EU Court of Justice: the operator of a website is responsible for the processing of personal data contained in the ads published on its platform and cannot invoke the absence of the gen-eral obligation of surveillance for hosting service providers.

In its judgment C-492/23 - Russmedia Digital and Inform Media Press , the Court of Justice of the EU dealt with the following case.

Russmedia Digital, a company incorporated under Romanian law, is the owner of the website www.publi24.ro. This site is an online marketplace on which you can post ads for free or for a fee. These announcements relate in particular to the sale of goods or the provision of services in Romania.

An unidentified person posted a message on this site claiming that a woman was offering sexual services. The message contained photos of the woman, used without her consent, and her phone number.

The woman felt that the ad was lying and harmful and therefore asked the owner of the site to remove it. After this request, Russmedia Digital removed the publication within an hour. However, the ad in question had already been disseminated on other websites, on which it remained accessible. In those circumstances, considering that the ad violated her rights to image, honour, reputation, privacy and the rules relating to the processing of personal data, the woman referred the matter to the Romanian courts. The Court of First Instance agreed with her and ordered Russmedia Digital to pay her 7,000 euros in non-material damages. On appeal, however, the specialized court considered that this company was exempt from liability, qualifying it as a simple hosting service provider not responsible for the content published by its users. The victim then appealed against that judgment to the Court of Appeal. The latter decided to refer the matter to the Court of Justice for clarification on the interpretation of EU law, in particular as regards the obligations incumbent on the operator of an online marketplace under the GDPR, and to clarify whether that operator can escape those obligations by virtue of the exemption from liability provided for by Directive 2000/31 for information society service providers

In its judgment, the Court ruled that the operator of an online marketplace such as Russmedia Digital is the controller of the processing of personal data contained in the advertisements published on its online marketplace. Even if the advertisement is placed by a user, that advertisement is published on the internet and thus made accessible to internet users only by means of the online marketplace. Consequently, the operator of an online marketplace must, before publishing such advertisements and by appropriate technical and organisational measures, identify those containing sensitive data, such as those at issue in the present case, and verify whether the user who is preparing to place such an advertisement is the person whose sensitive data appears in it. If this is not the case, it must check whether the person whose data is published has given his or her express consent to the publication. In the absence of this consent, the operator of an online marketplace must refuse the publication of the advertisement in question, unless it falls under one of the other exceptions provided for by the GDPR. In addition, the operator of an online marketplace must ensure that advertisements containing sensitive data published on its site are not copied and unlawfully published on other websites. To this end, it must put in place appropriate technical and organisational security measures.

Finally, the Court states that the operator of an online marketplace cannot escape those obligations, which are incumbent on it under the GDPR, by relying on the exemption from liability provided for by Directive 2000/31.