The European Court of Justice has issued its judgment in Case C-492/23 | Russmedia Digital and Inform Media Press Data Protection. It said that the operator of an online marketplace is responsible for processing personal data in advertisements published on its platform.
The case involved Russmedia Digital, a company that runs the website www.publi24.ro, where people can post adverts for free or for a fee. These adverts can be to sell goods or offer services in Romania.
On 1 August 2018, someone posted an advert on the site claiming that a woman was offering sexual services. The advert included her photos and phone number, but she had not given permission for this information to be used. The woman said the advert was false and damaging to her reputation and privacy. She asked Russmedia Digital to remove it, and they did so within an hour. However, by then, the advert had already been copied to other websites, where it stayed online.
The woman took legal action, saying her rights had been violated and that her personal data had been misused. The first instance court agreed with her and ordered Russmedia Digital to pay her €7,000 for the harm caused. However, on appeal, the decision was overturned, with the appeal court saying the website was just a hosting service and not responsible for what users posted.
The case was then referred to the ECJ to clarify whether online marketplace operators are responsible for personal data in adverts under the GDPR, and if they can avoid this responsibility by claiming an exemption under another Directive 2000/31.
The Court’s decision
The ECJ decided that the operator of an online marketplace is indeed responsible for the personal data in adverts posted on its site. Even if a user creates the advert, it is the marketplace that makes it available online. This means the operator is a data controller under the GDPR.
The Court said that before publishing adverts, the operator must use suitable technical and organisational measures to spot adverts that contain sensitive personal data; check if the person posting the advert is the same person whose data appears in it; and if not, check if the person whose data is being used has given clear consent for it to be published.
If there is no consent, the operator must refuse to publish the advert, unless another GDPR exception applies.
The operator must also try to stop adverts with sensitive data from being copied and illegally posted on other websites. This requires putting in place proper security measures.
Finally, the ECJ said that online marketplace operators cannot avoid their GDPR responsibilities by relying on the exemption for hosting services in Directive 2000/31.
In summary, the ECJ has made it clear that online marketplaces must take active steps to protect personal data in adverts and cannot simply claim they are not responsible for what users post. This is a significant decision and will have potentially onerous implications for online platforms.
