I. In short

In the judgment (C‑492/23), the European Court of Justice (ECJ) holds that operators of online marketplaces hosting user-generated content are, under certain conditions, themselves (joint) controllers under the GDPR and resulting in substantive compliance obligations. This applies in particular where sensitive data are concerned. According to the judgment, the liability exemptions for platform operators under the Digital Services Act (DSA) do not displace obligations under the GDPR. The ruling potentially shifts the compliance focus for platform operators from a reactive notice‑and‑action approach to preventive technical and organizational measures before the publication of content containing personal data. 

II. Circumstances

Russmedia operates an online marketplace for goods and services. In 2018, a fake advertisement was published in which a woman was portrayed as a sex worker using her real photograph and phone number. The advertisement was posted by an anonymous user and removed by Russmedia less than an hour after publication, following a notification by the affected person. At the time of deletion the advertisement had already been disseminated to various other websites citing the original source. The affected person subsequently brought a damages claim against Russmedia alleging violations of rights of personality and data protection law. 

III. Legal questions

The ECJ had to address the following questions:

1. (Joint) controllership for user‑generated content: Under what conditions is an online marketplace, in addition to the user, a (joint) Controller for user‑generated content?
2. Relationship between liability privileges and data protection: Can online marketplaces invoke the DSA’s liability exemptions in cases of data protection infringements?
3. Pre‑screening and safeguards: What checks are necessary before publishing advertisements (e.g., detection of sensitive content, identity verification, refusal to publish) and what measures must the online marketplace take to restrict further distribution of unlawful content? 

IV. Statements of the ECJ ruling

1. Joint control of online marketplace and user

The ECJ prefaced its answers to the referring court with an extensive analysis of data protection controllership for user‑generated content on online marketplaces. Although Russmedia neither posted the advertisement itself, nor knew of the unlawful content at the time of publication, and removed it promptly, the ECJ nevertheless assumed joint control between the posting user and Russmedia. The Court clarified that the publication in the pertinent form was possible only due to the specific design of the online marketplace. Relying on its Fashion ID judgment (C‑40/17), the Court reiterated that joint control does not require that each party have equivalent responsibility for the processing or that all parties have access to the personal data processed. The platform operator “sets the parameters” of the processing through the specific functionalities of the platform. According to the ECJ, Russmedia pursued its own purposes by providing the platform and organizing the content. In addition, Russmedia’s platform terms and conditions granted it extensive usage rights in respect of user‑generated content. 

As a consequence, not only the user who posted the infringing content qualifies as a controller, but also the platform itself. It remains unclear to what extent the ECJ’s conclusion of joint control was based on this particularly far‑reaching clause in Russmedia's terms and conditions. It could be argued that platforms with less extensive usage rights clauses may not be (joint) controllers. It must be observed how courts and supervisory authorities will interpret the ECJ’s statements in future.

2. The DSA’s liability exemptions do not affect a controller’s obligations under the GDPR

Where user‑generated content on online marketplaces contains personal data, the GDPR’s obligations apply in full. If the operator of an online marketplace is a (joint) controller within the meaning of the GDPR, it cannot rely on the DSA’s liability exemptions—particularly Article 6—with respect to GDPR obligations. The ECJ bases this view principally on Article 2(4) GDPR. While systematic and coherent, this approach effectively narrows intermediary liability exemptions under the DSA. 

3. Online marketplaces must implement appropriate security measures

a) Preliminary checks

Online marketplaces that qualify as controllers (see IV.1) must ensure before publication that personal data contained in advertisements are lawfully processed. The specific measures required depend on the nature, scope, context, and purposes of the processing, as well as the risk.

A heightened level of protection applies to sensitive data. In such cases, it is necessary to identify possible sensitive content before publication. As consent of the data subject is likely to be the sole viable legal basis when processing sensitive personal data, platform operators must verify the user’s identity to determine whether the sensitive personal data relate to the user personally. If not, the platform operator must ensure that the user has obtained the actual data subject’s consent; if such consent is not available, publication on the platform must be refused. This entails that anonymous platform use—such as mandated under section 19 TDDDG in Germany—will no longer be feasible where sensitive personal data are processed. This creates a dilemma for platform operators because extensive pre-screenings of user-generated content to comply with potential GDPR obligations might eliminate the host provider liability exemption under Art. 6 DSA even for content that does not contain personal data. How this conflict will be solved remains to be seen.

b) Downstream protective measures

In addition to preliminary checks, effective security measures must be implemented to make copying or republication of unlawful content technically difficult. While the ECJ did not specify exact benchmarks, it stated that where sensitive data are published online, the controller, under Article 32 GDPR, must take all technical and organizational measures to ensure a level of security apt to effectively prevent a loss of control over those data and block copying and reproduction of online content. 

At the same time, the ECJ clarifies that Articles 24 and 32 GDPR cannot be interpreted to mean that the unlawful dissemination of personal data initially published online is, by itself, sufficient to conclude that the measures adopted by the controller were inappropriate, without allowing the controller to adduce evidence to the contrary. Platform operators therefore are not strictly liable for every unlawful disclosure of personal data on their websites or on the internet in general, although they likely bear the burden of proving on a case-by-case basis that their security measures were appropriate. 

V. Practical consequences

The ruling tightens obligations for platform operators when handling user‑generated content, particularly where it contains personal data. For operators of online marketplaces and other platforms, this may result in a de facto obligation to pre‑screen content and call the platforms' reliance on host provider liability exemptions into question.

Rather than relying on the DSA’s notice‑and‑take‑down approach, proactive monitoring will, in practice, be necessary to mitigate GDPR liability exposure. Notice‑and‑take‑down procedures will remain relevant, for example in copyright and trademark matters, but will be supplemented by GDPR‑driven obligations. 

Platform operator liability may especially arise in the context of processing sensitive personal data. In such cases, operators will need to establish protection and control mechanisms both within the upload workflow and with respect to downstream distribution options for the content. 

The practical impact of the judgment will depend largely on how the criteria for determining (joint) control are applied across different platform models. However, where only limited amounts of personal data are processed, the additional compliance burdens and liability risks are likely to be limited.