The Dutch Data Protection Authority just handed down a €100 million fine against the operator of the Yango taxi app for unlawfully transferring the personal data of tens of thousands of Finnish and Norwegian users to Russia. The message to every company moving data across borders: encryption and contracts are not enough if the receiving country’s government can compel access.
What Happened
MLU B.V., the Dutch-registered operator of the Yango ride-hailing platform and a subsidiary of Russia’s Yandex Group, transferred detailed personal data to affiliated entities in Russia over a period stretching back to May 2022.
The data wasn’t trivial. For passengers, it included phone numbers, email addresses, GPS location data, chat conversations, login credentials, banking details, and browser fingerprints. For drivers, it went further: names, social security numbers, home addresses, driving licence scans, photographs, bank account numbers, and nationality information.
“In Russia, personal data is not protected as well as in Europe,” said Aleid Wolfsen, chair of the Dutch DPA. “This means the Russian government could potentially access this data.”
Why Encryption Didn’t Save Them
Yango’s defence centred on technical safeguards. The company argued that data was stored “exclusively within the EU in pseudonymised and encrypted form, making it technically inaccessible to third parties.”
Regulators didn’t buy it. They found three critical failures:
The encryption keys lived in Russia. Before November 2023, all data sat on Russian servers with encryption keys stored alongside it — making the encryption meaningless since anyone with server access could decrypt everything.
A single executive controlled both sides. The same individual served as director of both the Dutch exporter and the Russian recipient. Pseudonymisation doesn’t work when one person can reconnect the dots from either end.
The wrong contracts were used. MLU relied on Standard Contractual Clauses designed for controller-to-processor relationships, but the Russian entity functioned as a joint controller. Using the wrong legal mechanism meant the safeguards didn’t apply.
Even after Yango moved data to AWS servers in Frankfurt in late 2023, encrypted data was still being transmitted to Russian entities — and the structural problems remained.
Russia’s Surveillance Laws Made It Worse
The Dutch DPA specifically examined whether Russia’s legal environment offered adequate protection. It concluded that it does not.
Russia’s Yarovaya Law and SORM surveillance system give security services compulsory data access powers. The regulator also determined that Roskomnadzor — Russia’s data protection authority — cannot be considered independent because it answers to a government ministry and only enforces privacy rules against private companies, not against the state itself.
This is significant. Under GDPR, data transfers to countries outside the EU require either an adequacy decision (which Russia doesn’t have) or supplementary measures that genuinely prevent government access. The Dutch DPA’s finding that Russia’s own regulator isn’t independent demolishes the argument that contractual clauses alone can bridge the gap.
The Investigation
The case took years to build. Finnish regulators first flagged concerns in 2021-2022. In August 2023, Finland issued an emergency order prohibiting further transfers. The Dutch DPA formally opened its investigation in December 2023, with Finnish and Norwegian authorities joining as co-investigators.
The €100 million fine was calculated partly using Yandex Group’s reported global turnover of over €12 billion in 2024. MLU has announced it will challenge the decision.
Why This Matters for You
This case sets a precedent that goes well beyond one taxi app. The core ruling is clear: where your data physically travels matters, and no amount of legal paperwork can substitute for genuine architectural protection.
Here’s what to take away:
Contracts aren’t a magic shield. Standard Contractual Clauses are the most common mechanism for international data transfers under GDPR. This ruling confirms they’re not a “set-and-forget” solution — they must match the actual relationship between the parties, and they must be backed by real technical controls.
Encryption only works if the keys are safe. Encrypting data means nothing if the decryption keys are accessible to the same entities you’re supposedly protecting against. True data protection requires keeping keys under independent control, ideally within the jurisdiction you trust.
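The custody point above (and the first two failures the regulators listed) can be made concrete with a small model. The following Python is an added illustration, not code from the article, the Dutch DPA or Yango: it implements envelope encryption with a toy HMAC-SHA256 keystream so it runs on the standard library alone (it models who can read what, not a production cipher), and then walks three custody layouts whose party names are hypothetical labels for the roles in the case. The check a practitioner wants is the last one: moving ciphertext to Frankfurt changes nothing while the key-encryption key stays with the recipient, and only an independent custodian holding that key actually keeps the recipient out.

```python
"""Key-custody model of the Yango transfer problem (added example).

Envelope encryption: each record is encrypted with a data-encryption key (DEK);
the DEK is wrapped with a key-encryption key (KEK). Whoever can read the storage
and holds the KEK (or a bare DEK) reads the data, wherever the ciphertext sits.
The cipher is a toy keystream derived with HMAC-SHA256 so the script needs no
third-party library; it exists to model custody, not to protect real data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || XOR-keystream body || HMAC tag over nonce+body."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class Party:
    """An entity (hypothetical label) and the keys it can reach."""
    name: str
    keys: dict = field(default_factory=dict)  # "dek" / "kek" -> key bytes


@dataclass
class Store:
    """Where the ciphertext lives and which parties have server access there."""
    location: str
    readers: list
    ciphertext: bytes = b""
    wrapped_dek: bytes = b""


def deploy(dek: bytes, kek: bytes, record: bytes, store: Store) -> None:
    store.ciphertext = encrypt(dek, record)
    store.wrapped_dek = encrypt(kek, dek)  # wrapped DEK stored next to the data


def can_read(party: Party, store: Store) -> bool:
    """True if the party has server access and a key path to the plaintext."""
    if party not in store.readers:
        return False
    dek = party.keys.get("dek")
    if dek is None and "kek" in party.keys:
        try:
            dek = decrypt(party.keys["kek"], store.wrapped_dek)
        except ValueError:
            return False
    if dek is None:
        return False
    try:
        decrypt(dek, store.ciphertext)
        return True
    except ValueError:
        return False


def scenarios() -> dict:
    """Three custody layouts; the record content is constructed sample data."""
    record = b"driver: licence scan, home address, bank account number"
    dek, kek = os.urandom(32), os.urandom(32)
    results = {}

    # 1. Pre-November-2023 layout: ciphertext, DEK and KEK all on the same server.
    ru_affiliate = Party("ru_affiliate", {"dek": dek, "kek": kek})
    ru_store = Store("RU", readers=[ru_affiliate])
    deploy(dek, kek, record, ru_store)
    results["keys_co_located"] = can_read(ru_affiliate, ru_store)

    # 2. Ciphertext moved to Frankfurt, but the recipient still holds the KEK.
    ru_kek_holder = Party("ru_affiliate", {"kek": kek})
    frankfurt = Store("DE", readers=[ru_kek_holder])
    deploy(dek, kek, record, frankfurt)
    results["moved_store_recipient_kek"] = can_read(ru_kek_holder, frankfurt)

    # 3. KEK held by an independent EU custodian; recipient has storage access only.
    eu_custodian = Party("eu_custodian", {"kek": kek})
    ru_reader = Party("ru_affiliate", {})
    separated = Store("DE", readers=[eu_custodian, ru_reader])
    deploy(dek, kek, record, separated)
    results["independent_custodian_recipient"] = can_read(ru_reader, separated)
    results["independent_custodian_owner"] = can_read(eu_custodian, separated)
    return results


if __name__ == "__main__":
    for layout, readable in scenarios().items():
        print(f"{layout}: recipient/owner can decrypt = {readable}")
```

The model deliberately treats "server access" and "key access" as separate facts, because that is the distinction the DPA drew: relocating the store is a residency change, relocating the key is the control change. A real deployment would replace the toy cipher with an authenticated cipher from a vetted library and the custodian with an HSM or KMS whose administrators are not the recipient's.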
Corporate structure matters. When the same executives control both the sending and receiving entities, regulators will look through the legal fiction. Shared governance between entities in the EU and entities in surveillance-heavy jurisdictions is now a red flag.
Jurisdiction is architecture. This is exactly why data sovereignty advocates push for keeping data — and its keys — within jurisdictions with strong, independently enforced privacy laws. Switzerland’s Federal Act on Data Protection, for instance, operates under an independent commissioner and has no equivalent to Russia’s Yarovaya Law or the US CLOUD Act.
The €100 million price tag sends a signal that European regulators are done accepting paper compliance. If your data touches a jurisdiction where governments can compel access, you need to prove — not just promise — that your architecture prevents it.