CJEU ruling heralded as “landmark” GDPR judgment turns on a specific set of facts and requires careful interpretation in the post-DSA regulatory reality.
The judgment of the Court of Justice of the European Union (CJEU) in the Russmedia case is a significant ruling for online platforms. Caution is needed when making inferences from the specific facts and circumstances of that case, which involved a severe breach of privacy, the processing of sensitive personal data, and an operator of an online marketplace that the CJEU deemed a “data controller” in respect of its processing of that sensitive personal data.
Key facts and findings
The case can be traced back to August 2018, when an anonymous third party published a false advertisement on an online marketplace operated by Russmedia Digital.[1] The ad falsely and maliciously presented a woman as offering sexual services and included photographs of the woman and her personal telephone number. When contacted by the woman, Russmedia took down the ad within the hour, but at that point it had already been reproduced on other websites and the damage was done.
On these facts, the Court found that Russmedia, as operator of the online marketplace, should be qualified as a “controller” under GDPR in respect of the processing of the sensitive personal data contained in the ad and that, in that specific capacity, Russmedia should have taken the following actions, in each case “by means of appropriate technical and organisational measures” (within the meaning of GDPR), to prevent the harm caused:
- Proactively screen ads proposed to be placed on its platform to identify ads that contain sensitive personal data (a.k.a. special categories of personal data within the meaning of Article 9 of GDPR).[2]
- If an ad containing sensitive data is identified during the screening, perform an identity check – before publishing the ad – to verify if the advertiser is the person whose sensitive data appear in the ad.
- If the advertiser is not the person whose sensitive data are included, refuse publication unless the advertiser can prove that the relevant person has given his or her explicit consent to the publication of the ad on the online marketplace.[3]
- Prevent ads containing sensitive personal data from being scraped (copied) from the online marketplace and unlawfully published on other websites.[4]
The Court also held that Russmedia could not rely on the hosting liability safe harbour provisions of the e-Commerce Directive. Russmedia had successfully invoked the safe harbour before the Romanian court. The CJEU disagreed, however, and held that the application of the liability exemptions provided for by the e-Commerce Directive safe harbour in a case where a breach of GDPR was (allegedly) at issue and where – crucially – the operator in question qualified as a “controller” in relation to the processing of the sensitive personal data in question would “interfere with the GDPR regime” (at §131). Therefore, in this specific instance, Russmedia could not invoke the e-Commerce Directive hosting liability safe harbour provisions to defend against the claim for breach of its obligations as a controller under the GDPR.
Why the precedential value of the judgment should not be overstated
A number of findings of the Court require a detailed analysis and raise some challenging interpretations of the GDPR and the e-Commerce Directive. For example:
- The Court adopted a broad interpretation of the concept of “controller” under GDPR and applied it to the very specific set of facts and circumstances of the case. The fact that Russmedia’s general terms and conditions gave it “considerable freedom to exploit the information published on [its] marketplace […] for its own advertising and commercial purposes” (at §67), in combination with the specific architecture of the online marketplace, seem to have been determining factors. In reaching its conclusion, the Court did not clearly differentiate between the roles of the key actors during the different stages of processing of the personal data in question (e.g., the placement of the ad by the third-party advertiser vs. any subsequent processing by the marketplace operator for its own purposes).[5] This stands in stark contrast to a seemingly more measured approach taken by Advocate General (AG) Szpunar in his opinion. The AG opined that the third-party advertiser alone determined the purpose of the ad, since Russmedia had no knowledge of why the advertiser would post the ad. The AG also more clearly distinguished the role of the marketplace operator when processing sensitive personal data contained in ads from its role when processing personal data of advertisers (e.g., when creating or managing their accounts) and, on that basis, concluded that Russmedia qualified as a processor (not a controller) in relation to the processing of sensitive personal data contained in ads posted on the online marketplace.[6]
- The Court appears to have moved very quickly from qualifying the online marketplace operator as “controller” to subsequently grounding several potentially far-reaching and highly specific ex-ante screening and due diligence obligations for data controllers processing sensitive personal data, in the much more general GDPR principles of accountability, data protection by design and by default, and data security (in particular Articles 5(2), 24, 25 and 32 of GDPR).
- The exclusion of GDPR breaches from the hosting liability safe harbour is dealt with only briefly – almost in passing (at §§129-136) – and could have benefited from more elaborate analysis, in particular regarding the potential impact of the exclusion on the careful balance struck by the EU legislator in respect of the liability of intermediary service providers under the e-Commerce Directive.[7]
Moreover, the judgment is fundamentally predicated on several highly specific facts, which were highlighted by the Court itself:
- The Court went out of its way to stress the particular sensitivity of the personal data in question and the severity of the consequences for the data subject (see, for example, at §§47-53 and 90-96). The judgment should be read in a context where the Court had already signalled that it would be a champion of European data protection rights in a world where the harmful effects of online harassment are becoming increasingly severe and visible. The findings of the Court should therefore not necessarily be extrapolated to apply to all types of personal data or all data processing activities subject to GDPR.
- To come to the conclusion that Russmedia was a “joint controller” in relation to the processing of the sensitive personal data included in the harmful ad in question, the Court analysed in considerable detail the specific manner in which Russmedia operated its online marketplace. Relevant elements taken into account by the Court included – as set out above – the broad rights Russmedia reserved for itself in relation to further processing of personal data included in ads, the specific architecture of the online marketplace, as well as the fact that there appear to have been few constraints on anonymous advertisers placing potentially harmful and false ads on the online marketplace in a way that means injured parties have no recourse to, or way of identifying, such malicious third-party advertisers (see, for example, at §§69-73).
- The Court was asked to rule on the e-Commerce Directive, which governed the underlying facts back in 2018. The hosting liability safe harbour provisions of the e-Commerce Directive have since been replaced by the Digital Services Act.[8]
The precedential value of the judgment should therefore not be overstated:
- Other online marketplaces may be operated in a different manner, have a different architecture and content limitations, and may therefore not qualify as “controller” in relation to the processing of sensitive personal data included in ads placed on their platforms by third parties.
- Most ads will not contain any sensitive personal data, and are therefore much less likely to cause the type of severe harm to data subjects which was at issue here. Those ads would not trigger the same requirements that the Court seems to impose on Russmedia in this specific case.
- The e-Commerce Directive has been replaced by the DSA. Although the DSA incorporated hosting liability safe harbour provisions that mirror to a large extent the equivalent language in the e-Commerce Directive, there are some important textual differences that may provide scope for broader protection under the DSA. If the same facts as those at issue in this case were to occur today, the analysis under the DSA may be different and more nuanced.[9] Case law on the hosting liability safe harbour (even some of the other recent e-Commerce Directive rulings from the CJEU) appears to be evolving to take into account technological advancements and the practical architectural realities of today’s online marketplaces and content hosting platforms.
Practical takeaways for operators which are nevertheless impacted by the judgment
The findings of the Court were limited to general findings of law, since the judgment was in response to a request for a preliminary ruling from the Romanian court of appeal. It therefore remains to be seen how these findings will be applied by national courts and data protection authorities to specific fact patterns sufficiently similar to the ones at issue in Russmedia.
For example, the Court did not specify how operators of online marketplaces should operationalise the requirements summarised above. Several of those requirements – such as preventing ads from being scraped or pre-screening ads for sensitive personal data before they are published – indeed appear difficult to reconcile with how online marketplaces and the AdTech ecosystem operate in reality and, even if they were to operate differently, what is (and may in the future become) technically feasible at scale.
Moreover, the GDPR neither compels organisations to do the impossible nor requires absolute data protection in any and all circumstances. The GDPR allows due account to be taken of “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing” of personal data (Articles 25 and 32 of GDPR).[10] Accordingly, we expect that a key battleground will remain the issue of what measures are technically feasible and proportionate considering the “state of the art”. The Russmedia judgment still offers considerable leeway on how to ensure GDPR compliance, even for operators whose online platforms may fall within the specific scope of the judgment.
[1] See §§30 and 31 of the Judgment of December 2, 2025, Russmedia Digital and Inform Media Press, Case C-492/23, available here.
[2] The Court came to the unsurprising conclusion that the data in question qualified as special category personal data since they concerned the data subject’s sex life and sexual orientation. The fact that the data was untrue and harmful did not change that conclusion (see Judgment, § 53). There is an active debate, however, on how broadly the concept of special category personal data should be interpreted under the GDPR, including in the context of the preparation of the EU’s proposed Digital Omnibus Package (which we commented on in an earlier blog post “Reset or rollback: Unpacking the EU’s Digital Omnibus Package”).
[3] Or that another exception under Article 9(2) of GDPR is satisfied that can be relied on to justify the publication without consent, which seems rather theoretical in the context of an online marketplace such as the one operated by Russmedia as described in the Judgment.
[4] The Court held that, to this end, the operator “must consider in particular all technical measures available in the current state of technical knowledge that are apt to block the copying and reproduction of online content” (§122).
[5] The Court held that the anonymous third-party advertiser was also a “joint controller”, together with Russmedia (see Judgment, §§54-75), and clarified that “the existence of joint responsibility does not necessarily imply equal responsibility” (§63), leaving it to the national court to determine the exact extent of Russmedia’s responsibility in the case at hand. On earlier CJEU case-law adopting a comparably extensive interpretation of joint controllership, see our earlier blog post “EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond”.
[6] See §111 and following of the AG opinion of February 6, 2025, available here.
[7] For example, even though the Court held that the requirements imposed on Russmedia “cannot, in any event, be classified as […] a general monitoring obligation” prohibited by Article 15 of the e-Commerce Directive, this can certainly be debated.
[8] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act). In accordance with Article 89 of the Digital Services Act (DSA), references to Articles 12 to 15 of the e-Commerce Directive (Directive 2000/31/EC) are now to be construed as references to Articles 4, 5, 6 and 8 of the DSA.
[9] The AG also hinted at this in §160 of his opinion, by pointing to the textual differences between the e-Commerce Directive and the DSA.
[10] Even the Court admitted, in respect of the anti-scraping measures referenced above, that “the unlawful dissemination of personal data initially published online is [not] sufficient to conclude that the measures adopted by the controller concerned were not appropriate” (at §123).