top of page

Public Appeal to the Agency for Personal Data Protection, the Ministry of Justice of Armenia.

Updated: Nov 18, 2023

We respectfully bring to your attention the ongoing concerns within Armenia regarding the operations of Yandex services, which have recently sparked extensive discussion. The Armenian public, both as individuals and as a collective, has grown increasingly alarmed by the incidents described below.

Yandex leaked personal data of 6,800,000 users.

On March 1, 2022, Yandex reported a significant breach of its users’ personal data. In response to this incident, on March 23, Roskomnadzor initiated an administrative protocol against Yandex.Food. According to expert estimates, this breach exposed the personal data of approximately 6,800,000 users.

Subsequently, Yandex.Food users pursued a class action lawsuit against the company, seeking non-pecuniary damages of 100,000 RUB per each affected user.

In April 2022, the Zamoskvoretsky Court of Moscow imposed a fine of 60,000 rubles on Yandex.Food for the unauthorized disclosure of users’ personal data.

Further, on August 3, 2022, the Moscow News Agency reported that the Justice of the Peace of the Peace of Judicial Precinct No.101 of the Zamoskvoretsky District Court of Moscow levied another 60,000 RUB fine on the service Yandex.Food in a case related to the exposure of courier data.

Notably, users of the service initiated several class action lawsuits against the company. The first class action, filed on March 30, involved 33 clients represented with the assistance of Destra Legal Service, seeking compensation of 100,000 RUB for each affected user. The second lawsuit, filed on March 31, saw the Interregional Public Organization Responsibility representing 24 applicants who sought compensation of 10,000 RUB per user.

Additionally, the non-profit organization Roskomsvoboda, with support from the Network Freedoms project, facilitated the submission of a third class action. The plaintiffs request the court to declare the actions of Yandex.Food and its parent company, Yandex, as illegal due to their failure to implement necessary and sufficient measures to protect the confidentiality of personal data. The plaintiffs further demand an account of the measures the service and its parent company will take to ensure the security of user data. Finally, they seek compensation for moral damages in the amount of 100,000 RUB for each plaintiff, and it is worth noting that Roskomsvoboda has indicated that an additional 8,000 individuals intend to join the lawsuit.

Another leak, now in 2023.

In a more recent incident in 2023, on January 28, a significant data leak from Yandex occurred. According to Forbes reports, the source codes and related data of numerous Yandex services and programs have been found on the internet, with a total data size of approximately 45 GB in compressed form. This encompasses the source codes of many of the company’s products, ranging from Mail and Taxi to Disk and Alice. Notably, the press service of Yandex confirmed the data leak, underscoring that no hacking had taken place.

FSB will gain continuous access to data from Yandex’s cab ordering service, including trips outside of Russia.

In accordance with data published by the reputable source Meduza, there have been growing concerns among customers regarding the potential access of the FSB to user data, particularly information related to cab trips occurring outside of Russia.

The publication highlights that the data of Yandex Go service users, including those abroad, is currently exclusively stored in Russian data centers situated in the Moscow, Ryazan, and Vladimir regions. Effective from September 1, the FSB is slated to gain access to this data. It’s worth noting that the service, which often goes by the names Yango and Yandex Go, operates in over twenty countries, including Israel, Norway, Finland, Belarus, Kazakhstan, Georgia, and Armenia.

Kazakhstan has taken measures to safeguard the personal data of its users

On August 9, the domain name was suspended within Kazakhstan’s territory. This was due to the fact that the resource was hosted on hardware and software systems outside the Republic. On the same day, "Yandex" reported the restoration of access and indicated its ongoing dialogue with the relevant authorities in Kazakhstan to find a solution in compliance with the country's legislation.

The Agency for Personal Data Protection of the Ministry of Justice of Armenia is reviewing the issue...

An article published on August 12, 2023, on the Radio Azatutyun portal reveals that Juliet Matevosyan, the acting head of the Agency, has expressed keen interest in the situation and announced a comprehensive inquiry. She underscored that if the transfer of data beyond Armenia's borders is confirmed, appropriate actions will be taken in accordance with Armenian law. In the absence of such confirmation, no further action will be pursued.

In an official statement dated August 12, 2023, Armenian company Raidtech AM LLC, which provides Yandex Go services in Armenia, reiterated its unwavering commitment to adhere to the Republic's legislation and its obligations in processing usersэ personal data. The company clarified that data pertaining to its activities within Armenia can only be accessed by foreign state authorities, including the Russian Federation, through official requests and established international procedures. They also emphasized that their security policies adhere to rigorous international standards, as validated by pertinent reports on data security and confidentiality.

Given the circumstances outlined above, we, on behalf of the people of Armenia, urge the Agency for Personal Data Protection of the Ministry of Justice to take the following actions:

1. To provide a comprehensive report on the results of the verification activities initiated by Juliet Matevosyan.
Should these activities confirm the potential access of personal data of Yandex Go users in Armenia by Russian security entities and authorities, we request that concrete response measures, legal actions, and legislative initiatives be shared with the public.
2. In light of the confirmed data breaches affecting millions of Yandex users and the numerous class action lawsuits in Russia, we call for an investigation aimed at identifying instances of personal data leakage among Yandex Go users in Armenia.

Based on the findings of this inquiry, we urge the Agency to take responsive actions and, in the event of confirmed breaches, to educate Armenian users on their rights to individual and collective legal recourse against Yandex Go within Armenian territory.

3. We seek a clear statement from the authorities of the Republic of Armenia concerning the localization of storage for personal data of users of Internet services, such as Yandex, within the territory of Armenia. This statement should address the concerns raised by Armenian users in light of numerous reported incidents and also align with the positions of other CIS member states facing similar situations.

Initiators of the Appeal:

Areg Hakopyan - Managing Partner of Easy Life Consulting Group
Tigran Ohanian - Privacy Defender


bottom of page