
These questions were central to a recent case before the Court of Justice of the European Union (CJEU). The dispute revolves around an online marketplace on which an advertisement was placed containing an individual's personal data without their consent. The Court had to determine the extent to which the platform is liable and whether it should be considered a controller under the GDPR.
The ruling by the CJEU has far-reaching implications for online service providers and the protection of personal data within the EU. In this article, we analyze the legal frameworks, the Court's considerations, and the possible consequences for online platforms.
The dispute is between an individual and Russmedia Digital SRL, operator of the Romanian online marketplace Publi24.ro. An advertisement was placed on this platform without permission, claiming that the individual in question was offering sexual services. The advertisement included her photo and telephone number.
After she reported it to the platform, the advertisement was removed within an hour. But the damage had already been done: the advertisement was copied by other websites, causing her personal data to be further disseminated.
The case revolves around two important legal questions:
1. Can the online platform be held liable for the publication and further dissemination of the advertisement?
2. Does the platform fall under the definition of a controller under the GDPR?
The Court had to clarify the relationship between the GDPR and Directive 2000/31/EC (the e-commerce directive).
The e-commerce directive offers online service providers an exemption from liability when they function as passive intermediaries. Article 14 of the directive states that hosting platforms are not liable for unlawful content posted by users, provided that they have no knowledge of the illegal content and act swiftly to remove it once they become aware of it.
However, since the Digital Services Act (DSA) came into force on February 17, 2024, this provision has been replaced by Article 6 DSA, which applies similar principles but also introduces additional duties of care for online platforms. Nevertheless, this case still refers to Article 14 of the e-commerce directive (now Article 14 REH), probably because the facts took place before the DSA came into force. This explains why the older provision is cited in the legal assessment, even though the legislation has since been amended.
On the other hand, the GDPR imposes obligations on parties that process personal data. Article 4 of the GDPR defines a controller as a party that determines which personal data is processed and for what purpose. This entails obligations such as:
- Taking security measures to protect personal data;
- Respecting the rights of those involved;
- Being able to demonstrate that the processing of personal data is lawful.
The key question is whether Russmedia was merely a neutral host, or whether the platform was actively involved in the publication and distribution of the advertisement. If Russmedia played only a passive role, it can invoke the exemption from the e-commerce directive. But if the platform played an active role, it can be considered a controller under the GDPR.
The CJEU has previously ruled, as in the L'Oréal/eBay case, that an online platform is not a neutral intermediary if it is actively involved in the content posted by users. When a platform manages, promotes, or controls advertisements, it can no longer claim exemption from liability.
Several crucial factors play a role in the Russmedia case:
- The platform's terms of use gave Russmedia the right to modify, distribute, or remove advertisements. This may indicate that the platform did more than just facilitate.
- The identity of the advertiser was not verified prior to publication.
- The advertisement was quickly removed, but Russmedia did not take any measures to prevent further dissemination.
- Other websites reposted the advertisement, citing Russmedia as the original source.
Another important aspect is whether platforms should proactively check whether users are publishing personal data without consent. The e-commerce directive prohibits member states from imposing a general monitoring obligation on platforms, which means that they are not required to screen all content in advance. At the same time, the GDPR requires controllers to take appropriate measures to protect personal data. This leads to a conflict between the obligations under the GDPR and the exemptions under the e-commerce directive.
The Court has adopted a balanced approach by recognizing that a platform is not automatically liable, but is also not necessarily protected by the e-commerce directive. The main conclusions are:
- Russmedia may qualify for the exemption from liability under the e-commerce directive, even if it reserves the right to modify or remove advertisements. This applies as long as the platform does not take any measures that undermine its neutral hosting status.
- An online platform that stores advertisements acts as a processor of personal data within the meaning of the GDPR. Users decide for themselves which personal data they share and for what purpose, while the platform only facilitates storage without any objective of its own. The platform is therefore classified as a processor and not as a controller. This means that the platform is not obliged to check advertisements in advance or prevent their distribution, but it must ensure that appropriate security measures are in place to protect personal data.
- When the platform processes personal data from advertising users who have an account, it acts as a data controller. This entails a specific obligation to verify the identity of these users.
This ruling confirms that online platforms are not automatically considered controllers for all data published through their services. At the same time, they are not completely exempt from obligations under the GDPR.
The Court's ruling means that platforms such as Russmedia are not directly liable for user content, but are also not completely exempt from responsibility. In concrete terms, this means:
- No general obligation to monitor, but platforms cannot turn a blind eye to obvious abuses.
- Hosting services remain exempt from liability as long as they act quickly when notified of unlawful content.
- Platforms must take adequate security measures to protect the personal data they process themselves.
- When platforms manage accounts and process personal data, they must verify the identity of users.
This ruling by the CJEU highlights the delicate balance between the exemption from liability for online platforms and their responsibility with regard to personal data. The Court confirms that platforms are not automatically liable for all content posted by users, but are also not completely exempt from obligations under the GDPR. This judgment underscores that the legal position of platforms depends on their role: as long as a platform is merely a passive host, it can invoke the exemption under the e-commerce directive. However, as soon as it actively intervenes in or manages the content, more stringent obligations may apply.
With the entry into force of the Digital Services Act (DSA), the rules governing platform liability have been further tightened. The DSA introduces additional duties of care and clarifies that a platform that removes illegal content on its own initiative does not automatically lose its neutral status (the *Good Samaritan* clause). This means that platforms are not only required to act reactively, but may also take proactive measures without immediately being designated as a data controller.
This ruling has concrete consequences for online platforms: they must not only respond quickly to reports of unlawful content, but also implement appropriate security measures to protect personal data. At the same time, a general obligation to check all content in advance remains excluded. This ruling shows that legislation on platform liability is constantly evolving and that policymakers, companies, and judges will have to work together to further define the limits of responsibility and exemption in light of the new DSA rules.