If you divide causes into "accidental" and "intentional", and assume "caused by incompetence" belongs into the "accidential" catagory, then the comment "We don’t need [X]. We need sane penalties for [Y] caused by incompetence" can be read as arguing against penalties for intential actions.
If they meant the opposite of that, then that's a really weird way to express it.
So what did they mean? GDPR is basically what they said, plus that you have to show you have made a meaningful effort to stop data breaches from happening before they happen. Is that bad?
Intentional data breach is basically the business model where you sell private information without getting meaningful consent from your users. Do you think that is okay because you need that to stay competitive with US companies?
