The Ruling
On May 8, 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) publicly announced it had fined MLU B.V. — the Netherlands-registered parent company of ride-hailing app Yango, a Yandex-linked operation — €100 million for unlawfully transferring Finnish and Norwegian users' personal data to Russia. The underlying decision is dated April 1, 2026. Alongside the fine, the AP issued an immediate ban on any further transfers of that user data to Russian recipients.
The categories of data in question are some of the most sensitive a service can hold: social security numbers, driver's licence scans, bank account details, precise GPS location histories, photos, home addresses, chat records, and call logs — covering both passengers and drivers. Yango had been collecting and routing this data to Russian entities, including Yandex.Taxi LLC and Yandex LLC, since at least May 2022.
The Case for Enforcement
Regulators defending this fine stand on solid ground. Russia holds no EU adequacy decision under GDPR Article 45 — the European Commission's list of countries recognised as providing essentially equivalent data protection does not include Russia. Absent adequacy, GDPR Chapter V requires exporters to use approved safeguards and verify those safeguards will actually hold in the destination jurisdiction.
Russia's legal environment makes that verification exercise particularly sobering. The Yarovaya Law (2016) compels telecommunications operators and internet service providers to supply encryption keys and communications data to Russian security services on request. The SORM surveillance architecture gives the FSB direct-pipe access to carrier infrastructure. Since September 1, 2023, Russia's Taxi Law has required operators to retain logbooks accessible to security authorities. AP Chair Aleid Wolfsen articulated the core concern directly: "In Russia, personal data is not as well protected as in Europe. This means the Russian government could potentially access this data. That is why sensitive data from both customers and drivers should have been better protected, especially given the absence of an independent privacy regulator in Russia."
The AP's legal grounding was not improvised. The CJEU's Schrems II ruling in July 2020 established that SCCs must be accompanied by supplementary measures whenever a destination country's legal framework would prevent the recipient from honouring those clauses. Russia's surveillance laws are precisely the kind of conflicting legal regime Schrems II had in mind. The European Data Protection Board reinforced this in its Statement 02/2022 on transfers to Russia. Nothing in the Yango decision invents new law.
Two Independent Technical Failures
What elevates this ruling beyond a routine SCC enforcement action are two structurally distinct compliance failures, either of which would have been independently disqualifying.
First: the wrong SCC module. The 2021 EU SCC framework provides four modules covering different data relationship types: controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. MLU's predecessor entity, Ridetech, applied the controller-to-processor module in its agreements with Yandex.Taxi LLC. The AP found this was simply incorrect. Yandex.Taxi LLC co-determined the purposes and means of processing through software it developed and exclusively controlled, making it a joint controller rather than a processor. Selecting the wrong module is not a clerical error. Under GDPR Articles 44 and 46, the module choice determines the entire legal basis for the transfer. An incorrect module selection renders the SCC structurally invalid from execution — not a curable defect, but a foundational one.
Second: encryption keys stored alongside the data they were supposed to protect. Before November 27, 2023, both the encrypted personal data and the decryption keys resided on Russian servers. This violated Ridetech's own SCCs from September 2021, which explicitly required key storage within the EEA. Encrypting data and placing the decryption key in the same jurisdiction — one whose laws compel disclosure to state security services — provides no meaningful protection. The encryption was functionally nominal.
Ridetech moved the encryption keys to Amazon Web Services infrastructure in Frankfurt in late November 2023. The AP still rejected this arrangement. The authority identified a structural organisational vulnerability that no key migration could cure: a single individual served simultaneously as director of both Yandex.Taxi LLC in Russia and MLU B.V. in the Netherlands, from September 15, 2020 through May 31, 2024. Shared executive control meant re-identification of pseudonymised data remained feasible without significant effort or cost, regardless of where decryption keys nominally resided. The AP ruled that the post-November 2023 arrangement failed on this basis as well.
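The two failures described above, the wrong module and key custody that does not survive shared control, encoded as a pre-transfer self-check. This is an added example, not code from the ruling or from MLU's systems; the relationship-to-module mapping (joint controller treated as controller-to-controller), the store and principal model, and the before/after scenarios are assumptions constructed from the article's description.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Assumed mapping from factual relationship to the SCC module it requires
# (a joint controller on the importer side is treated as controller-to-controller).
MODULE_FOR = {"joint-controller": "controller-to-controller",
              "controller-to-processor": "controller-to-processor",
              "processor-to-processor": "processor-to-processor"}

@dataclass(frozen=True)
class Store:
    jurisdiction: str      # where the bytes physically sit
    controlling_org: str   # legal entity that operates the store

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset       # entities this person can direct

def pseudonymise(key: bytes, value: str) -> str:
    """Keyed pseudonym: linking a token back to a person requires the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def can_reidentify(p: Principal, keys: Store, data: Store) -> bool:
    """Directing both the key holder and the data holder gives effective
    plaintext access no matter which jurisdiction the key sits in."""
    return keys.controlling_org in p.roles and data.controlling_org in p.roles

def assess_transfer(relationship, module, keys, data, principals):
    findings = []
    if MODULE_FOR.get(relationship) != module:
        findings.append(f"wrong SCC module: {module} for a {relationship} relationship")
    if keys.jurisdiction == data.jurisdiction:
        findings.append(f"decryption keys co-located with data in {keys.jurisdiction}")
    for p in principals:
        if can_reidentify(p, keys, data):
            findings.append(f"shared control: {p.name} directs both sides")
    return findings

# Constructed scenario using the entities named in the ruling.
DIRECTOR = Principal("dual-role director", frozenset({"MLU B.V.", "Yandex.Taxi LLC"}))
DATA_RU = Store("RU", "Yandex.Taxi LLC")

def before_nov_2023():  # keys and ciphertext both on Russian servers
    return assess_transfer("joint-controller", "controller-to-processor",
                           Store("RU", "Yandex.Taxi LLC"), DATA_RU, [DIRECTOR])

def after_nov_2023():  # keys moved to AWS Frankfurt, same director on both boards
    return assess_transfer("joint-controller", "controller-to-processor",
                           Store("DE", "MLU B.V."), DATA_RU, [DIRECTOR])
```

Moving the key store changes only the co-location finding; the module mismatch and the shared-control finding survive the migration, which is the AP's point.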
Enforcement Pattern, Not Outlier
For observers of Dutch AP enforcement, the Yango ruling continues a legible trajectory. The AP fined Uber €290 million in July 2024 for transferring EU driver data to the United States without adequate safeguards under the same Article 44. The AP has demonstrated it will impose material financial penalties against large platform operators for systematic, ongoing transfers that lack genuine — not merely documented — safeguards. Yango had ceased operations in Norway and Finland by 2025, but the fine covers the period of active transfer.
MLU B.V. has disputed the decision and announced it will challenge it through legal channels, arguing that personal data was stored "exclusively within the EU in pseudonymised and encrypted form, making it technically inaccessible to third parties." The AP's finding that shared directorship made re-identification feasible is likely to be the central contested issue on appeal.
The Compliance Lesson Is Architectural
The most important takeaway from this ruling is not about Russian jurisdiction risk — sophisticated multinationals already know Russia is a high-exposure transfer destination. It is about the gap between contractual documentation and organisational reality.
Two messages emerge clearly. First, SCC module selection is a substantive legal determination, not a template choice: organisations must accurately characterise the data relationship before selecting a module, and must revisit that characterisation as the relationship evolves. Second, encryption provides no protection when the exporter and the recipient share executive leadership — key geography is irrelevant if personnel overlap creates effective access regardless. Regulators will pierce corporate separation when the factual record demonstrates shared control.
For companies handling sensitive categories of personal data in jurisdictions where state surveillance regimes could override contractual obligations, the Dutch AP has now made clear that passing scrutiny requires architectural separation that functions independently of the contracts documenting it. The €100 million fine is calibrated to the severity of the actual failings: wrong instruments, compromised cryptography, and entangled governance. The harder compliance challenge it creates is the expectation that organisations will catch these structural mismatches before a regulator does.