About GDPR and ESA breach:
"GDPR fines can amount to €20 million or 4% of net revenue, whichever is greater. According to the ESA's 2018 IRS form 990 filing, the organization's net revenue amounted to $35.1 million, making it eligible for the €20 million ($22.2 million) penalty if data protection groups decide to pursue the matter. However, given that the ESA does not have an EU presence, enforcement of GDPR penalties may be difficult.
"The number of individuals affected, the type of information leaked and the appropriateness of the security measures in place at the time of a breach are some of the factors that would be taken into account," he explained. "All of this said, it's still unclear how—if at all—the GDPR would practically be enforced against an entity without an EU headquarters like the ESA. This represents one of the significant limitations of GDPR. Also, evidence suggests that data protection authorities are being bombarded with complaints and can often only investigate the biggest and most serious incidents due to resource constraints."