On November 29, 2017, the EU’s Article 29 Working Party (“Working Party”) announced the establishment of a task force to coordinate the plethora of national investigations throughout the EU into Uber’s 2016 data breach that affected approximately 57 million users worldwide. The task force is being led by the data protection authority (“DPA”) in the Netherlands, where Uber has its EU headquarters, and includes representatives from the DPAs in France, Italy, Germany, Belgium, Spain and the United Kingdom.
The Working Party’s actions serve as a precursor to the one-stop-shop regulatory mechanism to be introduced by the EU General Data Protection Regulation when it comes into force in May 2018. Under the one-stop-shop, the DPA in the jurisdiction of an organization’s main establishment in the EU will lead investigations into alleged violations of law, with involvement from DPAs in EU Member States that also are affected by the violations. Under the present law, however, each national DPA handles enforcement and sanctioning according to the law in its own Member State, which will be true in the case of Uber as well.