CJEU ruling imposes strict data protection obligations on online marketplace operators

In August 2018, an unidentified third party published a false and harmful advertisement on Russmedia Digital's online marketplace, www.publi24.ro, presenting the applicant (referred to as "X") as offering sexual services. The advertisement contained photographs of X, used without her consent, along with her telephone number. Although Russmedia removed the advertisement from its website less than one hour after being contacted by X, the same advertisement had already been reproduced identically on other websites with the indication of the original source, where it remained available.

X brought legal action against Russmedia, claiming infringement of her rights to personal portrayal, honour, reputation, privacy, and violations of data protection rules. The Court of First Instance initially awarded her € 7,000 in damages.

However, on appeal, the Specialised Court in Cluj overturned this decision, holding that Russmedia merely provided a hosting service and was not actively involved in the advertisement's content, thus benefiting from the liability exemption under Romanian law implementing the e-Commerce Directive (2000/31/EC).

The Court of Appeal in Cluj, ruling as the final appellate court, decided to stay the proceedings and requested to the EU Court of Justice (CJEU) to determine whether an operator of an online marketplace (such as Russmedia) has failed to fulfil its obligations under the GDPR (EU2016/679) if it an advertisement contains personal data in breach of the GDPR, and if the liability exemptions in Articles 12 to 15 under the e-Commerce Directive apply to such an operator.

Online Marketplace Operators as Controllers under the GDPR

The CJEU found that Russmedia published advertisements on its online marketplace for its own commercial purposes. According to the platform's general terms and conditions, Russmedia reserved the right to use, distribute, transmit, reproduce, modify, translate, transfer to partners, and remove published content at any time without needing a valid reason. The CJEU concluded that Russmedia therefore processed and could exploit personal data for its own advertising and commercial purposes, not solely on behalf of user advertisers.

The CJEU held that where an online marketplace operator sets parameters for disseminating advertisements, determines presentation and duration, structures information through headings, or organises classification systems, it participates in determining essential elements of personal data publication, thereby exerting decisive influence over the data processing.

Consequently, according to the CJEU, both the marketplace operator and the user advertiser who placed the advertisement can be considered joint controllers under Article 26 of the GDPR when an advertisement is published.

Obligations Before Publication

Based on an interpretation of Article  5(2) and Articles 24 to 26 of the GDPR, the CJEU established three key obligations for online marketplace operators being controllers under the GDPR, before publishing advertisements containing sensitive data (such as information about a person's sex life):

• First, operators must identify advertisements containing sensitive data. 
   
• Second, they must verify whether the user advertiser is the person whose sensitive data appear in the advertisement. 
   
• Third, if the advertiser is not the data subject, operators must refuse publication unless the advertiser can demonstrate that the data subject gave explicit consent within the meaning of Article 9(2)(a) of the GDPR, or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.
   

Security Measures

The CJEU emphasised that where operators know or ought to know that advertisements containing sensitive data are liable to be published on their platforms, they must implement appropriate technical and organisational measures to identify such advertisements before publication, even at the service design stage.

The CJEU also ruled that marketplace operators must implement appropriate technical and organisational security measures to prevent advertisements containing sensitive data from being copied and unlawfully published on other websites. Controllers must consider all technical measures available in the current state of technical knowledge that are apt to block the copying and reproduction of online content.

No Reliance on e-Commerce Directive Exemptions

Crucially, the CJEU held that online marketplace operators, as controllers under the GDPR, cannot rely on the e-Commerce Directive's liability exemptions when they have infringed GDPR obligations. The possible benefit of the hosting exemption cannot interfere with the GDPR regime, which applies to such operators in the same way as to any other operator falling within the regulation's scope.

This judgment could have significant implications for online marketplace operators across the EU:

• Enhanced Verification Requirements: Anonymous posting of advertisements containing personal data about third parties is not permissible without robust safeguards. Platforms allowing user-generated advertisements must implement systems to identify content containing sensitive personal data and verify user identities before publication. 
   
• Technical Measures Required: Operators must invest in technical solutions to detect sensitive data in advertisements and prevent unauthorised copying and redistribution. This may include content filtering systems, identity verification mechanisms, and copy-protection technologies.
   
• No Safe Harbour: The liability safe harbour exemption that hosting providers have relied upon under the e-Commerce Directive does not shield operators from GDPR liability. 
   
• Joint Controller Status: Marketplace operators will be considered joint controllers alongside users who post advertisements, meaning they share responsibility for GDPR compliance. This significantly expands their liability exposure beyond traditional hosting provider protections.
   
• Broader Application: Whilst this case concerned a classified advertisements platform, the principles may apply to any online marketplace or platform where users can publish content containing personal data about third parties—potentially including social media platforms, review sites, and other user-generated content services.

Several questions remain following this judgment, such as:

• Proportionality and Feasibility: The practical boundaries of what constitutes "appropriate" technical measures remain unclear, particularly for smaller platforms with limited resources.
   
• Identity Verification Standards: Whilst the CJEU mandates identity verification, it does not specify what level of verification is required. Must platforms implement government ID checks, or would email verification suffice? The answer may depend on the risk assessment for each platform.
   
• Impact on Other Platforms: The judgment focuses on online marketplaces, but its reasoning could extend to other platforms. Social media networks, forums, and review sites may face similar obligations when users post content containing personal data about third parties, though the CJEU has not yet addressed these scenarios directly.
   

In conclusion, this decision marks a significant shift in how EU law balances platform liability protections with data protection rights, placing substantial new obligations on online marketplace operators whilst leaving several practical questions for future clarification. Schjødt is monitoring the development and will keep our readers informed.