
Nordic governments join forces to protect data transfers

Nordic countries deepen their cooperation over cyber security amid heightened threat from neighbouring Russia

Nordic governments are bolstering cooperation with the aim of better policing the cross-border transfer of personal data mined by the subsidiaries of Russian-owned enterprises in their countries.

The collaboration forms part of the closer monitoring of Russian-owned companies across the region, with a special focus on enterprises that are engaged in the mining and possible transfer of customers’ personal data to servers operated by parent groups in Russia.

The bolstering of inter-state Nordic cooperation takes place against the backdrop of pre-emptive actions, taken by the data protection agencies in Finland and Norway in August, to temporarily suspend any transfer by Yango of personal data from their national jurisdictions to servers in Russia owned by the taxi service company’s tech parent Yandex, the so-called “Google of Russia”.

The temporary bans implemented by Finland and Norway in August, which expired on November 30, were prompted by legislative reforms enacted in Russia in September that allow the country’s federal security service, the FSB (Federal’naya Sluzhba Bezopasnosti), to access personal customer information held on the databases of taxi service operators.

Security risks attaching to the Yango Taxi App (YTA) emerged as a specific source of concern to Norway’s Office of the Data Protection Ombudsman (ODPO/Datatilsynet) and Finland’s Data Protection Ombudsman (DPO/Tietosuojavaltuutettu). Both watchdog organisations feared that the personal data mined by Yango in both Norway and Finland, in the wake of reformed data capture laws, may have been processed on Yandex servers in Russia and open to access by the FSB.

A tri-agency investigation, led by the Dutch Data Protection Authority (DDPA/Autoriteit Persoonsgegevens), revealed that personal data mined by Yango in Finland and in Norway was processed on servers located in the Netherlands and operated by Ridetech International, a wholly owned subsidiary of Yandex which is headquartered near Schiphol airport southwest of Amsterdam.

On the basis of legal jurisdiction and Ridetech International’s corporate base, the DDPA adopted the role of lead supervisory authority in the probe on Yango in cooperation with the DPO and the ODPO. The joint investigation is examining how Ridetech and Yango handle and share personal data, and if data is shared with its parent and subsidiaries on a possible cross-border level. The investigation is expected to be completed in the first half of 2024.  

An assessment on the legality of Yango’s cross-border data transfers will be made by the tri-agency investigation team as part of a final decision based on the European Union’s (EU’s) so-called “cross-border procedure”.

The tri-agency team, in pursuit of a final resolution, will consult on a wider scale with EU data protection authorities to form an appraisal as to the adequacy of data protection policies and standards applied by Russian companies operating in EU countries. The tri-agency team will test the data protection adequacy of Yango’s, Ridetech’s and Yandex’s processes in terms of compliance with the EU’s General Data Protection Regulation (GDPR) privacy and security laws.  


National security concerns directed at Yango and Yandex had previously surfaced in the Baltic states in 2022, leading to Estonia and Latvia declaring the Yango Taxi App a “national security risk”. The security concerns resulted in Estonia and Latvia revoking the commercial taxi operating licences of Yango.   

The reform of data capture laws for taxi operators in Russia was the primary trigger for introducing the temporary data transfer ban and the probe into how Yango and associated companies manage data mined outside Russia, said Anu Talus, Finland’s data protection ombudsman.

“The new legislation in Russia gives its security services exceptionally broad rights to capture information processed in taxi operations. Due to the reform, we needed to respond and take urgent measures to protect personal data mined by Yango in Finland,” Talus said.

The ODPO consulted with national security intelligence agencies before deciding to impose a temporary ban on Yango in Norway, said Tobias Judin, the head of the authority’s international department. Yango entered the Norwegian ride-hailing market in 2021.

“The security of personal data was a significant concern for us in implementing the temporary ban. Among other things, Yango processes personal data about location, pick-up points and destination. We do not want the Yango app, or the company, to pose an acute risk to privacy by way of allowing authorities in Russia to potentially monitor the movements of Norwegian residents through Yango,” Judin said.

If Yango is found to be processing data on servers in Russia, the company will need to disconnect its operating systems from those in Russia, said Judin.

“Should Yango fail to do so, the company could face the termination of its taxi services operating licences in Norway and Finland until a viable technical ‘detachment solution’ is found,” Judin said.

The clamp-down by Nordic governments on Russian-owned companies potentially moving personal data from their national jurisdictions to Russia is taking place against the backdrop of a surge in cyber attacks since June 2023 that have targeted state and privately operated IT networks.

National security agencies in Finland, Norway, Denmark and Sweden suspect “bad actors” in Russia are behind a majority of the attacks. As a result, the scale of supervision conducted by national security agencies on Russian-owned enterprises operating in Nordic countries markedly intensified in the aftermath of Russia’s invasion of Ukraine in February 2022.

Moreover, Nordic governments have reevaluated threat levels based on updated intelligence that “bad actors” planned to dramatically scale up cyber attacks on Nordic state and private organisations in response to the joint decision by Finland and Sweden to join neighbours Denmark and Norway in the North Atlantic Treaty Organisation (NATO).

The prospect of having the once neutral Nordic states of Sweden and Finland in NATO precipitated an immediate hostile response from the Putin administration, followed by the cooling of political relations.

The Nordic countries observed a noticeable rise in cyber attacks against government and private enterprises after Finland formalised its membership of NATO in July 2023. Nordic security agencies anticipate a further rise in the level and intensity of cyber attacks once Sweden’s accession to the Alliance is ratified in the first half of 2024.

Traficom, Finland’s state-run transport and communications organisation, attributed a distributed denial-of-service (DDoS) attack launched against its website on September 18 to “bad actors” in Russia. Traficom identified the Russia-based NoName as the prime suspect, the same “dark-cyber-sphere group” that had earlier targeted Traficom and other Finnish state organisations on September 7.

National security agencies in Norway suspect “bad actors” in Russia were behind two key events in July, including a data-capture attack against the IT-networks of 12 government ministries. The attacks triggered enhanced security measures to protect classified and non-classified information on ICT platforms that are shared by pivotal state departments, including defence, justice, emergency preparedness and foreign affairs. 

“We uncovered a previously unknown vulnerability in the software of one of our suppliers. This vulnerability was exploited by bad actors. The vulnerability has now been closed,” said Erik Hope, the director of the department of security and service (DSS). The DSS is tasked with defending the IT networks of government ministries against cyber attacks.

July also saw extensive data capture attacks launched against the IT networks of recycling group Tomra ASA and publishing house Schibsted ASA. In each event, cyber attack defences were mobilised to prevent sustained attempts to appropriate sensitive data on the IT platforms of both companies.
