Ah yes, the ambiguity of laws that haven't been tested or that are dependent on the whim of the regulatory agency. Plus it is very typical to see something like a 50m fine that gets contested in courts and negotiated down over the years to, say, 500k.
I think this issue prevents a lot of real progress and explains the divide between those saying corporations aren't regulated vs those saying there is too much regulation. They're both right, but they're both talking past each other. There is way too much regulation that can't be followed, enforced, or even understood. At the same time a reaction to corporate abuses is to want to add new regulation, but that just keeps the circle going. I suppose the solution is to drastically reduce regulation, but make it extremely clear and reduce ambiguity about the consequences, penalties, and enforcement. I won't hold my breath for this to happen.
It is nothing to large companies, but as far as I can tell, there is nothing that would stop a company from being fined multiple times for the mishandling of each person's data. I doubt there will ever be a case where a company is fined millions for each person's data being stolen, but it does mean that 17 million is not technically the cap.