The Dutch Data Protection Authority, together with the Norwegian and Finnish DPAs, launched an investigation into MLU B.V., the operator of the Yango taxi app in Europe. As a result of the investigation, they found that:
- People's personal data, such as home addresses, licence scans, account numbers, trip histories, chat messages and precise locations, was stored on Russian servers.
- EU Standard Contractual Clauses were NOT sufficient safeguards: the clauses themselves were incorrectly put in place and did not reflect safeguards in real life. Russia had access to encryption keys, and the lack of safeguards against government access made the transfers unlawful.

As a result, MLU B.V. was fined €100 million by the Dutch DPA.
Why is this significant?
- This is a major enforcement action about data transfers to Russia and will set the standard for how other companies should view data transfers to high-risk jurisdictions.
- It's not enough to just put SCCs on paper: they have to be enforceable in practice.