currency unit we're discussing.