The CJEU’s new judgment in C-492/23 (Russmedia Digital) significantly narrows the traditional EU “platform liability privilege” that many online services rely on in the EU.
Historically, platforms could treat themselves as neutral hosts under the EU e-commerce safe-harbor: they weren’t liable for user-generated content unless notified. That model is now substantially restricted when personal data — especially sensitive data — appears in user-posted ads.
The CJEU held that an online marketplace that publishes user adverts is itself a GDPR controller for all personal data inside those ads. And because GDPR obligations attach to controllers, the classic hosting safe-harbor does not shield the platform from responsibility. This means for platforms that they cannot rely on:
- “we don’t control the content; users do.”
- being “just a neutral intermediary.”
- notice-and-takedown alone.
Key new obligations (pre-publication):
After the CJEU ruling, before an ad goes live, the platform must:
- Identify whether the ad contains sensitive personal data (e.g. health, sexual life, biometric data, political beliefs).
- Verify the identity of the person posting the ad and confirm that:
- they are the person depicted; or
- they have explicit consent from the person whose data appears.
- Refuse publication if these conditions aren’t met (unless a narrow GDPR exception applies).
There’s also a duty to prevent the ad from being copied and republished elsewhere, through technical and organizational safeguards.
If a platform supports ads in Europe, after this ruling:
- The platform is very likely a data controller for what appears in user-posted adverts.
- The burden shifts from “remove when notified” to “prevent unlawful data before publication.”
Our opinion:
This judgment marks a real tightening of liability for platforms. Platforms can no longer assume they’re shielded from responsibility for personal data in user adverts.
