Yango Hit With €100 Million Fine for Routing European User Data to Russia

European regulators just issued their first-ever ruling on data transfers to Russia — and the penalty sends a clear message about what “adequate safeguards” actually means.

European data protection authorities have handed down a €100 million fine against MLU B.V., the Netherlands-based entity responsible for the Yango ride-hailing app’s data operations in Europe. The penalty stems from the unlawful transfer of personal data belonging to Yango’s European users to Russia — without the protections required under GDPR.

The decision, issued on May 8, 2026, also includes a prohibition on any further transfers of European Yango users’ personal data to Russia. It marks the first time European data protection authorities have formally ruled on the adequacy of data transfers to Russia specifically — making it a significant enforcement milestone, not just a headline fine.

What Yango Was Doing Wrong

Yango operates as a taxi and ride-hailing platform. In the context of that service, it processed personal data belonging to both passengers and drivers — the kind of data that includes location history, contact details, and trip records.

MLU B.V., which sits within the broader Yandex corporate group, served as the data controller for European users and is headquartered in the Netherlands. An investigation launched in 2023 by Dutch, Finnish, and Norwegian data protection authorities examined whether user data was being transferred to Russia and, if so, whether adequate safeguards were in place to protect it.

The finding was clear: data was being transferred to Russia, and the company could not demonstrate that Russian authorities were being effectively prevented from accessing it.

That last point is the crux of the enforcement action. GDPR does not prohibit international data transfers outright — but it does require that personal data transferred outside the European Economic Area receive a level of protection essentially equivalent to what EU law guarantees. Russia doesn’t meet that standard. Russian intelligence services have broad legal access to data held by companies operating in the country, and the investigation concluded that MLU B.V. had no effective mechanism to counteract that access.

Why This Decision Matters Beyond the Fine

The €100 million penalty is significant on its own. But the broader importance of this ruling lies in what it establishes: a formal, reasoned position from European regulators on what data transfers to Russia mean for GDPR compliance.

Until now, the most prominent transfer adequacy rulings — Schrems I, Schrems II — focused on the United States. The Yango decision extends that legal framework to Russia, and the reasoning is squarely grounded in the surveillance access that Russian law affords to Russian authorities. Any company transferring European personal data to Russian systems or Russian-based infrastructure should treat this ruling as directly relevant to its own compliance posture.

“Companies operating in the EU must guarantee strong protection for personal data by complying with EU data protection rules,” said Finnish Data Protection Commissioner Anu Talus. “It is not permitted to transfer personal data outside the EU if its security cannot be ensured.”

How the Decision Was Made

The Yango ruling was produced through the GDPR’s cross-border cooperation mechanism. Because MLU B.V.’s EU headquarters is in the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) served as the lead supervisory authority. The Finnish and Norwegian data protection authorities participated as concerned supervisory authorities, given that Yango had been operating in both countries.

Under GDPR’s one-stop-shop mechanism, only the lead supervisory authority — or the European Data Protection Board — can issue a permanent ban on a company’s processing activities. The Dutch DPA carried that authority here.

Commissioner Talus also noted that enforcement cooperation is set to become more efficient: new procedural rules governing cross-border cases within the EU take effect in 2026, which should accelerate decision-making timelines for future matters of this type.

One More Detail Worth Noting

MLU B.V. has stated that Yango ceased operations in Finland and Norway in October 2025. The app, however, remains available for download in both countries’ app stores.

The company retains the right to appeal the fine.

The Takeaway for Compliance Teams

This enforcement action reinforces several principles that GDPR-regulated organizations should already have in their compliance programs — but that tend to receive less attention than they deserve:

Transfer impact assessments are not optional. When personal data moves to a third country, the organization responsible for that transfer must be able to demonstrate that it has assessed the legal landscape in the destination country and implemented safeguards that actually work. “We have standard contractual clauses in place” is not sufficient if those clauses are rendered ineffective by the destination country’s domestic law.

Government access rights are part of the analysis. The Yango ruling is explicit: the breadth of Russian intelligence access to data held in Russia was a central reason the transfer was found to be unlawful. Organizations should apply the same lens to any transfer destination where broad government surveillance access is a feature of local law.

Cross-border enforcement is getting faster. The cooperation between Dutch, Finnish, and Norwegian authorities in this case — and the procedural improvements coming in 2026 — signal that the days of cross-border cases stalling in regulatory coordination are ending. Enforcement will move more quickly, and organizations that have deferred hard transfer compliance questions should treat that as a reason to accelerate their own reviews.

The Yango decision is a reminder that GDPR’s international transfer rules have teeth — and that regulators are increasingly prepared to use them.
