The technology group Yandex has been hit with a significant penalty after regulators concluded that personal information from its international taxi service was routed to Russian servers without adequate protections. A Dutch-registered arm of the company, MLU B.V., has been fined €100 million following a joint decision by data protection authorities in the Netherlands, Finland and Norway. The inquiry, which began in 2026, focused on whether data belonging to users of the Yango taxi service operating in Finland and Norway was being transferred to Russia and whether those transfers exposed personal information to undue access.
Investigators determined that user information had been moved to Russian locations without satisfactory safeguards and that the company did not convincingly show that access by Russian authorities was effectively prevented. As a result, regulators demanded that such data transfers cease immediately. The decision underscores the heightened scrutiny placed on cross-border flows of personal data, especially where geopolitical risk and differing legal regimes are involved. The ruling also highlights how companies registered in one jurisdiction can still be accountable under EU data protection rules when serving users in the region.
What the probe found
The joint inquiry examined technical and organizational measures surrounding how ride data was stored and transmitted. Authorities concluded that the transfers to Russia lacked sufficient legal and technical guarantees. Investigators flagged failures to demonstrate that access from Russian authorities had been prevented, and they found that data was not isolated by country of origin. The regulators therefore ruled that the practice violated applicable data protection standards and issued the substantial fine along with an order to immediately stop the transfers.
Data flows, storage locations and prior reporting
Independent reporting in 2026 revealed that information from both the domestic Yandex Go taxi service and its international counterpart Yango was present in data centers located in the Moscow, Ryazan and Vladimir regions of Russia. Before the full-scale invasion of Ukraine, some Yango data was also stored at a facility in Mäntsälä, Finland. Sources described how data was duplicated across Yandex’s various centers with no strict separation between trips originating in Russia and those taken abroad. Regulators used those findings to probe whether such duplication could create uncontrolled access risks.
Regulatory measures and immediate consequences
Following the investigation and media reporting, Finland’s Office of the Data Protection Ombudsman issued an emergency order suspending transfers of any Yango taxi customer data to Russia. The coordinated decision with Dutch and Norwegian authorities culminated in the fine and the order to stop the transfers. Authorities emphasized that the transfers posed a tangible risk because they were not accompanied by adequate cryptographic and legal safeguards that would prevent access by third parties, including state actors. The ruling is a clear signal that cross-border replication of user records into jurisdictions with different legal standards will face close examination.
Company response and appeal plans
MLU’s press office told Russian business media that the company intends to appeal the regulators’ decision. The firm asserts that the personal data of EU users was held exclusively inside the EU in a pseudonymized and encrypted form, which it argues would make the information technically inaccessible to outside parties. In public statements, Yandex’s representatives have also maintained that information about taxi rides can only be requested by law enforcement in the country where the ride took place, disputing the notion of broad cross-border access.
Implications for cross-border data governance
This case illustrates broader tensions between corporate data architectures and national regulatory frameworks. Companies operating international services must reconcile the technical convenience of duplicating data for resilience with the legal requirement to prevent unauthorized access. Regulators are increasingly willing to use fines and emergency orders to enforce principles of data minimization and to demand demonstrable safeguards when data moves beyond EU borders. For firms, the decision reinforces the importance of transparent documentation of where data resides and how access by foreign authorities is restricted.
What companies should take away
Organizations that process personal data across multiple jurisdictions should ensure they can produce clear technical and legal evidence that foreign access is limited. Measures such as strong encryption, verifiable pseudonymization, and rigorous contractual and organizational controls are likely to be scrutinized. The Yandex outcome serves as a reminder that regulatory expectations for cross-border data flows are evolving, and that companies must prepare to justify their architectures to data protection authorities across the jurisdictions where they operate.
