Internet and mobile ecosystem companies

Yandex N. V.

Domicile: Russia
Website: www.yandex.com
Download company report: English | Русский

8

Key findings

  • Despite key improvements, Yandex failed to disclose enough about policies affecting users’ freedom of expression and privacy.
  • It made notable strides by publishing a formal commitment to respect users’ freedom of expression and privacy rights, but otherwise lacked evidence of strong governance and oversight over human rights commitments across the company’s operations.
  • Yandex disclosed almost nothing about how it handles government demands to restrict content or to hand over user data, although there are no legal barriers to disclosing at least some information about its processes for responding to these types of requests.
Services evaluated

Analysis

Yandex ranked eighth out of the 12 internet and mobile ecosystem companies evaluated, disclosing little about its policies and practices affecting freedom of expression and privacy.1 The company made some substantive improvements, including by publishing a commitment to respect users’ freedom of expression and privacy rights. It also improved its disclosure of policies affecting users’ freedom of expression and privacy rights, but still lagged behind most other internet and mobile ecosystem companies evaluated. It disclosed almost nothing about government requests it receives for user information, and its disclosure of its freedom of expression policies lagged behind its Russian peer, Mail.Ru. While Yandex operates in an increasingly restrictive internet environment that discourages companies from publicly committing to protect human rights, the company could still be more transparent about key policies affecting users’ freedom of expression and privacy.



Yandex N.V. provides a range of internet-based services in Russia and internationally, with products and services that include Yandex Search, the largest search engine in Russia, and email, cloud storage, and maps.

Market cap: USD 12.4 billion2
NasdaqGS: YNDX

  • Disclose more about government requests: Yandex should disclose data about how it responds to government requests to remove content or deactivate accounts, and to hand over user data.
  • Improve governance oversight: Yandex should put processes in place to strengthen institutional oversight over freedom of expression and privacy issues at the company.
  • Clarify handling of user information: Yandex should disclose more about its handling of user information and its policies to keep user information secure.

Governance

Yandex took a significant step forward by disclosing a commitment to respect users’ freedom of expression and privacy rights in accordance with international human rights standards (G1), but otherwise had weak disclosure of its governance and oversight over human rights issues, scoring below most of the internet and mobile ecosystem companies evaluated.3 It disclosed little about whether it carries out human rights due diligence—although it revealed that it considers how laws affect privacy in the jurisdictions where it operates (G4). Yandex disclosed that it provides a mechanism for users to submit freedom of expression and privacy related complaints, however, it failed to disclose its procedures for providing remedy (G6).

G1. Policy commitment

Yandex disclosed a commitment to respect users’ freedom of expression and privacy rights in accordance with international human rights standards.

G3. Internal implementation

Yandex disclosed a whistleblower program through which employees can report concerns related to freedom of expression and privacy.

Freedom of Expression

Yandex disclosed little about policies and practices impacting users’ freedom of expression. The terms of service for Yandex Disk were easy to find, but not for Yandex Search, and its terms for Yandex Mail were more difficult to find than in the previous year (F1). These terms did not clarify if and how users would be notified of changes (F2). The company also lacked clear and comprehensive disclosure about the rules and how they are enforced, although it clarified that no government authorities or private entities receive priority consideration when flagging content to be restricted for violating the company’s rules (F3). It also failed to disclose any data about actions it took to enforce its rules (F4).

Yandex disclosed some information about how it handles government and private requests to restrict content or accounts (F5-F7), although this disclosure was minimal. The company disclosed limited information about its process for responding to government and private requests for content and account restrictions (F5), and published no data on the number of government and private requests it receives or complies with (F6, F7). While Yandex had published some information about the content removed as a result of requests made under Russia's Right to Be Forgotten Law, it lost points since this information is now outdated (F7).

F1. Access to terms of service

Yandex made it more difficult for users to locate the Yandex Mail terms of service.

F3. Process for terms of service enforcement

Yandex clarified that no government authorities or private entities receive priority consideration when flagging content to be restricted for violating the rules on Yandex Search.

F7. Data about private requests for content or account restriction

Yandex’s data about removal requests it received for Yandex Search through Russia’s Right to be Forgotten law was outdated.

F8. User notification about content and account restriction

Yandex improved its disclosure of its policies for notifying users when it restricts their accounts on Yandex Mail and Yandex Disk.

Privacy

Despite some improvements, Yandex lacked transparency about policies affecting privacy in key areas. The company was especially opaque about how it handles user information. It revealed some information about what types of user data it collects (P3), shares (P4), and for what purpose (P5), but it revealed nothing about its data retention policies (P6), or if users can obtain a copy of the information the company holds about them (P8). It also failed to disclose whether and how it tracks users across the internet (P9). However, while Yandex lacked clarity about what options users have to control what data the company collects and shares about them, it was one of the few companies to disclose options users have to control how their data is used for targeted advertising (P7).

Yandex disclosed almost nothing about how it handles third-party requests for user information (P10-P12). The company earned some credit for improving its disclosure of how it responds to government requests for user data, but its disclosure about private requests was less clear (P10). It provided no data about these types of requests that it received and with which it complied (P11). Since Russian authorities may have direct access to communications data, companies may not be aware of the frequency or scope of user information accessed by authorities.4 Still, it could disclose its processes for dealing with government requests in the cases they occur.

On a positive note, Yandex had stronger disclosure of its security policies than most internet and mobile ecosystem companies (P13-P18). It received the second-highest score after Apple for its disclosure of its encryption policies (P16), and provided relatively strong disclosure about its bug bounty program for addressing security vulnerabilities (P14). Like most of its peers, Yandex provided no information about how it responds to data breaches (P15).

P2. Changes to privacy policies

Yandex improved its disclosure regarding notifying users of changes to its privacy policies.

P10. Process for responding to third-party requests for user information

Yandex clarified its process for responding to non-judicial government requests and disclosed a commitment to carry out due diligence on government requests for user data before deciding how to respond.

Footnotes

[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[2] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/YNDX:US 

[3] “About Yandex,” yandex.com/company/general_info/yandex_today  

[4] Andrei Soldatov and Irina Borogan, “Inside the Red Web: Russia’s Back Door onto the Internet – Extract,” The Guardian, September 8, 2015, www.theguardian.com/world/2015/sep/08/red-web-book-russia-internet