If you’re going to encrypt European personal data before transferring it to a high-risk jurisdiction, the golden rule is simple: don't leave the encryption keys on the exact same server.
In this episode, Robert Bateman unpacks a staggering €100 million fine handed down by the Dutch Data Protection Authority (AP) against MLU B.V., the legal successor to the operator of the Yango ride-hailing app. Despite taking a "risk-based approach" and relying on Standard Contractual Clauses (SCCs) and encryption, the company's technical and corporate architecture fundamentally failed to protect the personal data of Finnish and Norwegian users transferred to Yandex in Russia.
Robert breaks down the Dutch DPA’s decision, exploring why regulators are increasingly piercing the veil of technical and legal documentation, and asks the ultimate question: what actually stands up to scrutiny when transferring data to non-adequate jurisdictions?
Key Takeaways & Topics Discussed:
The Yango Case Breakdown: How the Dutch DPA asserted lead supervisory authority over a Netherlands-based entity for data transfers impacting users in Finland and Norway.
Joint Controllers vs. Processors: Why the DPA rejected the exporter's claim that the Russian importer was merely a processor, ruling that the commercial reality of their shared software made them joint controllers.
A Fatal Technical Flaw: How storing encryption keys in the RAM of the exact same Russian back-end server completely undermined the exporter's pseudonymisation and encryption safeguards.
The "Legal Illusion" of Separation: Why shifting the encryption keys to an AWS server in Frankfurt in late 2023 still failed to satisfy the DPA. (Spoiler: Sharing the exact same director across the European exporter and the Russian importer meant the importer still had the executive means to re-identify users).
State Surveillance & SORM: A look into the DPA's analysis of Russian surveillance laws, the SORM system, the FSB, and why the local telecom regulator offered no meaningful independent oversight.
The Bigger Picture: What this massive enforcement action tells us about the limits of SCCs and Transfer Impact Assessments (TIAs) in the face of problematic surveillance laws.
Relevant Resources:
Dutch Data Protection Authority (Autoriteit Persoonsgegevens): Penalty notice issued to MLU B.V. (April 2026)
GDPR References: Chapter V - specifically Articles 44 and 46 (General principles for transfers & Transfers subject to appropriate safeguards).
Thanks for listening to the Privacy Partnership Podcast. Be sure to subscribe for more deep dives into the latest global data protection and privacy enforcement news.
