€100 Million Says Your SCCs Aren’t Enough for Data Sovereignty
Key Takeaways
- Contracts didn’t save the controller. The Dutch Data Protection Authority fined a taxi platform €100 million for transferring EU personal data to Russia — even though the company had signed EU Standard Contractual Clauses. SCCs alone are no longer a defense.
- Regulators want architecture, not assurance. The decision turns on a simple test: can the controller actually prevent unauthorized access by the third country? Paper safeguards do not pass that test. Encryption key custody, residency enforcement, and access controls do.
- The pattern is spreading. Ireland’s DPC opened a parallel investigation into Shein over data transfers to China. Two jurisdictions, two high-risk destinations, one regulatory thesis: prove the control or pay the fine.
- Most organizations cannot prove processing sovereignty. Sovereign storage is solved. Sovereign processing is not. Only 36% of organizations have visibility into how third parties handle data in AI systems, and AI workloads complicate every cross-border control assumption.
- The CFO is now a data sovereignty stakeholder. GDPR maximums of 4% of global turnover, plus reputational fallout, plus the cost of restructuring transfers, push sovereignty out of the compliance department and onto the executive risk register.
The Dutch AP Drew a Line. SCCs Won’t Save You.
In April 2026, the Dutch Data Protection Authority — the AP — imposed a €100 million GDPR fine on MLU B.V., the Netherlands-based operator of the Yango taxi app and a subsidiary of Russian tech firm Yandex, for unlawful transfers of personal data belonging to Finnish and Norwegian users to Russia. The decision is dated April 1, 2026; the AP publicly announced the penalty on May 8, 2026, alongside the Finnish and Norwegian data protection authorities, who co-investigated the case starting in 2023. The company had signed EU Standard Contractual Clauses. The AP concluded the clauses were insufficient given Russia’s surveillance and governmental access risks. The transfers were unlawful regardless.
That conclusion is the entire story. SCCs are not a presumption of adequacy. They are a starting point. The controller still has to demonstrate that, in practice, the third country’s legal regime allows the data to be protected at a level “essentially equivalent” to EU standards. When that demonstration fails — and Russia’s surveillance posture made it impossible to succeed — the contractual mechanism collapses.
This is Schrems II logic, fully operationalized. The Court of Justice of the European Union told controllers in 2020 that SCCs require supplementary measures when third-country law presents systemic access risks. For six years, the industry treated that ruling as theoretical. The Dutch AP just made it a €100 million invoice.
The lesson scales beyond taxi platforms and Russia. Every multinational using offshore developers, support teams, analytics vendors, or cloud regions in jurisdictions with strong state-access regimes is now under the same legal microscope. The exam is not whether the contract is in place. The exam is whether the architecture makes the contract enforceable.
What makes the MLU decision particularly difficult to dismiss is the AP’s reasoning. The authority did not argue that SCCs are bad. The AP argued that SCCs, by themselves, cannot constrain a foreign government’s access powers. That is a structural finding, not a documentation finding. No amount of clause refinement fixes a structural problem. The only remedy is to ensure that, in practice, the data is unreachable — through encryption with EU-controlled keys, through residency enforcement, through architectural controls that operate independently of contractual goodwill.
What “Supplementary Measures” Actually Means in Practice
The AP decision underscores a phrase European regulators have been using for years and that most controllers have systematically underweighted: “supplementary measures.” Article 46 of GDPR allows transfers based on appropriate safeguards, but only if those safeguards actually work. When SCCs are the mechanism, the supplementary measures are what makes them work.
In practice, that means three categories of control.
- Technical controls. Encryption with keys held outside the third country. Pseudonymization where decryption cannot occur in the destination jurisdiction. Access logging that demonstrates which entities — including governmental ones — attempted to reach the data. The technical posture must make unauthorized access architecturally difficult, not merely contractually forbidden.
- Organizational controls. Documented Transfer Impact Assessments that evaluate the legal regime of each destination country. Vendor due diligence that examines surveillance laws, not just SOC 2 reports. Incident response playbooks for government data access requests.
- Contractual controls beyond SCCs. Indemnification, audit rights, breach notification timelines tighter than GDPR minimums, and clauses requiring the processor to challenge unlawful access demands. These are not substitutes for the technical and organizational controls. They are accompaniments.
The Dutch AP found MLU’s supplementary measures insufficient given the systemic surveillance risk. The fine is the price of treating “appropriate safeguards” as a checkbox.
Why Storage Sovereignty Isn’t Processing Sovereignty
Most large organizations have solved storage sovereignty. Data lives in EU data centers. Backups stay in-region. Disaster recovery sites are documented. The next regulatory wave is asking a harder question: where is the data actually processed, and does data sovereignty extend that far?
Kiteworks Data Security and Compliance Risk: 2026 Forecast Report data shows the gap explicitly. 29% of organizations cite cross-border transfers via AI vendors as a top privacy exposure. 30% cite third-party AI vendor handling as a top security concern. But only 36% have visibility into how partners handle data in AI systems. The rest are relying on contracts — the exact reliance the Dutch AP just punished.
The 2026 Forecast Report describes this as a shift from “where is the data stored?” to “where is it processed, who can access it, and can you prove it?” Storage controls answer the first question. They do not answer the second two.
This becomes acute with AI workloads. A prompt sent to a cloud AI vendor may be processed in a different jurisdiction than the storage location. The model may be hosted in a third country and fine-tuned in a fourth. The output may traverse multiple borders before returning. Traditional sovereignty controls — which assume data has a fixed location — do not capture this.
The Dutch AP decision applies to all of it. The legal test is not “did the data live in the EU?” The legal test is “could a third-country actor compel access?” For most AI deployments, the honest answer is “we don’t know.”
That honest answer has consequences. When the regulator asks where a prompt was processed, where the model was hosted, and which jurisdiction’s law governs an access request, the controller has to produce evidence — not a statement of intent. Contracts establish the intent. Architecture produces the evidence. The MLU decision is the bridge between those two: it punishes intent that lacks evidence.
The Shein Case Confirms the Pattern
Three days before the Dutch AP publicly announced the Yango fine, Ireland’s Data Protection Commission announced an investigation into Infinite Styles Services Co. Ltd. (Shein Ireland) over transfers of EU and EEA user data to China. The DPC opened the inquiry under Section 110 of the Data Protection Act 2018 on April 30, 2026, and made it public on May 5, 2026. The investigation examines lawful basis, transparency, and safeguards for overseas processing through Shein’s Dublin-based EMEA headquarters.
Two enforcement actions in the same month, targeting two different high-risk destinations, both turning on the same legal mechanism: cross-border transfer safeguards. This is no longer a one-off. It is a regulatory pattern.
China presents the same legal challenge as Russia. The PIPL contains restrictions on cross-border transfers; China’s national security and intelligence laws contain access provisions that cut the other way. The combination means a multinational moving European data into Chinese processing infrastructure faces the same Schrems II problem the Dutch AP just adjudicated.
The Shein case has not concluded. But the DPC has authority to impose substantial penalties under GDPR — up to 4% of global turnover. For a high-volume consumer platform, that math is not abstract.
The wider implication: any organization with development, analytics, or support teams in jurisdictions with strong state-access regimes — not just Russia and China, but also the broader list of countries the EU has flagged in adequacy proceedings — should expect parallel scrutiny. The DPAs are coordinating, the legal test is harmonized, and the budget for these cases is growing.
Sovereignty You Can Prove: The European Standard
European regulators have been telegraphing the new standard for years. Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in Europe executive summary describes it as the shift from “we believe we’re compliant” to “we can demonstrate where data resides, how access is governed, and how cross-border movement is prevented or documented.”
The Europe Sovereignty Report identifies three operational pillars.
- Controls. Residency enforcement, encryption key custody, and access policies that prevent unauthorized cross-border movement at the architecture level. Not at the policy level. Not at the contract level. At the architecture level — meaning the data cannot leave the boundary because the system will not allow it, regardless of who asks.
- Evidence artifacts. Exportable audit trails, data residency logs, and compliance reporting that satisfy regulators and customers on demand. Not on quarterly cadence. On demand.
- Response readiness. Tested playbooks for government data access requests, third-party vendor failures, Transfer Impact Assessments, and Schrems II compliance scenarios. The exercise has to predate the incident.
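As an added illustration of the first two pillars, and of the technical controls listed under supplementary measures above (not code from the original page or from Kiteworks): a residency gate that refuses to process data outside an allow-listed set of regions, and records every decision in a hash-chained, tamper-evident log that can be exported and independently verified. The region names, data IDs and requester labels are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy: the only regions in which EU personal data may be processed.
ALLOWED_PROCESSING_REGIONS = {"eu-west-1", "eu-central-1"}


class ResidencyAuditLog:
    """Append-only log of processing decisions, chained by SHA-256.

    Each record stores the hash of the previous record, so altering or deleting
    an earlier entry changes every later hash and verify() reports the break.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same fields always hash to the same value.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"prev": prev, "ts": datetime.now(timezone.utc).isoformat(), **fields}
        record = dict(body, hash=self._digest(body))
        self.records.append(record)
        return record

    def verify(self):
        """Return True only if every record's chain link and hash are intact."""
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def authorize_processing(log, data_id, requester, region):
    """Residency gate: the system, not the contract, decides whether data is processed here.

    Both allow and deny decisions are logged, so the evidence artifact shows
    which requester tried to reach the data from which jurisdiction.
    """
    allowed = region in ALLOWED_PROCESSING_REGIONS
    log.append(data_id=data_id, requester=requester, region=region,
               decision="allow" if allowed else "deny")
    return allowed
```

The denied request is as important an evidence artifact as the allowed one: it is the record a DPA will ask for when assessing whether access from the third country was actually prevented.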
44% of European respondents cite concerns over provider sovereignty guarantees as a barrier to adopting European cloud solutions — the highest of any region surveyed. The market has been telling vendors what it needs. Regulators have now told them the same thing, with a €100 million enforcement to underline the point.
The Kiteworks Approach: Architecture, Not Aspiration
Kiteworks operationalizes data sovereignty at the infrastructure level rather than the policy level. Secure data exchange supports flexible deployment options — on-premises, private cloud, hybrid, and FedRAMP — so organizations can store sensitive content within the home jurisdiction, whether that is the EU, Canada, the Middle East, or the United States.
Encryption key custody is retained in-jurisdiction. Geofencing is enforced through configurable IP controls. Email, file sharing, managed file transfer, SFTP, and data forms consolidate onto a single zero-trust platform where every file is controlled, tracked, and protected across its life cycle. The architecture enforces residency. The architecture is what the Dutch AP wants to see.
The audit dimension matters equally. Centralized, immutable audit logs and automated compliance reporting — with preconfigured templates for GDPR, DORA, NIS 2, PIPEDA, PDPL, and others — deliver the exportable evidence that the Europe Sovereignty Report identifies as the operational differentiator between organizations that experience incidents and those that prevent them. When a DPA asks for proof of where data was processed, the answer is a query against an immutable log, not a forensic reconstruction.
For organizations rethinking their data transfer posture after the MLU decision, Kiteworks 2026 Forecast Report findings frame the question correctly: the goal is not better contracts. The goal is a unified governance framework that produces audit-ready documentation regulators, auditors, and enterprise customers increasingly demand.
What CISOs and General Counsel Should Do Now
- Audit the geography. Inventory every system, vendor, and workflow that moves European personal data across borders. According to Kiteworks 2026 Forecast Report data, only 36% of organizations have visibility into partner data handling in AI systems — a baseline that will not survive the next DPC inquiry. Start with AI vendors, then offshore development teams, then analytics processors.
- Re-evaluate SCCs as a defense. Per Kiteworks 2026 Forecast Report findings, contractual safeguards alone are increasingly insufficient against state-access regimes. Treat SCCs as one layer of a defense-in-depth posture, not the controlling layer. Add technical controls — encryption, key segregation, residency enforcement — and document them in updated Transfer Impact Assessments.
- Prove processing sovereignty, not just storage sovereignty. Kiteworks 2026 Forecast Report data shows 29% of organizations recognize cross-border AI transfers as an exposure, but recognition is not control. Build the technical posture that constrains processing location, not just storage location. For AI workloads, this is the harder problem and the more urgent one.
- Instrument the audit trail. When a DPA asks how a transfer occurred, the answer must come from a tamper-evident log, not a reconstruction. Kiteworks 2026 Forecast Report findings show 33% of organizations lack evidence-quality audit trails. The Europe Sovereignty Report describes exportable audit trails as the operational differentiator between organizations that experience sovereignty incidents and those that prevent them.
- Run the playbook before the incident. Test the response to a government data access request. Test the response to a vendor failure in a high-risk jurisdiction. The Dutch AP decision shows the regulator will measure the response against documented preparation, not against good intentions. Tabletop exercises that include legal, security, privacy, and the executive team are the cheapest insurance against a regulatory inquiry going badly.
The MLU fine cost €100 million. The architecture that would have prevented it costs less. The board math has changed. What used to be a privacy department line item is now an enterprise risk register entry — one that competes for attention with cybersecurity, financial controls, and operational resilience. The organizations that treat data sovereignty as architecture will spend less money over time than the organizations that treat it as a paperwork exercise. The Dutch AP just made that proposition expensive enough to take seriously.
Frequently Asked Questions
Yes. The Dutch AP decision found SCCs alone insufficient where systemic state-access risks exist in the destination country. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report data shows only 36% of organizations have visibility into partner data handling. Add encryption with EU-controlled keys, document a Transfer Impact Assessment, and assess whether processing can be relocated.
Financial firms face the highest combined GDPR and sectoral exposure. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found 29% of organizations cite cross-border transfers via AI vendors as a top privacy exposure. The Dutch AP precedent suggests SCC-only postures will not survive scrutiny. Architectural controls — residency enforcement, key custody in-jurisdiction — become the defensible standard.
Treat AI vendor selection as a Transfer Impact Assessment exercise, not a procurement exercise. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found 30% of organizations cite third-party AI vendor handling as a top security concern. Document the model’s training jurisdiction, the inference location, and the data flow. SCCs alone are no longer sufficient where state-access regimes exist.
Partially. Sovereign cloud solves storage sovereignty. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report data shows 44% of European respondents still cite provider sovereignty guarantees as a barrier. The MLU decision targets processing sovereignty, including who can access the data, under which jurisdiction. Encryption key custody and access logging are the architectural answers.
DPAs expect documented technical, organizational, and contractual safeguards plus tested response playbooks. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found 33% of organizations lack evidence-quality audit trails. Exportable residency logs, immutable access records, and documented response readiness are the evidence artifacts regulators now expect on demand, not on quarterly cadence.