EU privacy watchdogs are uniting to confront Uber over the breach of millions of consumers’ data that the ride-hailing app recently reported.
Data protection authorities from seven EU member states will coordinate their legal investigations into the breach, according to a news release that the so-called Article 29 group of privacy watchdogs published on Wednesday (29 November).
The Dutch data protection authority is leading the taskforce. Watchdogs from Italy, Spain, France, Germany, British and Belgium are also part of the group.
Their investigations of Uber’s potential missteps will remain national-level probes, and the authorities could fine the company separately in each country.
Watchdogs from the seven countries decided to coordinate their investigations during a meeting of national privacy watchdogs from EU countries on Wednesday in Brussels.
A spokeswoman for the French data protection authority said the taskforce’s goal is to make sure the different national investigations are consistent “as much as possible”.
The Article 29 group announced last week that it would discuss the case at the meeting, after Uber announced on 21 November that personal data belonging to 57 million of its users “around the world” was breached in 2016.
CEO Dara Khosrowshahi acknowledged that the company did not immediately alert consumers and drivers about the incident.
Uber said it will cooperate with the new taskforce. An Uber spokeswoman said she did not have information about how many of the 57 million users are in Europe.
A spokeswoman for France’s data protection agency said it had not yet identified the number of French people who were affected by Uber’s data breach.
UK data protection agency ICO said on Wednesday that data from 2.7 million user accounts in the UK was compromised by Uber’s security breach. ICO is still waiting for full reports detailing the kind of data that was swept up by the breach. Uber said last week that hackers exposed data including users’ names, email addresses and mobile phone numbers.
The Dutch data protection authority said in a statement on Wednesday that it is still investigating the incident.
A spokesman for the data protection authority in Berlin, where Uber is legally registered in Germany, said the office did not yet have any figures about how many German users were affected.
Privacy watchdogs in Germany’s 16 states oversee how companies comply with data protection rules, and the country’s federal authority is in charge of how public offices respect laws.
Companies will soon face steeper penalties for breaking EU data protection law and failing to report data breaches to authorities.
The sweeping new EU data protection regulation will increase the level of possible sanctions against companies when it comes into effect in May 2018. Under the stricter rules, national data protection authorities can slap firms with fines of up to 4% of their global turnover, or €20 million, whichever is higher.