Regulators fear Russia could access Yandex taxi data from Europe, Central Asia

News that the Russian security service could potentially gain access to data collected by the Yandex taxi service has raised alarms among users and regulators in Europe and Central Asia.

Often referred to as "Russia's Google," Yandex runs the biggest search engine in the country and also provides an Uber-like ride-hailing and food-delivery service under the name Yango, or YandexGo, in more than 20 countries. These include Israel, Norway, Finland, Belarus, Kazakhstan, Georgia, and Armenia.

Last year, the Russian parliament signed a law allowing the country’s security service, the FSB, to access user data collected by taxi services. The law comes into force in September and could potentially affect not only Russian but also foreign users of Yango, according to an investigation published by the Russian independent media outlet Meduza.

In response to Meduza's investigation, Yandex denied that the FSB would gain access to customer data outside of Russia.

"Data about the trip can only be obtained by law enforcement agencies of the country where the trip was made," the company's press service said in a statement shared with the Russian media. Russia's new law on access to taxi data will not change those rules, Yandex added.

However, countries where the service operates still have concerns about user privacy.

Finnish and Norwegian regulators said on Tuesday they had banned Yandex and its Netherlands-based partner Ridetech International from sharing any personal data of Yango’s customers with Russia.

"There is an acute risk to privacy as Russian authorities could potentially monitor the movements of Norwegian citizens via Yango," the Norwegian data protection authority said in a statement.

Georgia and Kazakhstan have also launched an investigation into this matter. While the investigation is ongoing, the Kazakhstan government has temporarily suspended the operation of the Yandex website in the country.

The Kazakhstan subsidiary of the company said that it handles its user data in compliance with the nation's laws and can only share user data with foreign governments through an official request.

Yandex data processing

Citing unnamed sources from Yandex, Meduza reported that the company's taxi service data is stored in three data centers located in Russia. Before the war in Ukraine, some data was also stored in a center in Finland, but it was duplicated in Russia, the outlet reported.

Starting in September, the Russian FSB might be able to access Yandex users' IP addresses, device IDs, and operating systems, along with personal details such as names, phone numbers, email addresses, banking information, and travel routes.

Within Europe, the company has to abide by European data protection laws, which allows users to ask for their personal data to be deleted by the service. But, according to Meduza's report, Yandex has a different set of data that users cannot delete. This includes "technical" and "historical data." What exactly this data includes isn't entirely clear.

Yandex has a long history of both cooperating with and refusing requests from the FSB. In 2011, the agency required the company to disclose details about financial contributors to opposition activist Alexei Navalny through Yandex’s money service.

In 2017, Yandex closed its offices in Ukraine after the country’s security service accused it of illegally collecting Ukrainian users’ data and sending it to Russian security agencies. The firm denied any wrongdoing.

During the first half of 2020, Yandex received 15,300 requests from the Russian government to transfer data about its users. Yandex complied with 84% of these requests, according to the company’s transparency report.

In June this year, however, the company was fined $24,000 for repeatedly refusing to share user information with security services.