The Case
On May 8, 2026, the Autoriteit Persoonsgegevens (AP) — the Netherlands' data protection authority — announced a €100 million fine against MLU B.V., the Dutch-registered operator of the Yango ride-hailing application. The decision, reached jointly with the Finnish and Norwegian supervisory authorities after an investigation begun in late 2023, ordered MLU to immediately halt the transfer of Finnish and Norwegian user data to Russia.
The data at issue was not incidental. Regulators found that MLU had been routing driving-licence scans, social security numbers, home addresses, bank account details, precise geolocation traces, trip histories, photographs, and in-app chat logs to Yandex.Taxi LLC and Yandex LLC — both entities registered in Russia — since at least May 2022.
Where the SCC Framework Collapsed
MLU's primary compliance mechanism was Standard Contractual Clauses, the model contracts authorised under GDPR Article 46 that allow data transfers to countries without an adequacy decision. The European Commission has not issued an adequacy decision for Russia under Article 45, making SCCs MLU's only available instrument. The AP found that the instrument was wrongly chosen and, even if corrected, would still have been structurally insufficient.
The first failure was module selection. MLU applied controller-processor SCCs when Yandex.Taxi LLC was functioning as a joint controller: it co-determined the purposes and means of processing because it owned the app's underlying software and governed how user data flowed through its infrastructure. Using the wrong module rendered the entire contractual framework legally invalid under Chapter V before any analysis of Russian surveillance law even entered the picture.
The second failure was organisational. From September 2020 to May 2024, a single individual served simultaneously as director of both MLU B.V. in the Netherlands and Yandex.Taxi LLC in Russia. The AP concluded that where the same person controls both data exporter and data importer, pseudonymisation and encryption are functionally hollow — re-identification is foreseeable through organisational access alone, regardless of what the contracts say.
Russia's Legal Architecture as the Underlying Problem
Beyond the contractual defects, the AP's decision rests on a detailed analysis of Russian law that explains why correctly structured SCCs would likely still fail for transfers involving Russian-domiciled group entities.
Three statutes form the core of the problem. The Yarovaya Law (Federal Laws No. 374-FZ and 376-FZ, July 2016) requires internet communications operators to retain user data and supply encryption keys to Russian security services on demand. The SORM system — hardware and software embedded in Russian telecoms and platform infrastructure — gives the FSB technical access to user communications without individual court orders. And from September 1, 2023, Russia's Taxi Law extended mandatory real-time FSB access obligations specifically to ride-hailing platforms: Yandex.Taxi LLC became legally required to grant intelligence services round-the-clock access to trip and user data.
The AP also evaluated Roskomnadzor, Russia's nominal data protection authority. It concluded Roskomnadzor cannot act as an independent supervisory body: it is hierarchically subordinate to the Ministry of Digital Development and is simultaneously tasked with enforcing anti-terrorism surveillance legislation — obligations that structurally conflict with effective data subject rights. EU citizens whose data lands in Russia have no realistic enforcement route against FSB access. Yandex's own transparency disclosures support the AP's risk assessment: the company met 84% of Russian government data requests in the first half of 2020.
The Strongest Case for This Enforcement
The clearest argument for the AP's position is that GDPR Chapter V's "appropriate safeguards" standard has a substantive floor, not a paper one. When a government can reach into a data importer's infrastructure through mandatory key-disclosure under the Yarovaya Law or direct SORM access, a contract requiring that importer to protect EU data becomes legally unenforceable on Russian territory. The importer faces an irreconcilable conflict: comply with SCC obligations or obey domestic statute. The AP's conclusion — that this structural conflict defeats the safeguard entirely — is a defensible extension of the Court of Justice's July 2020 Schrems II ruling (C-311/18), which invalidated the EU-US Privacy Shield on precisely the same grounds. Millions of European users shared biometric documents, home locations, and financial data with an application that routed those records to a jurisdiction where their legal rights are unenforceable.
Proportionality and the Road Ahead
MLU's counter-argument deserves a fair read: the company asserts that user data was stored within the EU "in pseudonymised and encrypted form" and that appropriate GDPR safeguards were in place. As a technical matter, that claim is not obviously wrong. But the Yarovaya Law's key-disclosure obligation cuts through the encryption defence directly: the protection cryptography provides is only as strong as the key-holder's legal ability to decline government demands, and Yandex entities operating in Russia possess no such ability under domestic statute.
The fine is calibrated well below the statutory ceiling. At €100 million, it represents approximately 21% of that ceiling, which is 4% of Yandex's estimated €12 billion in global turnover for 2024, or roughly €483 million. The violation period runs from May 23, 2022 through the date of the formal decision. MLU has announced it will challenge the ruling through appropriate legal channels.
Implications for EU Transfers Broadly
The ruling extends transfer-enforcement doctrine in a specific and practically significant direction: shared executive control between data exporter and data importer can neutralise technical safeguards independently of encryption adequacy. That principle was not central to either the Irish DPA's €530 million TikTok ruling or the Dutch DPA's own €290 million Uber fine, both of which addressed contractual and adequacy deficiencies rather than organisational governance.
For any EU-based company with Russian group entities handling European personal data — and by extension, for companies in any jurisdiction where domestic surveillance law structurally compels data access — the decision poses an urgent question that Transfer Impact Assessments must now answer: does the corporate governance structure, not just the data architecture, satisfy Chapter V? The AP's answer in this case is that it does not when the same individual governs both sides of the transfer. Contracts alone, however carefully drafted, cannot carry that weight.