By expanding the definition of what constitutes personal data—and by extension, what constitutes a breach of personal data—and applying a standardized notification requirement to the entire EU, the GDPR appears to have generated a much larger data set of reported incidents and thereby significantly widened our window into what types of breaches are occurring. The vast majority of companies are still not being fined for failing to protect their customers’ data, and the vast majority of fines are still too small to register with the companies that are being penalized. (Arguably, even 50 million euros is a fairly trivial sum to Google, which brought in $136.8 billion in revenue in 2018. For comparison, 50 million euros is equivalent to roughly $57 million, or 0.04 percent of Google’s 2018 revenue.)