Europe’s national privacy regulators have joined forces to tackle Uber over the way it handled its monumental data breach last year.
Each EU country has its own data protection authority (except for Germany, where each state has its own). When trying to take on U.S. giants such as Google (googl) and Facebook (fb) over their flouting of European privacy law, the regulators learned a few years ago that it was best to coordinate their investigations for maximum impact.
So, on Wednesday, the regulators decided to form a task force to deal with the Uber breach, in which the company covered up the fact that hackers had stolen the details of 57 million users around the world.
The Dutch data protection authority will take the lead, as Uber’s international headquarters are sited in Amsterdam. Regulators from Belgium, Germany, France, Italy, the Netherlands, Spain and the U.K. will also take part.
They won’t have joint fining powers, though—that’s still going to be a national matter. Under the current EU data protection directive, each country can set its own maximum fines for data protection transgressions. Although fining powers will be drastically increased under a new regulation that will come into force across the EU in May, fines are still relatively low, certainly from the perspective of a well-funded U.S. tech giant.
Under the U.K.’s data protection act, the maximum fine is £500,000 ($673,000). Concealing a data breach isn’t explicitly illegal under that legislation, but failing to properly protect the data is illegal, and the concealment may exacerbate the fine.
In the Netherlands, where concealing a breach is illegal, the maximum fine is €820,000 ($970,000). And in Italy, the only EU country to have announced a full-blown investigation into the Uber incident before Wednesday, the fine may be more than $1 million, with the amount being related to the number of Italians who were affected.