The new law allows the Russian security service to monitor taxi customers continuously. Supervision of Yangon belongs to the Dutch authority, says the Finnish Data Protection Commissioner.
Taxi app The user data of all Yangon customers – including Finns – is stored in Russia, says an independent Russian-speaker news service Meduza according to the information they received.
Read more: Urgent decision: Transfers of Yango customers’ personal data from Finland to Russia will be stopped
At the beginning of September, a new one will enter into force in Russia taxi actbased on the related regulation, the security service FSB gets round-the-clock access to information in Yangon.
Yango, which operates in several countries, is a taxi application of Yandex, an IT giant with a Russian background but registered in the Netherlands. Meduza has obtained internal messages from Yandex, in which employees are inquiring about how the information of Yangon’s foreign customers is protected from the FSB.
Medusa in the messages seen, the management representative said that Yangon’s data is stored in Russia. He asked employees to avoid discussions with customers about the location of data centers.
“All Yangon databases are in Russia. There is no physical or logical partition [kansainväliseen ja venäläiseen osaan]”, a Yandex representative replied, according to Meduza.
The Russian Duma approved the taxi law in December. In July, the Prime Minister Mikhail Mishustin signed the related regulationwhich from the beginning of September gives the FSB continuous access to taxi data.
HS told about Russia’s future taxi law in Yandex in his story in the beginning of July.
Three A representative of Yandex, interviewed by Meduza anonymously, has confirmed that all taxi data is now stored in Russia in data centers in Moscow, Ryazan and Vladimir regions.
Yandex’s only data center outside of Russia is located in Mäntsälä. According to those interviewed by Meduza, there is currently no information about Yangon stored there.
In its July article, HS told about Yandex oy’s response to the data protection commissioner in 2019. In it, the company confirmed that Yangon’s user data will be transferred from Finland to Russia.
“Personal data collected by Yandex.Passport [Yangoon] upon registration, are transferred to Yandex LLC in Russia. The information is used for identification, registration and billing,” the company said in its written response.
According to the company, this information includes the user’s name, e-mail address and payment card, as well as optionally a telephone number, photo, date of birth, country of residence and city. This user account information is used in all Yandex services in different countries.
Regarding the storage of the actual taxi data, Yandex oy urged the data protection commissioner to ask the Dutch subsidiary Yandex.Taxi BV (now Ridetech International BV), whose business they belong to.
It is not known whether the data protection commissioner has inquired about the matter in the Netherlands.
“
According to Meduza’s source, the company initially considered storing foreign taxi data only in Finland.
Lithuania the cyber security center already said in 2018 that Yango transfers data to Russia.
Estonia and Latvia banned the operation of Yangon last year for information security reasons. Lithuania has restricted the download of the application. In Finland and Norway, however, the service has been allowed to operate normally.
In March of last year, the Yandex taxi service comment service shutdown in Latvia. It said that the company “has never denied that the service’s algorithms can utilize servers located in Russia just as well as a data center in Finland”.
The two employees interviewed by Meduza say that the information about taxi trips taken abroad and in Russia is kept together and it is technically not easy to separate them. According to them, previously there were backups of the data in both Finnish and Russian data centers, so that the operation of the service would be secured in the event of disruptions.
According to Meduza’s source, the company initially considered storing foreign taxi data only in Finland, but the idea was rejected as expensive and difficult to implement.
So To be able to use the Yangon taxi app, you must accept the User Agreement and the Privacy Policy. According to Yangon’s privacy policy in Finnish, the company can transfer user data to parties in different countries.
“Some of these countries do not ensure the same level of protection of data or registered rights as the country where we offer the application,” the practice says.
Even then, the company promises to ensure “compliance with your rights and the protection of your personal data during and after the transfer”.
According to Meduza, two days before Russia’s large-scale attack on Ukraine, Yango removed from its privacy policy the mention that customer data would be processed in the Mäntsälä data center.
According to the data protection policy, Yango collects information from the customer, for example, about the IP address, the device ID and the addresses searched by the user.
Yandex said years ago that it had received thousands of requests for information from the Russian authorities, most of which had been answered.
Yandex former CTO Hrihor Bakunov estimates to Meduza that the company can provide the FSB with copies of the taxi data or send a selection of data according to the instructions given by the security service.
Bakunov considers the FSB’s access to information a risk, especially for Russians who have fled abroad if they use Yango.
In the first half of 2020, Yandex said it received 15,000 requests for information from the Russian authorities and responded to 84 percent of them.
In 2019, the authorities used the taxi data provided by Yandex to Meduza’s supplier Ivan Golunov in the drug case. Former police officers tracked down Golunov using taxi data provided by Yandex and framed him for drug trafficking. After widespread protests, Golunov was released and the former policemen were convicted of the crime.
Yandex had also handed over information about Golunov’s taxi trips in Latvia to the authorities.
in Europe when operating, Yandex is committed to complying with the European Data Protection Regulation, i.e. GDPR. According to it, the user can terminate his consent to the processing of personal data and request the deletion of the data.
about what happened at Yandex in January data leak based on this, the company has developed a way to delete data in accordance with GDPR. However, it appears from the leak that Yandex does not delete all data but keeps, among other things, some “technical and historical data”.
According to Russian legislation, the company must keep taxi data for six months.
in Finland the data protection commissioner’s office has not been aware of Russia’s new taxi law, said the data protection commissioner Anu Talus for HS last Thursday.
According to Talus, however, the issue of data security in Yangon has raised concerns. Matters related to the company have been “started”, but their processing has been slowed down by finding out whose jurisdiction Yango belongs to.
It has recently become clear that the competent authority is the Dutch data protection authority, because Yangon’s parent company is Dutch, Talus says.
“If certain conditions are met, it is possible to handle the matter locally [Suomessa].”
According to Talus, there may be new information on the matter after his vacation in September.
“
A possible ban on data transfer should be taken to a national court.
Russian the taxi law could be a basis for banning the transfer of data to Russia, says Talus.
First, however, the authority would have to assess and decide whether Russia is a data secure country. According to Talus, such a solution has not been made in the EU. A possible ban on data transfer should be taken to the national court, which would have to request a preliminary decision from the EU court.
According to Talus, Yangon’s operations in the Baltics have not been banned by the data protection authority, but the decision has been made at a “political level”. He cannot say whether a political decision would be possible in Finland.
In Estonia, Yangon was banned by the government, in Latvia by the road traffic authority.
After the interview, Talus informs that the data protection commissioner has now made an interim decision on the matter in an urgent procedure. According to the decision The transfer of customer data used in the Yango taxi service to Russia is prohibited.
The decision is valid for three months.
According to the announcement made by the Data Protection Commissioner on Wednesday, the temporary decision does not need to be taken to a court hearing.
According to the Data Protection Commissioner, it is able to monitor the ban on data transfer by inspecting the target’s information systems.
Holland’s the data protection authority Autoriteit Persoonsgegevens replies to HS that “Dutch and Finnish data protection authorities are working closely together to clarify their jurisdiction and decide on their next steps so that the right of Finnish and other EU citizens to data protection is realized”.
At the same time, the Dutch authority says that it cannot comment on matters related to an individual company or the ongoing investigation.
The Yangon press service informed HS in the afternoon that the company is “reading the data protection commissioner’s decision”.
According to Yangon, despite the taxi law, the information about taxi trips outside of Russia would not end up in the hands of the Russian authorities, as Russian legislation does not apply to the company’s foreign operations.
According to Yangon, its Dutch parent company Ridetech BV takes great care to ensure that it complies with the EU Data Protection Regulation and legislation and deletes its customers’ data if they request it.
According to the company, the Russian authorities can only request information through the Dutch authorities, for example for Interpol purposes.
Enforcement agency has seized Yandex’s assets and shares in Finland, because the company’s owners are on the sanctions list. However, the company can continue to operate normally.
Yandex oy, or the current Global DC, has challenged the freezing of assets in the Helsinki district court.
Helsingin Sanomat has received material related to Yango from Meduza’s editor Svetlana Reiter.
Updated 12.14: The data protection commissioner was not aware of the Russian taxi law until he heard about it from HS.
Updated 1:48 p.m.: Added mention of Baltic bans.
Updated 14:54: Added Yangon’s comments and the data protection commissioner’s clarification of the urgent decision.
#Yango #Taxis #personal #data #Finnish #Yango #customers #possession #Russian #security #service #FSB