These things will never change if the only penalty the company/agency gets is "send a message to your users saying you are sorry and that it won’t happen again".
So, you want the French government to fine the French government so the French government uses French taxpayer money to pay the French government for the French government's mistake?
You could just jail the CEO or whoever was responsible for the security at that agency / company.