European Data Protection Authority Fines Yango €100M

The Dutch Autoriteit Persoonsgegevens (AP) has imposed a €100 million (about $109 million) fine on MLU B.V., the Dutch entity that operates the Yango ride‑hailing app in Europe. The penalty stems from the unlawful transmission of extensive personal data—driver licences, home addresses, payment details, GPS traces and even chat logs—to servers in Russia. The investigation, conducted jointly with Norway’s and Finland’s data‑protection authorities, found that the transfers violated the EU’s General Data Protection Regulation, which permits cross‑border flows only when comparable safeguards exist.

The sanction is anchored to Yandex Group’s 2024 global turnover of roughly €12 billion ($13 billion), illustrating how GDPR fines scale with corporate size. For Yango, the immediate order to halt data flows to Russia forces a rapid redesign of its backend architecture and may push the service out of the Nordic market altogether. The financial hit, while sizable, is modest relative to Yandex’s revenues, yet the reputational damage could accelerate the company’s retreat from Europe or trigger a restructuring of its Dutch subsidiary.

Yango’s case underscores a growing willingness among European regulators to enforce data‑privacy rules against non‑EU tech players. Companies that rely on offshore processing must now audit their data pipelines, implement EU‑standard contractual clauses, or face multi‑digit fines. The decision also sends a clear signal to other Russian‑origin platforms operating in the bloc: without an independent Russian data‑protection authority, the risk of state access makes compliance untenable. Firms that prioritize privacy by design will be better positioned to avoid similar penalties.