back

Toward a Two-Tier Liability Regime for Online Platforms? Analysis of the CJEU’s Russmedia Decision

Article IT and Data Protection | 08/12/25 | 6 min. | Florence Chafiol Robin Nini

Tech & Digital

In a decision delivered on 2 December 2025, the Court of Justice of the European Union held an online marketplace liable for the unlawful processing of sensitive personal data published in a user’s listing. The Court ruled that the operator qualifies as a data controller for the processing of personal data contained in listings published on its platform and must, prior to publication, verify whether these listings include sensitive data and whether such processing complies with the GDPR.

Although the facts predate the Digital Services Act, the Court’s reasoning would very likely apply equally today.

 

Facts

An online marketplace operator allowed users, essentially in Romania, to publish classified ads for the sale of goods or services.

An anonymous user posted an ad offering sexual services allegedly provided by a third party. The listing included photographs of that person as well as her contact details.

The person concerned notified the platform, which promptly removed the content.

However, before the removal, the ad had been copied and reposted on other websites beyond the marketplace operator’s control. As a result, the data remained available online despite the original platform’s withdrawal.

 

Marketplace Operator Qualifies as Controller

The Court confirmed the approach outlined earlier by the European Data Protection Board in its guidelines on the interplay between the DSA and the GDPR. According to the Court, a platform operator generally acts as data controller for the personal data processed within the service it provides.

Several factors support this finding:

  • The listing is made available online solely because of the platform’s service.
  • The operator pursues its own purposes, including commercial and advertising objectives, and does not merely provide a technical service.
  • It determines essential means of the processing such as presentation, publication period, categories and ranking, and conditions of dissemination.

The operator and the advertiser therefore act as joint data controllers for the processing of personal data contained in the listings.

 

Pre-Publication GDPR Review Required

As data controller, the operator must comply with the obligations set out in Articles 24 and 25 GDPR. It must identify potential risks arising from the processing of personal data and implement appropriate measures and safeguards in light of those risks. This obligation applies upstream, at the design stage of the service (“privacy by design” approach).

The Court emphasized that the publication of personal data on a platform carries a high risk because the information can be copied, disseminated and accessed on other sites without any control. The data subject may lose anonymity and control over the use of his or her data, with potentially serious consequences, particularly when the data processed is sensitive.

The CJEU held that the operator must therefore, before publication:

  • Detect whether a listing contains sensitive personal data.
  • Verify whether the data relates to the advertiser or whether the advertiser benefits from a relevant derogation, such as the explicit consent of the person concerned.
  • Refuse publication where these conditions are not met.

As part of its security obligations, the operator must also implement measures designed to limit the unlawful copying and reproduction of listings containing sensitive personal data.

 

Intermediary Liability Exemptions Do Not Apply to GDPR

The Court reiterated that the E-Commerce Directive(and now the DSA) provides a limited liability regime for intermediary service providers, including an absence of a general monitoring obligation and a requirement to remove illegal content expeditiously once they become aware of it.

However, Article 1 of the E-Commerce Directive excludes data protection matters, which fall under the GDPR’s separate liability framework.

As a result, an operator cannot rely on the intermediary liability exemptions to avoid its obligations as data controller. The two regimes coexist, but the liabilities they establish remain distinct.

 

Practical Implications

Although legally coherent, the judgment introduces uncertainty for platform operators.

It may amount to another step away from the prohibition of general monitoring, similar to the requirements introduced under the Copyright Directive for content sharing platforms regarding user-uploaded content.

Several practical challenges arise from this decision:

  • The content of listings is determined freely by users.
  • The notions of personal data and sensitive data are broad, making detection difficult and wide scale filtering mechanisms likely to trigger unjustified refusals to publish.
  • Automated filtering tools may qualify as automated decision making within the meaning of Article 22 GDPR, creating operational and human resource burdens for operators.

The judgment therefore imposes a multi-layer liability framework on platforms, which they will need to manage depending on the nature of the content published.

Explore our collection of PDF documents and enrich your knowledge now!
[[ typeof errors.company === 'string' ? errors.company : errors.company[0] ]]
[[ typeof errors.email === 'string' ? errors.email : errors.email[0] ]]
The email has been added correctly