Case Analysis · EU Data Protection

Prevent and Don't Publish.

The CJEU's Russmedia ruling dismantles the reactive platform model for personal-data compliance. For US technology companies operating in the EU, the safe harbor has narrowed — and the architecture of their products is now a legal question.

Published 24 April 2026
Author Theo Funk, Rechtsanwalt
Case C-492/23 · 2 Dec 2025

For a quarter century, European platform law rested on a quiet bargain: operators of hosting services would not be treated as publishers of what their users posted, provided they moved quickly once notified of illegal content. On 2 December 2025, the Grand Chamber of the Court of Justice of the European Union made clear that this bargain does not extend to data protection. In Russmedia Digital and Inform Media Press (C-492/23), the Court held that operators of online marketplaces are controllers under the GDPR for the personal data contained in user-generated ads, and that they must — before publication — identify ads containing sensitive data, verify the identity of the person posting, and refuse publication in the absence of valid consent. Post-publication takedown is no longer enough.

Key Takeaways
  • The GDPR obligations of platform operators are not displaced by the host-provider safe harbor of the e-Commerce Directive (now Articles 4–6 DSA). Article 1(5)(b) eCD and Article 2(4) GDPR are read together to preserve a full data-protection compliance regime on top of DSA duties.
  • A marketplace that monetizes user ads, reserves broad usage rights over posted content, and sets the parameters of distribution (ranking, visibility, categorization) qualifies as a controller — alongside the user — for the personal data contained in those ads.
  • For sensitive data (Article 9 GDPR), operators must implement ex-ante technical and organizational measures: detection of sensitive content, identity verification of the poster, and publication refusal without documented consent. Anonymous posting of third-party sensitive data is no longer viable by design.
  • Under Article 32 GDPR, operators must take all state-of-the-art measures reasonably available to prevent copying and redistribution of lawfully posted sensitive content — scraping protection, deep-link control, replication blocking.

§ I The shift in one sentence

Russmedia is not a revolutionary decision. It is a clarifying one. The judgment tracks a line the Court has been drawing since Wirtschaftsakademie Schleswig-Holstein and Fashion ID: a functional, purpose-and-means-based concept of controllership that refuses to let platform operators disclaim responsibility for data flows they have designed. What Russmedia adds is the explicit confirmation that this controllership logic operates on top of, not in parallel with, the host-provider liability framework — and that for data protection purposes, the reactive notice-and-takedown model does not suffice.

The shift is one of architecture. For years, platforms have invested heavily in post-publication moderation: notice channels, trust-and-safety teams, takedown automation. Russmedia treats this infrastructure as necessary but not sufficient for personal-data compliance. Where sensitive data is foreseeably at stake, the compliance question moves to product design — who can post, under what verification, and what the service does before an item is made public.

§ II What happened

Russmedia Digital operates publi24.ro, a Romanian online marketplace on which users can post classified advertisements. In August 2018, an unidentified third party posted an ad depicting the claimant — by name, photograph, and telephone number — as a provider of sexual services. The claimant had given no consent. After being notified, Russmedia removed the listing within an hour. By then, however, automated crawlers had copied the ad to other websites, where it remained accessible; the claimant could not obtain its removal.

Romanian courts divided on liability. A first-instance court awarded €7,000 in non-material damages. A specialized appellate court reversed, holding that Russmedia acted as a neutral host shielded by the national implementation of Article 14 eCD. The Cluj Court of Appeal, sitting at last instance, referred four questions to the CJEU, asking whether the GDPR imposes preventive verification obligations on marketplace operators, and how those obligations interact with the host-provider safe harbor.

§ III The Court's reasoning

1. Sensitive data, including the false and harmful

The Court begins by confirming — in terms that matter for AI-generated and synthetic content cases — that untruthful or defamatory attributions of sensitive characteristics remain sensitive data under Article 9(1) GDPR. Whether the claimant was actually a sex worker is irrelevant; what matters is that the content ascribes such status to an identifiable person, and that processing it poses a particularly serious interference with Articles 7 and 8 of the Charter (paras. 51–53). This applies equally to inferred, derived, or matched information — a principle the Court had already articulated in OT v Lithuanian Chief Ethics Commission (C-184/20) and the Commission v Poland judgment on judicial asset disclosures.

2. The marketplace as a (joint) controller

The doctrinal core of Russmedia is the treatment of the platform operator as a controller — and indeed a joint controller with the posting user — within the meaning of Article 4(7) and Article 26 GDPR. The Court derives this qualification from a bundle of functional factors:

Influence on purposes. Russmedia published ads out of its own commercial interest and retained, through its terms of service, broad rights to use, distribute, transmit, modify, and share the posted content with partners — all without having to cite a "valid reason." The Court treats these contractual provisions as evidence that the operator processes the data not solely for users but in service of its own advertising and commercial aims (para. 67). The platform's design choice to permit anonymous posting is additionally noted as facilitating the unauthorized processing of third-party data.

Influence on means. Setting ranking, visibility parameters, distribution duration, and categorization counts as participation in the determination of the essential means of processing (paras. 70–73). This extends the reach of Wirtschaftsakademie and Fashion ID into a wider class of platform operators: any service whose algorithmic infrastructure meaningfully shapes how personal data becomes publicly accessible is on notice.

The Court explicitly rejects the defense that the operator did not itself choose the content (para. 74). That argument, the Court holds, would contradict both the wording and the protective purpose of Article 4(7).

The operator of an online marketplace cannot escape its responsibility merely on the ground that it did not itself determine the content of the ad published on that marketplace. — Russmedia, para. 74

3. The preventive triad for sensitive data

Against this controllership backdrop, the Court derives an ex-ante program of three obligations (paras. 92–106), grounded in Articles 5(2), 24, 25, and 26 GDPR:

  1. Detect — Operators must implement technical and organizational measures to identify, before publication, ads that may contain Article 9 data. This duty arises at the moment the operator designs the service, not merely at the moment of processing (Article 25(1)).
  2. Verify — Operators must collect and verify the identity of the posting user so as to confirm whether the poster is the person to whom the sensitive data relates. Anonymous posting of another's sensitive data is, by definition, incompatible with the consent requirement.
  3. Refuse — If the poster is not the data subject and cannot demonstrate explicit consent under Article 9(2)(a) (or another Article 9(2) exception), the operator must refuse publication, again via suitable technical and organizational measures.

The Court frames this obligation using the risk-based logic of Articles 24 and 25. The adequacy of measures is assessed concretely — in light of the nature, scope, context, purposes, and risks of the processing. The Court explicitly adds a general-preventive function: measures must also operate to deny would-be abusers the sense that the platform is a space of impunity (para. 104).
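As an added illustration (not taken from the judgment or from the author), the detect, verify, refuse sequence can be written as a pre-publication gate that fails closed and records each decision for accountability purposes. The term patterns are a constructed stand-in for a real classifier, and every name here (`Submission`, `gate`, `consent_ref`) is hypothetical; the presence of a consent reference is taken at face value, where a real system would validate the underlying record.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a real Article 9 classifier (hypothetical patterns).
SENSITIVE_PATTERNS = {
    "health": re.compile(r"\b(diagnos\w+|hiv[- ]positive)\b", re.I),
    "sex_life": re.compile(r"\b(escort|sexual services)\b", re.I),
}

@dataclass
class Submission:
    ad_id: str
    text: str
    poster_id: Optional[str] = None        # None means anonymous posting
    poster_verified: bool = False          # identity check completed
    data_subject_id: Optional[str] = None  # person the ad is about, if known
    consent_ref: Optional[str] = None      # pointer to documented explicit consent

def detect(text: str) -> list:
    """Detect: return the sensitive categories the text appears to touch."""
    return sorted(k for k, p in SENSITIVE_PATTERNS.items() if p.search(text))

def gate(sub: Submission, audit_log: list) -> dict:
    """Run detect -> verify -> refuse before publication; fail closed."""
    categories = detect(sub.text)
    if not categories:
        publish, reason = True, "no_sensitive_category_detected"
    elif sub.poster_id is None or not sub.poster_verified:
        # Verify: sensitive content is never published for an unverified poster.
        publish, reason = False, "poster_identity_not_verified"
    elif sub.data_subject_id == sub.poster_id:
        publish, reason = True, "verified_poster_is_data_subject"
    elif sub.consent_ref:
        publish, reason = True, "documented_explicit_consent"
    else:
        # Refuse: unknown or third-party data subject and no consent on file.
        publish, reason = False, "no_consent_from_data_subject"
    record = {
        "ad_id": sub.ad_id,
        # Store a digest rather than the ad text to keep the log minimal.
        "text_sha256": hashlib.sha256(sub.text.encode()).hexdigest(),
        "categories": categories,
        "publish": publish,
        "reason": reason,
    }
    audit_log.append(record)
    return record

if __name__ == "__main__":
    log = []
    # Constructed sample ads.
    gate(Submission("a1", "Used bike, good condition"), log)
    gate(Submission("a2", "Jane Doe offers sexual services, call 555-0100"), log)
    for entry in log:
        print(entry["ad_id"], entry["publish"], entry["reason"])
```
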

4. A separate duty to contain redistribution

Article 32 GDPR is pressed into service as an independent obligation to prevent the copying and unlawful redistribution of sensitive content that has been lawfully posted (paras. 113–126). Operators must consider all state-of-the-art technical measures capable of blocking copies and replication. This covers scraping protection, rate-limiting, content hashing, watermarking, and access restrictions. Importantly, the Court stops short of strict liability: the mere fact that redistribution occurred does not conclusively prove the operator's measures were inadequate (para. 123).

5. No escape via the safe harbor

The Court's answer to the first question is doctrinally spare but functionally decisive. Article 1(5)(b) eCD excludes data-protection questions from the Directive's scope; Article 2(4) GDPR leaves the eCD's Articles 12–15 "unaffected" only for non-data-protection matters. The same reading applies a fortiori to the DSA, whose Article 2(4)(g) preserves the application of EU data-protection law. The host-provider safe harbor therefore does not insulate operators from GDPR obligations, and the compliance duty the Court articulates does not qualify as a prohibited general monitoring obligation under Article 15 eCD (para. 132).

§ IV Where the judgment is strong — and where it strains

1. The end of reactive-only compliance

On the central holding — that the eCD/DSA safe harbor does not displace GDPR duties — Russmedia is both textually obvious and practically overdue. The wording of Article 1(5)(b) eCD has been on the books since 2000; the Court had already said so explicitly in La Quadrature du Net (C-511/18, para. 200). That the market received Russmedia as a surprise says more about the degree to which Section 230-style intuitions migrated into European compliance thinking than about any novelty in the judgment itself.

2. The strained joint-controllership construction

Less convincing is the construction of the operator and the anonymous poster as joint controllers under Article 26. Joint controllership presupposes converging determinations of purposes and means. Here, however, the operator's purposes (monetization, distribution, engagement) and the poster's purposes (whatever malicious or commercial aim the poster pursues) are not convergent but parallel, linked only by the infrastructure. The Court locates the joint element primarily in the platform's terms of service — a document the user accepts unilaterally. That is a thin reed. Dogmatically, the operator is better characterized as an independent controller under Article 4(7) alt. 1 for its own processing acts, with the poster as a separate independent controller for the act of making the data public. The joint-controllership framing introduces practical problems — most notably, the Court itself acknowledges that the Article 26 transparency arrangement is impossible to conclude with an anonymous counterparty (para. 101) — without producing compensating doctrinal clarity.

3. GDPR and DSA: two regimes, one product

For US technology companies operating in the EU, the practical significance of Russmedia sits in its implicit confirmation that DSA compliance does not substitute for GDPR compliance. Many US-headquartered platforms have, over the past eighteen months, operationalized DSA obligations (transparency reporting, Article 13 representation, statements of reasons, trusted-flagger channels) as a discrete workstream. That workstream does not address the controllership, lawfulness, identity-verification, and security duties the Court has now underscored. Article 27 GDPR representatives, Article 13 DSA representatives, product teams, and counsel need to operate within a shared map, not three separate ones.

4. The practicability question — and the AI paradox

The Court demands neither omniscience nor general monitoring. It requires risk-proportionate, state-of-the-art detection and verification measures. At scale, this pushes platforms toward automated classification (image and text models to flag potential Article 9 content, pattern-matching for common sensitive-data signatures) and identity verification infrastructure (from lightweight email/phone confirmations to eID-based verification). The paradox is visible: a judgment animated by data-protection concerns may, in practice, require substantially more processing — ingesting every post through classifiers, collecting and retaining verified identity data — than the reactive model it replaces. This tension with Article 5(1)(c) data minimization is unresolved and will occupy both supervisory authorities and the Court in the coming years.

5. Reach beyond online marketplaces

The Court frames its holding narrowly — sensitive data, online marketplaces. The underlying logic is not so confined. Any platform whose operator exercises the kind of purpose-and-means influence the Court identifies (monetization, algorithmic distribution, broad content-usage rights) is exposed. Social networks, review platforms, classifieds, AI-assisted content platforms, and VLOPs/VLOSEs under the DSA all sit inside the reasoning. For non-sensitive personal data, a proportionally lighter but structurally similar preventive program is the natural extrapolation — a point the Court implicitly concedes by grounding the duty in Articles 5(2), 24, and 25, which apply across all personal data.

· · ·

§ V What this means for product and compliance teams

1. Product architecture is now a legal artifact

Privacy by design (Article 25) has long been the GDPR's most under-enforced provision. Russmedia changes that. The Court explicitly anchors compliance obligations at the moment the operator designs the service. For product teams, this means treating onboarding flows, identity verification, upload schemas, and default visibility settings as legally material artifacts. A data protection impact assessment (Article 35) that does not model the foreseeable risk of third-party sensitive data being posted via the service is, post-Russmedia, plainly deficient.

2. The anonymity question

Platforms that currently permit anonymous content posting will need to assess whether the business rationale for anonymity outweighs the regulatory risk. The Court does not ban anonymity; it treats anonymity, combined with the foreseeable posting of third-party sensitive data, as a risk factor that aggravates the operator's due-care duties. Pseudonymous posting paired with robust identity verification at account creation is a defensible architecture; truly anonymous posting of content that touches third parties is increasingly hard to justify.

3. Terms of service as a liability surface

The Court pointed to Russmedia's broad content-usage rights in its terms of service as evidence of joint controllership (para. 67). Operators should audit their terms to distinguish between rights that are technically necessary for service operation (right to display, transmit, cache, serve) and rights that reach beyond operational necessity (right to modify, share with partners, use for unrelated purposes). Rights of the second kind are compliance-relevant; they should be scoped, justified, or dropped.

4. Accountability documentation

Article 5(2) GDPR's accountability principle — emphasized throughout the judgment — means the burden of demonstrating adequate measures falls on the operator. Plaintiffs and supervisory authorities do not have to prove that the measures were inadequate; operators have to prove they were adequate. In litigation, this translates to careful technical documentation: which state-of-the-art measures were considered, which were implemented, which were rejected, and on what risk-proportionality grounds.

5. For US companies operating at EU scale

For US-headquartered technology companies offering services to EU users under Article 3(2) GDPR, Russmedia reinforces three points. First, the European compliance stack is not DSA plus GDPR; it is DSA alongside a fully operative GDPR regime whose obligations are not privileged by hosting status. Second, the EU representative role under Article 27 GDPR is distinct from the representative role under Article 13 DSA — neither substitutes for the other, and the GDPR representative sits closer to the substantive controllership duties the Court has now emphasized. Third, product decisions made at US headquarters — authentication flows, content categorization, algorithmic ranking — now carry direct legal weight in EU compliance assessments in a way they did not before.

§ VI The architecture question

The deepest implication of Russmedia is not doctrinal. It is that the architecture of a platform is, in Europe, a legal object. What a service allows users to do, under what verification, with what visibility defaults, and under what redistribution controls — these are no longer purely product choices. They sit inside the GDPR's accountability regime, and after Russmedia, they sit there without the cushion of the host-provider safe harbor.

Open questions remain. How far the preventive triad extends beyond Article 9 data will be the first. What identity-verification standards satisfy "state of the art" will be the second. How far the logic applies to generative AI services that host or ingest third-party personal data will be the third, and perhaps the most consequential. Each of these will be litigated. But the core position is settled: platforms that commercialize user-generated content participate in the processing of the personal data inside that content, and they carry the compliance burden that participation entails.

For operators, the choice is not between compliance and non-compliance. It is between addressing the architecture question now, as a product decision, or addressing it later, as a remedial one. The former is an engineering project. The latter is litigation.

About the author
Theo Funk
Rechtsanwalt · German-qualified attorney · EU Digital Law Counsel

Theo Funk advises US-based technology companies on EU digital-law compliance, with a focus on the Digital Services Act and the AI Act. He serves as statutory legal representative under Article 13 DSA and works with mid-market US digital businesses on regulatory strategy, supervisory-authority engagement, and product-counsel questions arising at the intersection of the DSA, the GDPR, and the AI Act.
