CJEU rules online marketplaces are responsible for processing of data in ads

The Court of Justice of the European Union (CJEU) has ruled in Case C-492/23 that the operator of an online marketplace is a joint controller of the personal data contained in advertisements published on its platform, therefore, requiring it to comply with the EU General Data Protection Regulation (GDPR). The judgment, which significantly deviates from the Opinion by AG Maciej Szpunar in February, confirms that marketplace operators must take responsibility for personal data, even when the content is placed by a user.

The case originated from a Romanian online marketplace, Russmedia Digital, where an unidentified person published a harmful advertisement for sexual services, containing a woman's photographs and phone number without her consent. Although the company removed the content within an hour of the woman's request, the advertisement had already appeared on other websites. After the initial Romanian Court upheld the woman's claim for damages, the case was referred to the CJEU for guidance on the operator's obligations.

The CJEU ruled that the operator must establish, prior to publication, whether the user placing the advertisement is or is not the person whose data is featured. If they are not the person whose data is featured, the operator must verify whether that person has provided explicit consent for publication. In the absence of consent, the operator must refuse to publish the advertisement, unless an exemption under the GDPR applies.

Furthermore, the CJEU ruled that the operator must implement appropriate technical and organisational security measures to prevent such advertisements from being copied and unlawfully published on other websites. In addition, the CJEU confirmed that the operator cannot avoid these GDPR obligations by relying on the exemption from liability provided by the eCommerce Directive 2000 for providers of information society services.

The implications of this ruling are likely to extend far-beyond online marketplaces to encompass any digital platform offering online advertising services.

Additional legal analysis by Pinsent Masons. 

In a LinkedIn post commenting on the ruling, data protection specialist Robert Bateman asks whether the CJEU has used the GDPR to replace the intermediary liability exemption with a general monitoring obligation. 

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.