Yango Hit With €100 Million Dutch Privacy Fine Over Data Transfers to Russia

Key Takeaways

• Massive GDPR Penalty: The Dutch Data Protection Authority fined Yango operator MLU BV €100 million over transfers of personal data from Norway and Finland to Russia.
• Sensitive Data Involved: Regulators said the transferred data included driver’s license scans, bank account numbers, social security numbers, trip details, chat conversations, photographs, and precise location data.
• Joint European Investigation: The case was investigated jointly by privacy regulators in the Netherlands, Norway, and Finland after concerns emerged in late 2023.
• Immediate Order Issued: Dutch regulators ordered MLU to immediately stop transferring personal data of users in Norway and Finland to Russia through the Yango platform.

Deep Dive

The Dutch Data Protection Authority said last week that it has fined MLU BV, the Netherlands-based company behind the European version of the taxi app Yango, €100 million for unlawfully transferring personal data from Norway and Finland to Russia.

The investigation began in late 2023 and quickly expanded beyond the Netherlands. Because MLU is established there, the Dutch regulator took the lead role. Privacy authorities in Norway and Finland joined the probe because Yango users in those countries were affected.

According to the Dutch authority, Yango collected and stored large amounts of data belonging to both customers and drivers on servers located in Russia. The material included scans of driver’s licenses, home addresses, contact information, bank account numbers, photographs, social security numbers, detailed trip information, and even the contents of chat conversations inside the app.

Not all personal data carries the same weight. A phone number is one thing. A real-time map of where people travel, tied to identity documents and banking information, is something else entirely.

Under Europe’s General Data Protection Regulation, companies can transfer personal data outside the European Economic Area only if protections are essentially equivalent to those guaranteed within Europe or if sufficient safeguards are in place. The Dutch regulator concluded that MLU failed to meet that standard.

“In Russia, personal data is not protected as well as in Europe,” said Aleid Wolfsen, chair of the Dutch authority. He said Russian authorities could potentially gain access to the information and argued that the sensitivity of the data demanded stronger protections than those the company had implemented.

The regulator also pointed to what it described as the lack of an independent privacy watchdog in Russia. That mattered. European privacy enforcement has increasingly focused not only on where data travels, but on the legal environment waiting for it once it arrives.

MLU has now been ordered to immediately stop transferring personal data belonging to people in Norway and Finland to Russia through the Yango platform.

The size of the penalty reflects more than the conduct itself. European privacy regulators calculate GDPR fines partly using company turnover, and the Dutch authority said it considered the broader financial scale of the parent organization when determining the amount. MLU is part of the Yandex Group, which the regulator said reported global turnover exceeding €12 billion in 2024.

The case lands in a part of the GDPR that has become steadily more politically charged over the last several years. Cross-border data transfers were once treated by many companies as a technical compliance exercise buried somewhere between legal review and cloud procurement. Regulators increasingly do not see them that way, especially when the data involves location histories, transportation records, financial details, and identity documents moving into jurisdictions European authorities consider high risk.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.