Uber faces regulatory scrutiny after CEO Dara Khosrowshahi said the company covered up a data breach last year that exposed personal data from around 57 million accounts.

The chair of the group of European data protection authorities – known as the Article 29 Working Party – said on Thursday the data breach would be discussed at its meeting on Nov. 28 and 29.

While EU data protection authorities cannot impose joint sanctions, they can set up task-forces to coordinate national investigations.

When a new EU data protection law comes into force next May, regulators will have the power to impose much higher fines – up to 4 percent of global turnover – and coordinate more closely.

Uber paid hackers $100,000 to keep secret the massive breach.

The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, Khosrowshahi said. Uber declined to say what other countries may be affected.

For more on the Uber data breach, see Fortune’s video:

“We cannot but voice our strong concern for the breach suffered by Uber, which was reported belatedly by the U.S. company. We initiated our inquiries and are gathering all the information that can help us assess the scope of the data breach and take the appropriate steps to protect any Italian citizens involved,” said Antonello Soro, President of the Italian Data Protection Authority on Wednesday.

The British data protection authority also said the concealment of the breach raised “huge concerns” about Uber‘s data policies and ethics.

Long known for its combative stance with local taxi regulators, Uber has faced a stream of top-level executive departures over issues from sexual harassment to data privacy to driver working conditions, which led its board to remove Travis Kalanick as CEO in June.