Are online platforms liable for their users’ content if there is a violation of the GDPR? The European Court of Justice (CJEU) addressed this question in its eagerly awaited ruling in the Russmedia case (ruling of 2 December 2025, ref.: C-492/23). In addition to the requesting Romanian court, the German Federal Court of Justice (BGH) had also suspended proceedings and awaited the decision from Luxembourg.
The facts
The Romanian company Russmedia Digital operates an online marketplace on which advertisements for the sale of goods and services may be placed. An unidentified third party published an advertisement on the platform offering sexual services allegedly provided by the claimant, of which the claimant herself had no knowledge. The advertisement included both photographs and the data subject’s telephone number. The advertisement was subsequently republished on numerous other websites, indicating the original source.
The data subject subsequently brought a claim for compensation against Russmedia under Art. 82 GDPR, which was granted at first instance. Russmedia successfully appealed that decision. The Court of Appeal in Cluj held that Russmedia could rely on the host-provider privilege, originally set out in Art. 14(1) of Directive 2000/31/EC (the E-Commerce Directive) and now contained in Art. 6(1) of the Digital Services Act. Under that provision, a service provider is not liable for information stored at the request of users if it has no actual knowledge of the unlawful content and acts expeditiously to disable access to, or remove, such content once it becomes aware of it.
According to the judges, Russmedia was not obliged to actively search for illegal content and deleted the advertisement quickly at the plaintiff’s request. The court assumed that the liability privilege in Art. 14(1) of Directive 2000/31/EC and the Romanian implementing law also extends to a claim for damages under Art. 82 GDPR.
The plaintiff appealed against this decision, arguing that the specialist court had misinterpreted Art. 14(1) of Directive 2000/31/EC and that the provision was not applicable because Russmedia was directly involved in the management and dissemination of the content, as its provision to the public was subject to a specific analysis of the information by Russmedia. Furthermore, the liability privilege did not apply if responsibility for the content was established on the basis of other legal acts such as the GDPR. The Court of Appeal then referred the matter to the CJEU for clarification:
- Whether a hosting provider, in particular the operator of an online marketplace, infringes its obligations under the GDPR when it enables users to publish advertisements and thereby facilitates the unlawful processing of personal data.
- Whether such an operator may rely on Articles 12 to 15 of Directive 2000/31/EC or, respectively, on the host-provider privilege.
The CJEU ruling
For the first question, the CJEU finds that the operator of an online marketplace is a controller within the meaning of Art. 4(7) GDPR for personal data contained in the advertisements published on the platform. A platform operator may in particular be regarded as a controller where it “publishes the personal data concerned for commercial or advertising purposes which go beyond the mere provision of a service which he or she provides to the user advertiser”, and where it substantially influences the collection and transmission of the personal data or determines the parameters thereof. As such, it has the obligation, prior to the publication of the advertisements:
- to determine whether special categories of personal data, that is, sensitive data within the meaning of Art. 9(1) GDPR, are contained in the advertisement,
- to verify, in the case of such advertisements, whether the sensitive data relates to the person placing the advertisement, and
- if that is not the case, to refuse the publication of the advertisement unless the user placing the advertisement can demonstrate that one of the exceptions under Art. 9(2) GDPR applies, such as an explicit consent to the publication of the sensitive data in the advertisement.
These obligations arise from the principles relating to processing (Art. 5 GDPR) and from the requirement of lawful processing (Art. 6 GDPR), together with the duty to implement those principles effectively and to take appropriate measures for that purpose (Articles 24 to 26 GDPR), as well as the specific provisions on sensitive data set out in Article 9 GDPR.
With regard to the identity of the person placing the advertisement, the GDPR requires the controller to demonstrate the lawfulness of the publication. In the present case, this means in particular that, for the sensitive data concerned, explicit consent must on the one hand be obtained and documented. On the other hand, the identity of the individual must be verified in accordance with the principle of accuracy under Art. 5(1)(d) GDPR. The appropriate means of doing so must be determined on a case-by-case basis and depend on the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to the rights and freedoms of the data subject.
Since Russmedia must have been aware that advertisements such as those in this specific case were possible, it was obliged to put measures in place at the design stage of the service to identify such advertisements before publication. According to Art. 25(1) GDPR, appropriate measures must be implemented at the time the means are determined in order to prevent unlawful processing.
Furthermore, the operator of an online marketplace cannot assume that the data subject has consented to the processing of their sensitive data in accordance with Art. 9(2)(a) GDPR solely on the basis of the publication of an advertisement if the identity of the person placing the advertisement is unclear. Consequently, the identity must be established in order to prove that explicit consent has been given. Without sufficient proof of identity or another exception for the processing of sensitive data under Art. 9(2) GDPR, the publication of the advertisement must be refused and this must be ensured by technical and organisational measures.
In addition, as the controller, the operator of an online marketplace is obliged to take technical and organisational measures in accordance with Art. 32 GDPR to prevent published advertisements containing sensitive data from being copied and unlawfully published on other websites.
Art. 32 GDPR establishes a duty of protection for the controller of personal data. Taking into account the state of the art, the controller must take appropriate measures to ensure a level of protection that is appropriate to the risk. In this specific case, sensitive data was processed. This can lead to a particularly serious infringement of the fundamental rights to privacy and the protection of personal data. As soon as an advertisement containing such data is published on the internet, the CJEU states that there is a risk of losing control over the data, which in particular renders the data subject’s right to erasure of their data under Art. 17 GDPR ineffective.
The controller is therefore obliged to take measures to prevent copies or replicas. However, the CJEU points out that uncontrolled dissemination does not automatically mean that the measures taken were not appropriate.
With regard to the second question, the Court held that the operator of an online marketplace, as a controller within the meaning of the GDPR for the personal data contained in published advertisements, may not rely on Articles 12 to 15 of Directive 2000/31/EC, and thus may not rely on the host-provider privilege, where it has infringed:
- the accountability obligation under Art. 5(2) GDPR,
- the obligations of the controller under Articles 24 to 26 GDPR and
- the obligation to ensure the security of processing under Art. 32 GDPR.
The CJEU draws the distinction between the GDPR and the E-Commerce Directive on the basis of Art. 1(5)(b) of Directive 2000/31/EC and Art. 2(4) GDPR.
The first of these provisions states that the Directive does not apply to matters covered by Directive 95/46/EC, which has since been replaced by the GDPR. Accordingly, the rules of the GDPR may not be affected by Directive 2000/31/EC, with the result that the operator of an online marketplace cannot rely on the liability exemption in so far as it falls, as a data controller, under the provisions of the GDPR. The obligations arising from the GDPR likewise do not constitute a general monitoring obligation within the meaning of Art. 15 of Directive 2000/31/EC.
Art. 2(4) GDPR provides that Articles 12 to 15 of Directive 2000/31/EC remain unaffected by the GDPR. According to the CJEU, this merely means that a controller under data-protection law may rely on those provisions in so far as the matter at issue does not concern the protection of personal data.
Data protection assessment
The CJEU’s judgment is once again a landmark decision. Major platforms in particular have so far resisted large-scale deletion of unlawful content and have rejected claims for damages by invoking the host-provider privilege.
The CJEU has now clarified that the provisions, which are now found in Art. 6 DSA, do not prevent liability insofar as the processing of personal data is concerned.
This will also have an impact on the decision of the BGH in the case of Künast v Meta (BGH VI ZR 64/24). Meta had removed a meme about Renate Künast but did not want to remove copies or prevent its further distribution. Künast then sued Meta for injunctive relief and damages. Only the Federal Court of Justice noted that the facts of the case were relevant to data protection law, whereupon it suspended the proceedings until a decision was made in the above-mentioned case. Now that it is no longer possible to invoke the host provider privilege for data protection violations, there is a good chance that the Federal Court of Justice will grant Künast not only the injunction but also the damages that the Frankfurt Higher Regional Court had previously denied her.
Unfortunately, in the absence of a preliminary question, the CJEU did not comment on the plaintiff’s objection that Russmedia could not invoke the exemption from liability because it was directly involved in the management and distribution of the content, as its provision to the public was subject to a specific analysis of the information by Russmedia. Whether and to what extent, for example, algorithmic curation of user content prevents recourse to the exemption from liability under Art. 6 DSA, based on the ECJ ruling on the electronic version of a newspaper (ECJ ruling of 11 September 2014, C-291/13), therefore remains unclear.
