Wow, I've not heard this idea before and I think it is very interesting! How would you set this amount though? Does the company/user/government set it? Would the same data have different amounts depending on the company? How would that system handle users with multiple accounts?
I think we should exempt this from double-jeopardy: the fines are considered purely-punitive, and are in addition to any civil or criminal penalty issued by the courts. This will help ensure that organisations can't just price data breaches in to "move fast and break things" and have no further liability, and that people who've experienced damages much greater than the standard fine don't lose their chance to get suitable compensation.