Re: Unpopular Opinion
To continue the car example, there are two elements involved. One is liability in criminal law - that is only the responsibility of the car thief. The other would be civil liability. Again, that is the car thief's responsiiblity, but of course we know most thieves never pay for the cars they steal.
Therefore of course, we usually insure our cars against theft. The insurer will pay the value for the stolen car or its damages, but only if the insured hasn't been negligent or sloppy. If you leave it unlocked with the keys in then you won't get covered. But leaving it in a dark alley in a dodgy part of town is usually not grounds to refuse payment (I think - depends on the policy I suppose - foreign travel to some countries is excluded).
Taking this together, I agree with the original poster - this is like the police fining the car owner (or say the friend of the owner who was using the car) - I guess the question is, has the friend done the DP equivalent of leaving the keys in the ignition, or just parked it somewhere dodgy? I guess in the former case a fine is legitimate, BUT it still is (to me) a very blunt tool to set a liability.
In theory there is already negligence law which could allow an individual person to sue a data holder for negligently letting it leak out. But the victim would have to show some kind of loss. The scale of these fines suggests this link is absent (360 quid per person involved) - weird to set it by reference to the global revenue. Maybe one victim lost nothing, and another had 1,000s of pounds run up on their card. Each person should get their respective sum lost.