Dutch DPA's €100M Yango Fine: Standard Contractual Clauses Cannot Override Russia's Surveillance Architecture

The AP found encryption keys stored on Russian servers, the wrong SCC module applied, and a shared director creating re-identification risk — exposing how formal compliance fails under authoritarian law.

[Infographic: "GDPR's Third-Country Transfer Crackdown" (People of Internet Research): €100M Yango fine (2026, Dutch DPA, imposed on MLU B.V.); €530M TikTok fine (2025, Irish DPC, EEA data transfers); €290M Uber fine (2024, Dutch DPA, data transfers); €483M statutory maximum possible (4% of Yandex's ~€12B 2024 global r…).]

The Fine and What Triggered It

On April 1, 2026 — publicly announced May 8 — the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a €100 million fine on MLU B.V., the Netherlands-based holding company that operates Yango, the international ride-hailing app descended from Russia's Yandex group. The AP simultaneously issued an immediate ban on any further transfer of Finnish and Norwegian users' personal data to recipients in Russia. The penalty is believed to be the second-largest ever levied by the Dutch DPA, after its €290 million fine against Uber in July 2024 for similar cross-border transfer failures.

The investigation launched in 2023, conducted jointly with the Finnish and Norwegian data protection authorities, uncovered layered failures affecting a wide range of personal data: GPS location logs, home addresses, driving licences, bank details, social security numbers, and chat records from Yango's Nordic users. The decision carries case reference 2025-005323 and was signed by AP chair Aleid Wolfsen.

Three Failures, One Fine

The AP identified three interlocking structural problems — not one.

The wrong SCC module. Yango's European operating entity, Ridetech International B.V., signed Standard Contractual Clauses with Russian group entities using the controller-to-processor module — the transfer tool used when one party merely acts on instructions from another. But Yandex.Taxi LLC was co-determining the purposes and means of processing through its algorithm ownership and software infrastructure, making it a joint controller under the GDPR, not a processor. Applying the wrong SCC module rendered the contractual protections required by Articles 44 and 46 GDPR inapplicable from the outset. The formal signature on an SCC counted for nothing when the underlying relationship was mischaracterised.

Encryption keys on Russian soil. Until November 27, 2023, user data and the encryption keys required to read it were both stored on servers in Russia. Encryption provides no meaningful protection when the keys that unlock it sit in the same jurisdiction as the authorities seeking access. The AP found this arrangement made the claimed safeguards practically ineffective. After November 2023, keys were migrated to Amazon Web Services in Frankfurt — but encrypted data continued flowing to Russian entities. The AP found a further vulnerability: the same individual held director-level positions at both Ridetech and Yandex.Taxi LLC, creating a foreseeable re-identification pathway through governance structure rather than technical analysis alone.

Russia's surveillance laws cannot be contracted away. The AP concluded that no private contractual arrangement — SCC or otherwise — could neutralise Russia's statutory surveillance architecture. The Yarovaya Law (Federal Laws No. 374-FZ and 376-FZ of July 6, 2016) requires companies to supply encryption keys to Russian security services on demand. SORM — the System for Operative Investigative Activities — mandates physical installation of hardware in company infrastructure enabling the FSB to extract data without notifying the company or the subject. The Russian Taxi Law (in force September 2023) separately requires detailed logbooks — addresses, timestamps, driver and vehicle details, customer phone numbers — retained for at least six months. Roskomnadzor, Russia's nominal data regulator, was found not to be an independent authority within the meaning of Article 45(2) GDPR, meaning no institutional check on government access exists.

A Doctrine Taking Shape Across Europe

The Yango decision does not arrive in isolation. In May 2025, the Irish Data Protection Commission fined TikTok €530 million for unlawful transfers of EEA user data to China, where parallel statutes — the National Intelligence Law, Anti-Terrorism Law, and Cybersecurity Law — similarly enable government access without independent judicial oversight. The structural logic of both decisions is the same: when the destination country's national security apparatus has lawful, unreviewable access to data, Standard Contractual Clauses cannot provide the "essential equivalence" the Court of Justice demanded in its 2020 Schrems II ruling.

Together with the Uber fine, European DPAs are converging on a consistent enforcement doctrine: companies must assess the legal reality of the destination country, not merely execute the paperwork. An SCC filed in a folder is not a compliance programme.

The Steelman Case for Regulators

The regulators have a defensible case. Ride-hailing apps collect some of the most sensitive data that exists — real-time location linked to identity, home addresses, financial instruments — tied to individual movement patterns across months or years. When the destination country's legal system can compel access to that data without independent judicial review, the harm is concrete and often irreversible. Schrems II explicitly placed the burden on companies to verify that SCCs will actually function in practice. Yango had multiple years to conduct that analysis and, the AP found, failed to do so adequately. The investigation was partly triggered by a 2023 Meduza investigation revealing that user data was stored in data centres in Moscow, Ryazan, and Vladimir.

Where the Concern Lies

The legal reasoning is not the problem. The problem is what this enforcement standard does to corporate planning. The AP's finding that shared executive governance — one director across two entities — alone creates a re-identification risk that defeats pseudonymisation sets a threshold that is genuinely difficult to operationalise at scale. Many legitimate multinational groups run shared leadership across EU and non-EU subsidiaries. If structural governance creates a GDPR violation whenever data flows involve high-risk third countries, the compliance burden for intra-group transfers grows very large, with unclear guidance on what restructuring is sufficient.

MLU B.V. has announced plans to challenge the fine. Its stated position — that data was stored exclusively within the EU in pseudonymised and encrypted form — will be tested in Dutch administrative courts. Given the technical complexity of the encryption-key timeline and the governance argument, that challenge is substantive, not frivolous.

What This Means for Companies in Authoritarian Markets

The combined lesson of Yango, TikTok, and Uber is now unambiguous: Standard Contractual Clauses are a floor, not a ceiling. Companies transferring EEA data to jurisdictions without an adequacy decision must conduct genuine Transfer Impact Assessments that engage with surveillance law specifics — not template risk summaries. They must ensure encryption keys are not under de facto control of the receiving entity, including through shared governance. And they must map intra-group data flows against actual controller/processor determinations, not legacy arrangements. For Russian-origin companies with EU subsidiaries still touching Russian infrastructure, the AP has set a near-zero tolerance threshold. Whether that is a proportionate response to Russia's legal architecture — or a legally dressed geopolitical judgement — the courts will now decide.
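The three failures described above and the mapping requirements in this paragraph can be expressed as a policy-as-code check. This is an added example, not code from the page, the AP or any of the companies named; the DataFlow fields, country codes and director names are constructed assumptions, and the "before" and "after" flows only mirror the key-migration timeline the article describes.

```python
from dataclasses import dataclass, field

# Constructed model of one intra-group data flow for a transfer impact check.
# The field values used below are illustrative assumptions, not text from the AP decision.
@dataclass
class DataFlow:
    recipient_role: str                 # "processor" or "joint_controller"
    scc_module: str                     # SCC module actually signed: "c2p" or "c2c"
    destination: str                    # country code of the receiving entity
    key_location: str                   # country code where decryption keys are held
    exporter_directors: set = field(default_factory=set)
    recipient_directors: set = field(default_factory=set)

# Jurisdictions the page describes as compelling key disclosure without independent review.
COMPELLED_ACCESS = {"RU"}

# SCC module that matches each real-world role of the recipient.
MODULE_FOR_ROLE = {"processor": "c2p", "joint_controller": "c2c"}

def assess_transfer(flow: DataFlow) -> list[str]:
    """Return the structural findings for one data flow (an empty list means none)."""
    findings = []
    # Failure 1: the SCC module must match what the recipient actually does.
    if flow.scc_module != MODULE_FOR_ROLE[flow.recipient_role]:
        findings.append("scc_module_mismatch")
    # Failure 2: keys held where the state can demand them leave encryption ineffective.
    if flow.key_location in COMPELLED_ACCESS:
        findings.append("keys_in_compelled_access_jurisdiction")
    # Failure 2b: a shared director gives the recipient de facto control over keys/identity.
    if flow.exporter_directors & flow.recipient_directors:
        findings.append("shared_governance_reidentification_path")
    # Failure 3: no contract neutralises statutory access; flag the destination itself.
    if flow.destination in COMPELLED_ACCESS:
        findings.append("destination_law_not_curable_by_scc")
    return findings

# Constructed flows mirroring the timeline in the article (all identifiers are placeholders).
BEFORE_KEY_MOVE = DataFlow("joint_controller", "c2p", "RU", "RU",
                           {"director_x"}, {"director_x"})
AFTER_KEY_MOVE = DataFlow("joint_controller", "c2p", "RU", "DE",
                          {"director_x"}, {"director_x"})
REMEDIATED = DataFlow("joint_controller", "c2c", "DE", "DE",
                      {"director_x"}, {"director_y"})

if __name__ == "__main__":
    for name, flow in [("before", BEFORE_KEY_MOVE), ("after", AFTER_KEY_MOVE),
                       ("remediated", REMEDIATED)]:
        print(name, assess_transfer(flow) or "no findings")
```

Moving the keys out of Russia clears only one of the four findings; the mismatched module, the shared director and the destination's statutory access regime remain, which is the point the AP's decision makes.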
