A landmark CJEU ruling reshapes the boundaries between GDPR obligations and online platform liability, confirming that operators of online marketplaces may be classified as data controllers with proactive duties to verify, moderate, and prevent the unlawful dissemination of personal data.

The CJEU Grand Chamber’s judgment in the case of X v Russmedia Digital SRL and Inform Media Press SRL (Case C-492/23), delivered on 2 December 2025, breaks new ground on the intersection of data protection law under the GDPR[1] and the liability of online platforms under the E-Commerce Directive[2].

The Factual Background

In 2018 an unidentified user placed an advertisement for sexual services, which included a photo and telephone number of a woman (identified as ‘X’ in the proceedings) taken without her consent from her social media account. This was published on Publi24.ro, an online marketplace owned by Russmedia Digital SRL (Russmedia).

Following a complaint by X, Russmedia removed the ad within an hour, but the information had already been copied and republished on other websites, causing her harm. X issued a claim against Russmedia alleging infringement of her rights to personal portrayal, honour and privacy, as well as the unlawful processing of personal data. The Romanian court referred questions to the CJEU.

The Online Marketplace as a Data Controller

The central finding of the Court was that the operator of an online marketplace (Operator), in this context, qualifies as a data controller under Article 4(7) of the GDPR.

The Court justified this broad interpretation by noting that Russmedia exerted a “decisive influence” over the processing and acted for its “own commercial purposes”:

• Joint Controllership: The Court specified that the online marketplace and the user who placed the advertisement are considered joint controllers of the personal data once the advertisement is published. This means they both share responsibility for ensuring the lawful processing of the data.
• Commercial Purpose: Russmedia’s terms and conditions enabled them to exploit and/or remove the content uploaded by the users without giving reasons. The Court considered that this constituted participation in determining the purpose of the processing—making the personal data accessible to internet users—to put such publications to effective use and generate revenue.
• Determining Means of Processing: The platform set the parameters for dissemination (like headings, classification, duration, and presentation) and, crucially, facilitated the publication of data by allowing advertisements to be placed anonymously and without the consent of the data subject. By determining these ‘essential elements’ of publication, Russmedia exerted ‘decisive influence’ over the distribution of the claimant’s personal data.

Proactive Obligations for Data Protection

As a data controller, the Oerator is subject to all GDPR principles and obligations, particularly regarding the principles of lawfulness, accuracy, fairness, transparency, and data minimisation. This translates into specific duties:

• Pre-Publication Vetting for Sensitive Data: The Operator must put in place “appropriate technical and organisational measures” to
  1. Identify advertisements that contain sensitive data (such as data revealing sexual life or health) before publication and be able to demonstrate that the personal data is accurate.
  2. Verify that the advertiser is either the person whose data is being published or that the advertiser has the explicit consent of that person for the publication and has provided its contact details to the individual.
  3. If no lawful basis (like explicit consent) is established, the operator must refuse to publish the advertisement.
• Preventing Further Dissemination: The Operator must also take all appropriate measures to prevent such advertisements from being “copied and unlawfully published on other websites”. Once sensitive data is published and accessible, it can become difficult or impossible for the data subject to achieve its effective deletion from the internet.

Rejection of the E-Commerce Directive Exemption

The Court ruled that the Operator cannot rely on the exemption from liability for hosting information service providers under Article 14(1) of the E-Commerce Directive as doing so would “interfere with the GDPR regime”.

This exemption applies only when the service provider plays a neutral, purely technical, and passive role. Since Publi24.ro actively determined the means and purposes of the data processing for its own commercial gain (as described above), its role is considered active and non-neutral. Therefore, the stricter duties and liability standards of the GDPR apply.

Implications of the Decision

This decision has profound and far-reaching implications for operators of online marketplaces, classified ad websites, and other platforms that host user-generated content containing personal data.  These include:

1. Increased Legal and Financial Liability for Online Platforms

• Shift from Host to Controller: Operators can no longer rely on the liability shield provided by the E-Commerce Directive (Article 14) by claiming to be a neutral hosting provider. If the platform is actively involved in setting the terms for the data’s dissemination for commercial purposes, it is a (joint) data controller and fully responsible for GDPR compliance.
• Joint and Several Liability: As a joint controller with the advertiser, the Operator can be held liable for the advertiser’s illegal publication of personal data, and potentially fined under the GDPR (up to 4% of global annual turnover or €20 million, whichever is higher).

2. Mandatory Proactive Moderation Systems

The ruling necessitates a fundamental change in content moderation strategy, shifting from reactive “notice-and-takedown” to proactive, pre-publication vetting.

• Technical Investment Required: Platforms must invest heavily in AI-powered or human moderation tools capable of detecting personal data, especially sensitive categories (e.g., photos or text related to health, sexual life, ethnic origin) before the content goes live.
• Verification Mechanisms: They must develop robust systems to verify that the person placing the ad is either the data subject or has obtained their explicit consent. This is technically complex, as it requires identity verification of the advertiser and, potentially, the data subject.
• Slowing Down Publication: Real-time, instant publishing of classified ads may no longer be feasible, as an essential review or verification step is now legally required.

3. Impact on Anonymity and Free Expression

The requirement to verify identity or consent for ads containing sensitive personal data will impact the user experience:

• Chilling Effect on Anonymous Posting: The ability of users to post content anonymously or under pseudonyms, especially when sensitive topics are involved, will be severely restricted.
• Increased Data Collection: Platforms may need to collect more personal data from the advertiser to satisfy the verification requirement, creating a potential tension with the GDPR principle of data minimisation.

4. Obligations Beyond the Platform

• Duty to Prevent Republication: Platforms now have an explicit duty beyond simply deleting the original ad to take reasonable steps to prevent the unlawful copying and republication of the offending content on other websites (e.g., notifying the original data subject that their ad was removed and trying to track downstream publication). This is an incredibly difficult, arguably near-impossible, technical challenge in the age of rapid information sharing.

5. Broader Implications

While the case specifically involved classified ads for sexual services, the principles apply to any platform where users can post content containing personal data, including:

• E-commerce sites (user reviews with photos/personal details).
• Social media platforms (although they have always had a high standard of data controller responsibility).
• Online forums and discussion boards.
• Dating apps (especially concerning sensitive health or sexual preference data).

The decision imposes a significant compliance burden on Operators, greatly increasing their accountability for their users’ actions and requiring them to become active data gatekeepers rather than passive hosts.  This seems likely to create major tensions with platforms owned and controlled from outside the EU.

Authors: Patrick Wheeler, Partner, and Cécile de Lagarde, Senior Associate, Collyer Bristow LLP, London

Moderator: Delia Belciu, Partner, DB Law Office, Bucharest

[1] Regulation (EU) 2016/679 (General Data Protection Regulation)

[2] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000