
Yango's €100 Million GDPR Fine Proves Standard Contractual Clauses Cannot Shield Data from State Surveillance

The Dutch DPA's landmark ruling against the Yandex-linked taxi app shows that contractual safeguards collapse when destination-country law hands governments a back door.

Infographic (People of Internet Research, peopleofinternet.com): Yango GDPR Penalty, Key Numbers. €100M fine imposed (largest Dutch AP fine for cross-bo…); ~€12B Yandex 2024 revenue (group revenue used to calculate th…); €483M maximum fine possible (4% of Yandex global revenue — the …); 3 DPAs in joint probe (Dutch, Finnish, and Norwegian auth…).

The Fine and What It Signals

On June 19, 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a €100 million penalty on MLU B.V., the Netherlands-based European operator of the Yango ride-hailing app, for unlawfully transferring personal data of EU, Norwegian, and Finnish riders and drivers to Russia. The fine — issued following a joint investigation with Finnish and Norwegian supervisory authorities that began in late 2023 — is the largest ever issued by the AP for cross-border data transfer violations. It signals something important: GDPR's Chapter V transfer rules, long treated as a box-ticking formality, now carry genuine enforcement weight.

What Was Transferred — and Where It Ended Up

The data categories at issue are not trivial. Investigators found that MLU transferred driving licence scans, bank account numbers, social security numbers, home addresses, real-time location pins, trip histories, chat conversation logs, and photographs to Yandex-affiliated entities in Russia. Yandex had shut its Finnish data centre in the aftermath of the Ukraine war, routing all international Yango user data to three Russian server farms in Moscow, Ryazan, and Vladimir. According to an internal Yandex document reviewed by Meduza, there was "no material or logical division" between domestic Russian user data and international user data — meaning every Yango ride taken in Helsinki or Amsterdam lived on the same infrastructure accessible to Russian law enforcement. Company employees were reportedly instructed not to disclose this to international customers.

Why the Legal Safeguards Failed

MLU argued it had implemented Standard Contractual Clauses (SCCs) — the EU's standardised transfer mechanism under Article 46 GDPR, designed for situations where no adequacy decision exists. The AP rejected this defence on three compounding grounds.

First, MLU applied the wrong SCC module. It used clauses designed for a controller-to-processor relationship, but Yandex.Taxi LLC — which owned the software and co-determined what data was collected and how — was in reality a joint controller. The correct controller-to-controller module imposes meaningfully different obligations. That mismatch alone rendered the SCCs legally ineffective, before any other facts were examined.

Second, during the period under investigation, encryption keys were physically stored on the same Russian servers as the encrypted data. Encryption without key separation provides no meaningful protection; anyone with server access also has the keys. MLU later moved encryption keys to AWS Frankfurt, but the underlying data continued flowing to Russia, creating what the AP described as a residual re-identification risk.

Third, a single executive simultaneously directed both Ridetech (MLU's subsidiary and the formal data exporter) and Yandex.Taxi LLC (the Russian data recipient) through May 2024. Shared governance between exporter and importer — where the same individual controls both sides of a "transfer" — makes the structural independence that SCCs assume purely theoretical.

The Russian Legal Context: Why This Wasn't Just a Technicality

The AP's decision is not merely a procedural gotcha. Russia does not hold an adequacy decision under the GDPR, and the EU has never recognised it as providing equivalent data protection. In July 2022, the European Data Protection Board published a formal statement warning organisations that transfers to Russia require particularly robust supplementary measures and face a high likelihood of failing the "essentially equivalent protection" test required by the Court of Justice's Schrems II ruling.

That risk became concrete in September 2023, when Russian Prime Minister Mikhail Mishustin signed an order granting the Federal Security Service (FSB) round-the-clock access to data aggregated by taxi services — including IP addresses, names, phone numbers, banking information, trip origins and destinations, and user comments. AP chair Aleid Wolfsen was direct: "In Russia, personal data is not as well protected as in Europe. This may allow the Russian government to gain access to this data." Finnish Data Protection Ombudsman Anu Talus went further: "Personal data cannot be transferred outside the EU if its security cannot be ensured." The Norwegian DPA noted "an acute risk to privacy as Russian authorities could potentially monitor the movements of Norwegian citizens via Yango."

Steelmanning the Other Side

It is worth acknowledging the strongest case for Yango. MLU is a Dutch company — not a Russian state entity. It operated commercially across more than 20 countries, offering competitively priced mobility services. Compliance with GDPR's transfer rules is genuinely complex, particularly for intra-group technology architectures built before the post-Schrems II SCC reform of 2021. Companies that built on Yandex infrastructure before the Ukraine war faced an abrupt deterioration in their legal position that was partly caused by external geopolitical events, not only internal choices. Proportionality matters: at €100 million against a €483 million maximum (4% of Yandex's reported ~€12 billion 2024 revenue), the AP exercised restraint.

The Limits of Contractual Compliance

Even granting all of that, the case illustrates a fundamental problem that proportionality arguments cannot resolve: contractual safeguards are legally inert when destination-country law effectively overrides them. SCCs assume an arm's-length relationship and meaningful data subject recourse against the recipient. Neither condition holds when the recipient's government can compel disclosure by law, the exporter and recipient share governance, and the data is commingled with domestic data on servers inside the jurisdiction. Alston & Bird's analysis of the decision put it plainly: SCCs are "not a set-and-forget solution," particularly for intra-group arrangements.

This matters beyond Russia. Any organisation transferring sensitive personal data to a jurisdiction with broad government surveillance powers — and there are many — now has a concrete enforcement precedent showing that formal SCC adoption without substantive operational alignment is insufficient.

What Companies Must Do

The ruling imposes an immediate operational obligation on MLU: cease all Yango data transfers for Norwegian and Finnish users to Russia. For the wider industry, it reinforces several hard requirements that have existed on paper since Schrems II but are now backed by nine-figure penalties: match your SCC module to your actual data relationship; maintain encryption key separation with effective access controls; assess destination-country law on an ongoing basis, not once at contract signing; and treat shared governance across exporter and importer as a structural red flag requiring independent legal review.
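The key-separation finding earlier in the article (encryption keys stored on the same Russian servers as the encrypted data, later moved to AWS Frankfurt while the data kept flowing) and the requirement above to maintain key separation with effective access controls can be made concrete with envelope encryption. The code below is an added example, not code from the AP decision, MLU or Yandex: per-record data keys are wrapped by a key service that never releases its key-encryption key, and a snapshot of the data server is compared under both layouts. The HMAC-SHA256 stream cipher is a teaching stand-in for a real AEAD such as AES-GCM, and `KeyService`, `DataServer`, the principal name `ride-api` and the sample record are all assumptions of the example.

```python
"""Envelope encryption with the key-encryption key (KEK) held off the data server.

Added example, not code from the AP decision, MLU or Yandex. The HMAC-SHA256
stream cipher stands in for AES-GCM and KeyService stands in for a KMS/HSM in
the exporter's jurisdiction; both are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound subkey so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream: HMAC-SHA256(key, nonce || block counter)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class KeyService:
    """KMS/HSM outside the destination country: the KEK never leaves it, and it
    only wraps/unwraps per-record data keys (DEKs) for allow-listed principals."""

    def __init__(self, allowed_principals):
        self._kek = secrets.token_bytes(32)
        self._allowed = frozenset(allowed_principals)
        self.audit = []  # (principal, operation): a real KMS logs every call

    def _check(self, principal: str, op: str) -> None:
        self.audit.append((principal, op))
        if principal not in self._allowed:
            raise PermissionError(f"{principal} is not allowed to {op}")

    def wrap(self, principal: str, dek: bytes) -> bytes:
        self._check(principal, "wrap")
        return encrypt(self._kek, dek)

    def unwrap(self, principal: str, wrapped: bytes) -> bytes:
        self._check(principal, "unwrap")
        return decrypt(self._kek, wrapped)


@dataclass
class DataServer:
    """Storage in the destination country: ciphertext and wrapped DEKs only."""
    records: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    local_kek: Optional[bytes] = None  # set only in the co-located anti-pattern


def store_record(server: DataServer, kms: KeyService, principal: str,
                 record_id: str, plaintext: bytes) -> None:
    dek = secrets.token_bytes(32)  # fresh data-encryption key per record
    server.records[record_id] = (kms.wrap(principal, dek), encrypt(dek, plaintext))


def read_record(server: DataServer, kms: KeyService, principal: str,
                record_id: str) -> bytes:
    wrapped, ct = server.records[record_id]
    return decrypt(kms.unwrap(principal, wrapped), ct)


def snapshot_exposure(server: DataServer) -> Dict[str, Optional[bytes]]:
    """What a full copy of the server (disk image, root shell) yields without
    ever talking to the key service."""
    exposed = {}
    for rid, (wrapped, ct) in server.records.items():
        if server.local_kek is not None:
            exposed[rid] = decrypt(decrypt(server.local_kek, wrapped), ct)
        else:
            exposed[rid] = None  # wrapped DEK + ciphertext: nothing recoverable
    return exposed


SAMPLE = b"driver=D-12345; pickup=Helsinki; dropoff=Vantaa"  # constructed record


def demo(colocated: bool) -> Dict[str, Optional[bytes]]:
    kms = KeyService(allowed_principals={"ride-api"})
    server = DataServer()
    if colocated:
        server.local_kek = kms._kek  # the anti-pattern: KEK deposited beside the data
    store_record(server, kms, "ride-api", "trip-1", SAMPLE)
    assert read_record(server, kms, "ride-api", "trip-1") == SAMPLE  # service still works
    return snapshot_exposure(server)
```

`demo(True)` models the period under investigation: a copy of the server is enough to read every record. `demo(False)` models the separated layout: the copy holds only ciphertext and wrapped keys, and every unwrap is an authenticated, logged call to the key service. The model also shows why moving the keys alone leaves the residual risk the AP described: the allow-listed `ride-api` principal still obtains plaintext on demand, so if that process runs inside the destination jurisdiction, whoever can operate or compel it is not stopped by where the KEK lives.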

The AP's decision, combined with its earlier €290 million Uber fine in 2024 for US driver data transfers, positions the Netherlands as a consequential GDPR enforcement jurisdiction. That the Dutch DPA — coordinating across three national authorities — found the same fundamental flaw across two separate major platforms in consecutive years suggests this is not regulatory overreach. It is a consistent application of rules that the industry has had years to absorb.

Sources & Citations

  1. EDPB Statement on Russia Data Transfers (July 2022)
  2. EDPB — GDPR International Data Transfer Mechanisms
  3. The Record — Regulators Fear Russia Could Access Yandex Taxi Data
  4. Alston & Bird — Dutch DPA Fines Yango €100M (SCC Analysis)
  5. ICLG — Taxi App Fined €100 Million Over Russian Data Transfers
  6. Helsinki Times — Yango Fined €100M Over Russia Data Transfers
  7. Meduza — Yandex FSB Access and Yango Data Centres