On December 2, 2025, the Court of Justice of the EU (CJEU) in X v Russmedia Digital SRL (C-492/23), ruled that the operator of an online marketplace, as a data controller, is responsible for the processing of personal data contained in advertisements published on its platform, and cannot rely on the hosting liability safe harbor to avoid responsibility for General Data Protection Regulation (GDPR) infringements arising from unlawful processing.

The decision departs from long-standing case law on the liability of hosting service providers under the e-Commerce Directive. It introduces strict monitoring obligations before user-generated content is published on the platform. It also clarifies the conditions under which a marketplace qualifies as a (joint) data controller. In such cases, the safe harbor liability exemption does not apply to GDPR infringements arising from the data controller’s obligations.

Background

Russmedia Digital (Russmedia) is a Romanian company operating an online marketplace where users can publish advertisements for goods or services, free of charge or for a fee.

An unidentified user of the platform published an advertisement for an individual offering sexual services. The advertisement was false, and the individual had not consented to having this advertisement published. The advertisement included the individual’s picture and phone number. Russmedia removed the ad within an hour of receiving a take-down request; however, the ad had already been reproduced on other websites, showing the source as a Russmedia website. The CJEU assumed that the ad was not republished upon Russmedia’s request.

The case was referred to the CJEU by the Cluj Court of Appeal. The CJEU had to decide whether an operator of an online marketplace providing services free of charge or for a fee is responsible for the processing of personal data contained in ads published on its platform and whether the operator may benefit from the safe harbor liability exemption with respect to the potential GDPR infringement.

Advocate General Maciej Szpunar considered in his opinion that marketplace operators act merely as processors with respect to the personal data contained in user-generated ads and took the view that these operators should benefit from a liability exemption for the content of advertisements published by users. The CJEU took a different view.

Key Takeaways

1.     An operator of an online marketplace can be a (joint) data controller of the personal data contained in ads posted by users.

The CJEU first established that the marketplace operator can be a data controller (or a joint data controller) under the GDPR for the processing of the personal data included in ads published by a user on this marketplace.

In reaching this conclusion, the CJEU considered, among others, that the ads were only published thanks to Russmedia’s marketplace and that Russmedia publishes the listings for its own commercial purposes, such as promoting the marketplace on other websites, and not solely for the user’s purposes.

In particular, the website’s Terms and Conditions gave Russmedia a large scope of rights to freely exploit the information published on its marketplace including the right to use published content, distribute it, transmit it, reproduce it, modify it, translate it, transfer it to partners and remove it at any time, without the need for any “valid” reason for so doing.

Finally, the CJEU also found that the operator has substantial control over the dissemination of the ads by setting the parameters for the dissemination of advertisements likely to contain personal data depending on the recipients concerned, including i) allowing the dissemination by anonymous users, ii) determining the presentation and duration of the dissemination or the headings structuring the information published, and iii) organizing the classification to determine the arrangements for the dissemination of the ads.

2.     An operator of an online marketplace must verify the identity and the content of the ads prior to the publication.

The ruling highlights that, as a (joint) controller, an operator of an online marketplace participated in the dissemination of false information and the applicant’s sensitive personal data because it allowed the anonymous posting of the advertisement on its marketplace.

In addition, the CJEU determined that a marketplace operator must i) verify if the ads contain sensitive personal data, ii) if so, confirm that the user is the data subject to whom such sensitive data relates, in which case the placing of the ad on the marketplace by themselves would amount to consent (which could be the case if the user is the publisher), and iii) if not, ensure that the data subject in question consented to the processing of their sensitive personal data, or the processing can be based on another exception from art. 9(2) GDPR applies, or refuse such publication.

3.     An operator of an online marketplace must implement the necessary security measures to prevent or limit, as far as possible, the re-publication of the potentially illicit content.

The CJEU also ruled that the operator of an online marketplace in its capacity of data controller or joint controller must comply with the requirements of Art. 32 GDPR and implement suitable technical and organizational measures to prevent or limit third-party copying and unlawful republication of potentially illicit content including sensitive personal data. Here, the court considered that once sensitive data is published online, it can be widely duplicated and become hard to remove, so the controllers should evaluate and, as far as possible, employ tools that can technically impede copying or automated extraction of the content.

4.     A hosting service provider acting as a data controller cannot be exempted from its liability for the GDPR infringements.

The CJEU concluded that the special liability regime for the hosting service providers implemented by the e-Commerce Directive cannot interfere with the GDPR regime. A hosting service provider, which is also a data controller, cannot rely on the hosting liability safe harbor exemption for the infringement of the accountability principle, privacy by design, joint controllership, and security requirements (Art. 5, 24 to 26 and 32 of the GDPR).

Insights and Next Steps

The decision has potentially far-reaching consequences for operators of marketplaces with advertisements on their platforms, as it effectively rules that the safe harbor liability exemption does not apply to GDPR infringements arising from the operators’ data processing activities. The concrete application of this decision to other marketplace operators, and even more so to other providers of intermediary services, remains uncertain, but it may set a precedent requiring such operators to pre-screen user-generated ads to identify potentially unlawful processing of sensitive data under the GDPR.

Given the uncertain scope of the decision’s applicability across various types of providers of intermediary services, companies operating online should continue to monitor the landscape for new guidelines and court decisions on this topic.

If you have any questions regarding the GDPR and the liability of the providers of the intermediary services, please contact Cédric Burton, Laura De Boel, Yann Padova, Marie Catherine Ducharme, or Olga Kosno from Wilson Sonsini’s Data, Privacy, and Cybersecurity practice.

Aurore Troussel contributed to the preparation of this Wilson Sonsini Alert.