CJEU clarifies GDPR duties for online platforms hosting user ads

The ruling also explicitly imposes proactive duties on operators of online marketplaces to screen for sensitive data in user generated content published on their platforms and implement technical measures to prevent unlawful dissemination. It signals a shift from passive hosting to active responsibility and raises important questions about feasibility, proportionality, and the future of platform liability in the EU.

Background

The case concerned an online marketplace in Romania that enabled users to publish advertisements, either free or for a fee, on a platform operated by the defendant service provider. In 2018, an advertisement was published on the platform containing photographs and a telephone number of a woman, falsely suggesting that she offered sexual services. The ad was posted without the woman's consent and included her sensitive personal data. Although the operator removed the ad shortly after being notified of its unlawful publication, the content had already been copied and republished on other websites.

The woman brought an action in Romanian court seeking compensation for non-material damage, alleging unlawful processing of her personal data and violations of her rights to privacy, honor, and personal portrayal. The proceedings raised questions about the platform operator's role: whether it acted merely as a hosting intermediary under the eCommerce Directive or bore responsibilities as a controller under the GDPR. Specifically, the referring court asked whether the operator was required to verify the identity of advertisers and prevent publication of unlawful ads, and whether its obligations included proactive measures to identify sensitive data before publication.

These circumstances framed the legal issues referred to CJEU: the interpretation of GDPR provisions on controllership, accountability, and processing of sensitive data, alongside the liability exemptions for hosting providers under the eCommerce Directive.

The referring court's questions focused on whether the operator could rely on the eCommerce Directive's intermediary liability limitations despite exercising certain rights over user content, and whether its involvement in determining how ads were published and managed amounted to joint control with advertisers for the purposes of the GDPR.

The Legal Questions

The Romanian Court of Appeal referred several questions to the CJEU, seeking clarification on:

• Whether an online marketplace operator qualifies as a controller under GDPR for personal data in user ads.
• Whether the liability exemptions for information society services in Articles 14 and 15 of the eCommerce Directive exempt platforms from GDPR obligations.
• Whether platforms must verify the advertiser’s identity and check for sensitive data before publication.
• Whether platforms must implement measures to prevent unlawful copying and redistribution of ads.

The Broader Context

This case sits at the intersection of two regulatory regimes:

• The eCommerce Directive, which traditionally shields hosting providers from liability for third-party content if they act as neutral intermediaries.
• The GDPR, which imposes responsibilities on controllers, particularly when processing sensitive data.

The judgment resolves tension between these frameworks by prioritizing data protection over intermediary liability exemptions.

Analysis

The Court’s reasoning addresses several key issues:

Controller Status

The Court held that platforms are not mere technical intermediaries in certain scenarios. By structuring, categorizing, and monetizing advertisements, and by reserving rights to copy, distribute, and modify content under their terms of service, platforms determine the purposes and means of processing even if they do not exercise ownership rights over the content. This makes them controllers under the GDPR. The fact that users upload the ads does not absolve platforms of responsibility.

No GDPR Safe Harbor Under eCommerce Directive

The Court confirmed that the liability exemptions in the eCommerce Directive do not apply to GDPR obligations. While platforms may avoid civil liability for unlawful content under the Directive, they cannot escape their duties as controllers under GDPR. This principle underscores the primacy of data protection in EU law.

Proactive Compliance Duties

The judgment imposes significant proactive obligations:

• Pre-publication checks: Platforms must identify whether ads contain special category data under Article 9 GDPR (such as sexual orientation or health data).
• Identity verification: Platforms must verify that the advertiser is the data subject or has obtained explicit consent. If no lawful basis exists, the ad must not be published. These requirements represent a clear departure from the traditional notice-and-takedown model that underpins the eCommerce Directive and the Digital Services Act.

Security and Dissemination Controls

Platforms must implement technical and organizational measures to prevent ads from being copied or scraped and unlawfully republished elsewhere. This obligation, linked to Article 32 GDPR, requires robust security controls and may involve watermarking, anti-scraping technologies, and contractual restrictions.

Implications for Hosting Providers in the EU

The CJEU’s judgment introduces a notable evolution in the responsibilities of hosting providers. While many platforms have traditionally operated under the assumption that they were neutral intermediaries, the decision clarifies that certain activities, such as structuring, categorizing, and monetizing user content, can amount to determining the purposes and means of processing personal data. This interpretation places some hosting providers closer to the role of data controllers under the GDPR.

For many businesses, this means moving beyond a purely reactive compliance model. Pre-publication checks and identity verification are now part of the expected compliance framework for some scenarios, requiring investment in technology and operational processes. Automated tools for detecting sensitive data and verifying advertiser identity will likely become standard, but these measures also raise questions about feasibility and proportionality, particularly for smaller providers.

The Judgment may also influence business models. Increased compliance obligations for some scenarios could lead to higher operational costs and stricter onboarding requirements, which might affect user experience and engagement. Smaller platforms could face competitive pressure if they lack resources to implement robust compliance systems, potentially accelerating market consolidation.

Finally, hosting providers must consider the broader regulatory context. The obligations outlined by the Court do not exist in isolation, they intersect with frameworks such as the Digital Services Act and the forthcoming AI Act. This convergence suggests a future where data protection, content moderation, and algorithmic accountability are increasingly interlinked. Providers that proactively integrate these requirements into their governance structures will be better positioned to manage risk and maintain trust.

What Companies Should Do Now

To mitigate risks under GDPR requirements, operators of online platforms in Europe should:

• Map Controller Roles - Determine whether your platform qualifies as a controller or joint controller for user-generated content. Update governance frameworks accordingly.
• Embed Pre-Publication Checks - Implement workflows to verify advertiser identity and detect sensitive data before ads go live. Consider automated tools and AI-driven content screening.
• Update Contracts and Notices - Revise terms with advertisers to reflect joint controllership and lawful basis requirements. Update privacy notices to explain processing activities clearly.
• Strengthen Security Measures - Deploy technical safeguards to prevent scraping and unauthorized copying of ads. Review compliance with Article 32 GDPR.
• Monitor Legislative Developments - Align with evolving EU frameworks, including the Digital Services Act and AI Act, which complement GDPR obligations.

Conclusion

The CJEU’s judgment signals a significant development in the regulatory landscape for certain online platforms. By clarifying that certain hosting activities can amount to controllership under the GDPR, and by introducing proactive compliance duties, the Court has moved the industry toward a more preventive approach to data protection. While this does not eliminate the concept of hosting as an intermediary, it does require some platforms to reassess how they manage user-generated content and personal data.

The udgment reflects the EU’s broader policy of prioritizing individual rights and accountability in the digital environment. Hosting providers that take a proactive, balanced approach to compliance will be better positioned to navigate this shift and maintain competitiveness in an increasingly regulated market.

Authored by Joke Bodewits and Julian Flamant.