Today's Top Story
Dutch DPA Fines Yango €100M: SCCs Alone Won't Shield Russia Transfers
The Dutch Data Protection Authority (AP) announced on May 8, 2026 that it has fined MLU B.V. — the Netherlands-registered operator of the Yango taxi app (a Yandex subsidiary) — €100 million for transferring Finnish and Norwegian users' personal data to Russia without adequate safeguards. The case was co-investigated by the Dutch, Norwegian, and Finnish DPAs.
The AP found that Standard Contractual Clauses (SCCs) are legally insufficient to authorise transfers to Russia given the absence of GDPR adequacy and Russia's state surveillance laws. This is the third major GDPR cross-border transfer enforcement action in three years — following Meta's €1.2B fine (Ireland DPC, 2023) and TikTok's €530M fine (Ireland DPC, 2025) — establishing a clear regulatory pattern: controllers must demonstrate functioning supplementary safeguards, not just signed SCCs, for every transfer to a non-adequate jurisdiction with active state surveillance laws.
Also Today
UK DUAA Complaint-Handling SLA — 17 Days to Go (June 19)
The UK Data (Use and Access) Act 2025 requires all UK data controllers to acknowledge data protection complaints within 30 days of receipt, effective June 19, 2026. Non-compliance opens a direct ICO enforcement pathway. If your complaint intake process doesn't log and assign every complaint, build it this week.
California Hits GM with $12.75M — First CCPA Data Minimization Fine
The California AG and CPPA settled with General Motors for $12.75 million — the largest CCPA fine to date — for selling driving behaviour and location data to Consumer Reporting Agencies without adequate consent. GM must delete all retained Covered Driving Data within 180 days. This is California's first enforcement targeting data minimization and purpose limitation, signalling active CPRA scrutiny of connected-vehicle and IoT data pipelines.
South Korea PIPA 10% Revenue Fines — 101 Days (September 11)
South Korea's amended PIPA (signed March 10, 2026) introduces fines of up to 10% of annual revenue for qualifying violations, alongside personal CEO liability and a 72-hour breach notification deadline. Effective September 11, 2026. Map exposure and assign C-suite compliance ownership now.
⏰ Deadline Alert — 3 Days
Australia Children's Online Privacy Code — OAIC consultation closes June 5. Submit feedback if your services are accessible to Australian children. Final code registration required by December 10, 2026.
One Thing to Do Today
Audit every data flow routed through Russian data centres or to Russian processors. Document whether supplementary safeguards beyond SCCs are in place and tested. The Yango decision gives regulators a confirmed playbook — and a €100M precedent — to act on.
Tomorrow's Focus
AI Governance — EU AI Act compliance milestones, global AI governance updates, and model risk obligations for financial institutions.