Tietosuojavaltuutetun toimisto (Finland) - 7732/161/23

From GDPRhub
Revision as of 11:37, 11 October 2023 by Ar
Tietosuojavaltuutetun toimisto - 7732/161/23 (2)
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 3(2) GDPR
Article 4(22) GDPR
Article 44 GDPR
Article 46 GDPR
Article 58 GDPR
Article 58(2)(f) GDPR
Article 60 GDPR
Article 66 GDPR
Type: Investigation
Outcome: Other Outcome
Started:
Decided:
Published:
Fine: n/a
Parties: Ridetech International BV
Yandex LLC
National Case Number/Name: 7732/161/23 (2)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finnish DPA (in FI)
Initial Contributor: ar

The Finnish DPA revoked the urgent procedure under Article 66 GDPR, which ordered a taxi service company to suspend data transfers from Finland to Russia. But it decided that a further examination of the issue in the context of Article 60 GDPR should be carried out.

English Summary

Facts

Yango is a taxi services mobile app available in the European Economic Area. The app is operated mainly by Ridetech International BV, but also by Yandex Oy. The former is based in the Netherlands, while the latter is based in Finland. They act as controllers for the processing of personal data carried out through the Yango app.

Initially, the lawfulness of personal data processing carried out through the app was being investigated under a cooperation procedure between the Dutch and the Finnish DPA, pursuant to Article 60 GDPR. The conclusion of these investigations was that personal data from Yango users were transferred to Russia based on standard contractual clauses (SCCs) pursuant to Article 46 GDPR.

With regard to the transfers of personal data from Yandex Oy to Yandex LLC, located in the Russian Federation, the Finnish DPA considered itself as the lead competent authority. Upon learning that a law would enter into force in Russia, allowing public authorities of that country to have access to the data of taxi passengers, the Finnish DPA initiated an urgent procedure based on Article 66 GDPR to further investigate the matter.

On 4 August 2023, the DPA highlighted that, with the new legislation entering into force in September 2023, Russian authorities would be legally empowered to have very broad access to personal data collected in Finland, which constituted a disproportionate limitation of the rights and freedoms of data subjects. Therefore, it held that SCCs were no longer sufficient to ensure an adequate level of protection. Hence, it decided that the processing of personal data carried out through the Yango app was contrary to Article 44 GDPR, Article 46 GDPR and Chapter V GDPR. Moreover, it found that the conditions set for the urgency procedure were met, in accordance with Article 66 GDPR. Thus, the DPA temporarily prohibited controllers from transferring personal data collected through the Yango app from Finland to Russia, based on Article 58(2)(f) GDPR.

Holding

Following the decision, the controllers were also given the opportunity to provide any other information they considered relevant to the assessment. In response, they provided a report on the applicability of the Russian taxi law to their activities. The DPA considered that the additional clarification required further examination and an assessment of whether it would affect the interim decision taken in the urgent procedure or the further handling of the case. Hence, the DPA ordered the suspension of the decision until 26 September 2023.

Based on the report, the DPA stated that the legislation on taxis that entered into force in the Russian Federation does not apply to taxi brokerage activities outside Russia, and that the unrestricted access of the National Security Service of the Russian Federation to the personal data of taxi passengers does not apply to the data of Finnish taxi passengers processed in connection with the Yango application. Accordingly, based on the information received, the DPA considered that the taxi law did not seriously endanger the fundamental rights and freedoms of data subjects in Finland. Moreover, based on the clarification received, the DPA considered that the requirements of exceptional circumstances and the need for urgent measures under Article 66 GDPR were no longer met. However, it deemed it possible that the taxi law could be incorrectly applied in Russia, meaning that a further examination of the issue of data transfers in the context of the Article 60 GDPR procedure should be carried out.

Thus, the DPA withdrew the interim decision of 4 August 2023 taken during the urgent procedure, revoking the prohibition of processing and the order to suspend data transmission. The case was closed under the urgency procedure pursuant to Article 60 GDPR, and the competent authority could continue to investigate the case. Hence, the Finnish DPA would be able to continue to cooperate closely with the Dutch and Norwegian DPAs in accordance with Article 60 GDPR. In fact, as the service provider for the Yango application in the EEA is Ridetech International B.V., established in the Netherlands, it was determined that the lead supervisory authority for Ridetech International B.V. would be the Dutch supervisory authority, Autoriteit Persoonsgegevens, and the other supervisory authorities involved would be participating supervisory authorities as defined in Article 4(22) GDPR. Regarding the processing of personal data by Yandex LLC established in the Russian Federation, the cooperation procedure would not apply, and the Finnish DPA would be the competent authority under Article 3(2) GDPR and Article 58 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Data Protection Commissioner to remove the temporary decision

Keywords: data transfers
processing of personal data
urgent procedure

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: add 7732/161/23

Matter

Removal of the temporary decision on banning and suspending data transfers.

Data Controllers

Ridetech International B.V. (Yango taxi service app)

Yandex LLC

Background of the matter

In its decision on August 4, 2023, the Data Protection Commissioner ordered the service provider of the Yango taxi service, Ridetech International B.V. and Yandex LLC, to temporarily suspend the transfer of personal data about the users of the Yango application to the Russian Federation until the matter is finally resolved.

According to the decision, the processing ban for the transfer of personal data and the order to suspend data transfers will enter into force on September 1, 2023. The decision also stipulated that the data controllers must comply with the order regarding the suspension of data transfers, despite any appeal. In addition, the decision ordered the data controllers to provide the Data Protection Commissioner's office by August 25, 2023 with information on what measures they have taken as a result of the decision in question. The data controllers were also given the opportunity to submit other information that they consider to have an impact on the assessment presented in the decision in question.

The data controllers have submitted to the Data Protection Commissioner's office a report on the applicability of the taxi law that entered into force in the Russian Federation to their operations. The Data Protection Commissioner considered that the additional information received required familiarization with the material and an assessment of whether the additional information has an effect on the temporary decision issued in the urgent procedure or on the further processing of the case. According to section 53 subsection 1 of the Administrative Act, the authority can prohibit the implementation of the decision until further notice or order it to be suspended. The Data Protection Commissioner ordered the implementation of the decision to be suspended until September 26, 2023.

Clarification received

The data controllers have submitted various reports to the data protection commissioner's office by August 25, 2023.

Report provided by Ridetech International B.V.

Ridetech International B.V. submitted a report to the Data Protection Commissioner's office on August 16, 2023, in which it presents its views on the applicability of Russian taxi legislation to its operations. Ridetech International B.V. has requested an opinion on the matter from a law firm. According to the report, the taxi law that came into force in the Russian Federation does not apply to Yango's international taxi brokerage operations, nor to users of the application who make trips outside of Russia using the application. According to the report, the Taxi Act applies only to taxi operations which are carried out in the Russian Federation by legal entities registered in Russia. In order to be a taxi broker as referred to in the law, the company must be located in Russia. Ridetech International B.V. is not a Russian legal entity, and the authorities' rights of access to information stipulated in the Taxi Act are therefore not applied to its operations. According to the report, the Taxi Act does not set requirements for a foreign company that keeps information about trips made in Russia outside of Russia.

Ridetech International B.V. has on 25 August 2023 delivered to the office of the Data Protection Commissioner the assessment of the effects of transfers of personal data prepared on 25 July 2023. In the impact assessment, the taxi law coming into force in the Russian Federation has been taken into account. In the impact assessment, it has been determined that the Taxi Act does not apply to the data of Yango application users transferred to Russia.

Report provided by Yandex LLC

On August 16, 2023, Yandex LLC submitted a report to the Data Protection Commissioner's office in which it presents its views on the applicability of Russian taxi legislation to its operations. According to the report, user registration in connection with the Yango application takes place through a separate Yandex ID service. The data is stored in Russia. In its statement, Yandex LLC states that it is the provider of the Yandex ID authentication service. According to Yandex LLC, the taxi law that came into force in Russia does not apply to its operations, because the taxi law applies to taxi brokerage services, and Yandex LLC is not a taxi brokerage service provider.

Expert opinion

On September 14, 2023, the Data Protection Commissioner requested an expert opinion on the applicability of the taxi legislation in force in Russia to the data collected in connection with the Yango application. The opinion is based on a linguistic and systematic interpretation of Russian taxi legislation. Regarding the scope of the Taxi Act and Regulation, the opinion states that it is limited to taxi operations for the transportation of persons and goods carried out on the territory of Russia, including the provision of taxi brokerage services. Taxi brokerage operations outside of Russia are thus outside the scope of taxi regulation in force in Russia.

The opinion states that the territorial scope of the Taxi Act has not been separately defined. The law also does not provide for taxi operations outside the territory of the Russian Federation or the taxi brokerage service, or the data processing that takes place in connection with these – which is partly carried out in Russia. The expert states that it is clear that Russian legislation does not have the possibility to oblige companies located and operating abroad to collect and provide information to the Russian security authorities, but whether it is possible to obtain information depends on the legislation of the country concerned. The Taxi Act separately stipulates that international passenger and goods transport based on taxis is determined according to Russia's international agreements. The Taxi Act does not contain any other provisions on taxi operations carried out abroad or across national borders, or related data processing.

The expert states that, based on a systematic analysis of the Taxi Act, the authorities' right to access information based on Section 14.7 of the Taxi Act only applies to personal data collected and received in connection with the taxi brokerage service operating in Russia. The Taxi Act applies to taxi operations in Russia. According to the law, the taxi brokerage service must be registered in the regional register. In addition, the Taxi Act imposes obligations related to the processing of data collected and received in connection with taxi operations in Russia. The scope of the taxi regulation issued under the Taxi Act is determined accordingly.

According to the opinion, a point-by-point examination of individual legal provisions leads to a haphazard interpretation solution. In the Taxi Act's provision on the authority's right to access information, the taxi brokerage service is obliged to open access to the authorities to its information systems and databases intended for receiving, storing, processing and forwarding taxi orders. Based on that, the authorities seem to have an unlimited right to all information related to the purposes of use according to the law. The statement states, referring to the legal literature, that a point-by-point interpretation of an individual provision or individual provisions cannot be completely ruled out, even if it would mean an incorrect interpretation of the law (See O. D. Ovshinnikova – A. M. Shaganyan, Some problems of interpretation of norms of law, Istoriko-teoreticheskie issledovaniya gosudarstva i prava 2017 N 4 (83), pp. 24–25). The Russian authorities have an obligation based on Article 15.2 of the Constitution (December 12, 1993) to comply with the Constitution and other laws. Russia declares itself to be a state governed by the rule of law, the fundamental prerequisites of which are that the authority of the authorities is based on the law and that the law is otherwise followed in the activities. A point-by-point interpretation of the provisions of the Taxi Act would basically mean an excess of authority and arbitrary interference in the activities of Russian companies doing business abroad.

If the Russian authority were to interpret that it is competent under the Taxi Act and Regulation to also obtain information concerning European users, storing the information in Russia opens the Russian authorities access to information concerning European users. In this case, however, according to the expert, it would be an interpretation of the law which would be contrary to the systematic interpretation of the Taxi Act.

The Data Protection Commissioner's decision and reasons

The Data Protection Commissioner has reviewed the report received. According to the report, the taxi legislation that entered into force in the Russian Federation on September 1, 2023 does not apply to taxi brokerage operations outside of Russia. Therefore, the unrestricted access of the National Security Service of the Russian Federation to the personal data of taxi passengers stipulated in the Taxi Act and Regulation does not apply in principle to the data of Finnish taxi passengers processed in connection with the Yango application. Based on the report received, the Data Protection Commissioner considers that the taxi law that came into force in Russia does not seriously endanger the basic rights and freedoms of data subjects in Finland.

The Data Protection Commissioner considers that, with the report received, the requirements regarding exceptional circumstances and the need for urgent measures referred to in Article 66 of the General Data Protection Regulation are no longer met, and the handling of the matter in the urgent procedure in accordance with Article 66 of the General Data Protection Regulation is concluded. However, according to the expert report obtained by the Office of the Data Protection Commissioner, it is possible that the Taxi Act is applied incorrectly in Russia. The Data Protection Commissioner considers that, although there are no conditions for continuing the urgent procedure, this fact revealed in the expert report highlights the importance of further investigating and evaluating the question of data transfers in the procedure according to Article 60 of the Data Protection Regulation.

According to Section 50, Subsection 1, Clause 4 of the Administrative Act, the authority can withdraw its decision and decide the matter again, if new information has come to light that can significantly affect the decision.

The data protection commissioner removes the temporary decision made in the urgent procedure on 4 August 2023 pursuant to section 50 subsection 1 section 4 of the Administrative Act. The processing ban issued by the temporary decision and the order to suspend data transfers do not enter into force.

The matter regarding the removal of the decision has been dealt with in the written procedure of the Sanctions Board of the Office of the Data Protection Commissioner on 25 September 2023.

Further processing of the case and the points to be taken into account

The processing of the case in the urgent procedure according to Article 60 of the Data Protection Regulation ends. The competent authority can continue to investigate the matter. The Data Protection Commissioner continues to cooperate closely with the Dutch and Norwegian data protection authorities.

Matters concerning the processing of personal data that have effects in the territory of several member states (and EEA countries) are dealt with in the so-called cooperation procedure according to Article 60 of the General Data Protection Regulation. The leading supervisory authority is determined in the said procedure according to the head office of the data controller defined in Article 4, subsection 16.

Ridetech International B.V., located in the Netherlands, acts as the service provider of the Yango application in the European Economic Area. The Dutch supervisory authority Autoriteit Persoonsgegevens acts as the leading supervisory authority in matters concerning Ridetech International B.V. Other supervisory authorities participating in the processing and decision of the matter in the procedure according to Article 60 are participating supervisory authorities according to the definition of Article 4, Section 22 of the Data Protection Regulation. The Data Protection Commissioner is the supervisory authority involved in the case.

As far as the processing of personal data by Yandex LLC, which is located in the Russian Federation, is concerned, the cooperation procedure according to Article 60 of the Data Protection Regulation does not apply and the Data Protection Commissioner is the competent authority pursuant to Article 3(2) and Article 58 of the General Data Protection Regulation.

Applicable legal provisions

Those mentioned in the decision.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the Helsinki Administrative Court.

Service

The decision is notified in accordance with Sections 60 and 63 of the Administrative Act (434/2003).

Learn more about this decision

Chief Inspector Meeri Blomberg

The decision was made by the data protection commissioner Anu Talus.