CJEU - C-492/23 - Russmedia
| CJEU - C-492/23 Russmedia | |
|---|---|
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 26(1) GDPR |
| Decided: | |
| Parties: | |
| Case Number/Name: | C-492/23 Russmedia |
| European Case Law Identifier: | ECLI:EU:C:2025:68 |
| Reference from: | Curtea de Apel Cluj (Romania) |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion |
| Initial Contributor: | tjk |
The AG opined that the operator of an online marketplace acts as a processor of the personal data contained in ads and is therefore not obliged to check their content. However, regarding the personal data of registered user advertisers, the operator acts as a controller and must verify the identity of those user advertisers.
English Summary
Facts
Russmedia Digital (Russmedia), a Romanian company, is the owner of the online marketplace www.publi24.ro on which ads for - inter alia - goods or services from Romania can be published, either free of charge or for a fee. An unidentified person published an ad on that online marketplace, the content of which was disparaging and offensive towards the data subject, stating that it offered sexual services (‘the ad’). That ad contained photographs without the data subject's consent originating from a social networking account. The identity of the person posting that ad was not verified prior to publication. When contacted by the data subject, the controller removed the ad from its online marketplace less than an hour later. However, the same ad has been placed online, indicating the original source, by other websites with advertising content, where it can still be accessed.
Court of First Instance
Arguing that the ad at issue infringed her rights, the data subject brought an action against Russmedia. The Court of First Instance upheld that action and ordered Russmedia, on the basis of Romanian law, to pay the data subject compensation for the non-material damage caused to her by the infringement of her right of personal portrayal and right to honour and reputation, the breach of her right to privacy, and the improper processing of her personal data. That court took the view that the ad at issue constituted a failure by Russmedia to meet the obligations imposed on it by the GDPR.
Specialised Court
A specialised court upheld Russmedia’s appeal, ruling that the action brought by the data subject was unfounded because Russmedia was not the author of the ad at issue. The court held that Russmedia was merely providing a service for storing ads, without being actively involved ‘in the content’ of those ads. That court therefore found that Russmedia was exempted from liability by Romanian law for the damage claimed.
Referral by the Court of Appeal
The data subject brought an appeal against that decision before the Curtea de Apel Cluj (Court of Appeal, Cluj). In that appeal, the data subject submits, inter alia, that the appeal court should have analysed Russmedia’s liability from the GDPR's point of view. Furthermore, the data subject claimed that the Romanian law privileging providers of information society services is not applicable in the present case.
The referring court allowed the appeal, and ruled, by decision of 15 June 2023, to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling:
- Do Articles 12 to 14 of Directive 2000/31 apply to a storage and hosting information service provider making available a website on which free or paid ads may be published, which claims that its role in publishing users’ ads is purely technical, but which, through its general terms and conditions retains the right to use the content without the need for any reason for doing so?
- Must Article 2(4), Article 4(7) and (11), Article 5(1)(f), Article 6(1)(a), Articles 7, 24 and 25 GDPR and Article 15 of Directive 2000/31 be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify before publishing an ad whether the person publishing the ad and the owner of the personal data referred to in the ad are the same person?
- Must those provisions be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify in advance the content of ads published by users, in order to exclude ads which are potentially unlawful in nature or likely to infringe a person’s private and family life?
- Must Article 5(1)(b) and (f), Articles 24 and 25 GDPR and Article 15 Directive 2000/31 be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to apply safeguards which prevent or limit the reproduction and redistribution of the content of the ads published through it?
Advocate General Opinion
The AG noted that all the questions referred concern the more fundamental question of the relationship between the provisions of Directive 2000/31 and those of the GDPR.
The first question: a marketplace operator's liability for hosted content
The AG found that the publishing of ads on its online marketplace by Russmedia and its determination of the layout of ads cannot have the effect of denying it the exemptions from liability provided for by Directive 2000/31, as nothing indicates that Russmedia intervenes in the posting of ads or that it checks the individual content of those ads prior to publication. The AG found that the contractual arrangements under which a provider may handle the information stored, without being obliged to do so, cannot in themselves be decisive in determining whether a provider is neutral, because the examination should take into account only the actions actually undertaken by the provider.
The AG is of the opinion that an operator can still rely on the exemption from liability under Article 14(1)(a) of Directive 2000/31 when an ad published on an online marketplace is manifestly illegal and deeply harmful to the person concerned by that ad, unless the service provider, as described in Recital 44 of Directive 2000/31, deliberately collaborates to undertake illegal acts.
The second, third and fourth questions referred
Legal characterisations of marketplace operators under the GDPR
The AG stated that the publication of an ad is generally intended to promote the product or service offered by a user advertiser to the public, so its purpose is determined by the user advertiser. The AG thus found that an operator such as Russmedia does not exert any influence, for its own purposes, over the determination of the purpose and means of processing of any personal data contained in the ads posted. If that operator is involved in processing those data, it acts as a processor, on behalf of a user advertiser and under that user's responsibility. Given that circumstance, users of a hosting service must be characterised as controllers within the meaning of the GDPR.
The obligations and responsibilities of the operator
When considering the operator a processor of data contained in ads
The AG draws on Article 32 GDPR for the obligations of the operator, stating that a processor cannot be required to monitor the actions of the data controller. However, the processor must ensure protection against unauthorised or illegal processing, or loss, in accordance with the principles of integrity and confidentiality set out in Article 5(1)(f) GDPR. If ads posted on an online marketplace can legally be reproduced by the operators of other sites that are listed there and are known in advance by user advertisers, the AG is of the opinion that the processor should implement measures enabling it to require the removal of ads that have been removed from its own platform. However, the AG is not of the opinion that a processor should be required to prevent the redistribution of ads containing personal data.
Nonetheless, the AG opines that the operator is the controller when processing the data of user advertisers who create accounts. The AG found that, under Articles 24 and 25 GDPR, a controller managing an online marketplace must implement technical or organisational measures to verify the identity of user advertisers, in order to prevent fraud or identity theft. The AG points out that the assumption of anonymous use of the internet does not preclude verification of identity, e.g. by telephone number.
When considering the operator a controller of data contained in ads
The AG is of the opinion that, where the operator is the controller of the data contained in ads, it must check the ads before publishing them, verify whether their processing is based on the consent of the data subject or on some other legitimate basis laid down by Articles 5(1)(a), 6(1) and 7 GDPR, and introduce measures preventing processing that is harmful to data subjects. If that operator fails to comply with those principles, it may be held liable for breaches of that regulation, in accordance with Article 82 GDPR.
Additionally, the AG doubts that the operator, which relies economically on publicly accessible ads, should be obliged to limit their redistribution.
The relationship between Directive 2000/31 and the GDPR
A neutral hosting provider as controller
The AG discussed the following tension: if a hosting service stores personal data and is considered to be a controller, then the role of that provider is not confined to neutral storage of such information. Consequently, the provider of such a service assumes an active role with regard to that information and is ineligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31. This, the AG supposed, supports the interpretation that the operator acts not as a controller of the personal data contained in the ads but as a processor.
Parallel application of the GDPR and Directive 2000/31
The AG discusses the question whether a party involved in the processing of personal data that may be held liable for a breach of the GDPR can rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31.
The AG finds that, especially in the light of Article 2(4) GDPR, both Directive 2000/31 and the GDPR are to be applied in parallel to matters that are not specifically regulated under the GDPR. The AG does not consider Article 82(3) GDPR to constitute a clause providing exemption from liability fulfilling a role comparable to that of Article 14(1) of Directive 2000/31, as it is subject to fault on the part of the controller. The AG also considered that a processor may be liable under the second sentence of Article 82(2) GDPR, but only where it has not complied primarily with Article 32 GDPR obligations. However, the AG noted that if a company can be held liable for a GDPR breach under national legislation, there is even less reason to find that the entity concerned is ineligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31. Therefore, the AG is of the opinion that a processor that could be held liable for a breach of the GDPR can rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31.
Conclusion
The AG thus proposes:
- that Article 14(1) of Directive 2000/31 must be interpreted as meaning that the provider of an information society service that makes available to users an online marketplace on which ads are posted may also be considered eligible for the exemption from liability where that provider indicates, in the general terms and conditions of use of its online marketplace, that, while it does not claim any right of ownership over the content, it nonetheless retains the right to use that content, without the need for any reason for doing so, provided that that service provider does not take any action that would cause it to cease to be classified as a neutral hosting provider.
- that Article 5(1)(f), Article 6(1)(a) and Articles 7, 24 and 25 GDPR must be interpreted as meaning that the provider of an information society service hosting ads on a website at the request of its users acts as a processor of the personal data contained in the ads posted on its online marketplace. In that context, it is not required to verify the content of the ads posted or to implement security measures to prevent or limit the copying and redistribution of the content of the ads published by means of its services. However, it must implement appropriate organisational and technical measures to ensure the security of processing vis-à-vis third parties. On the other hand, such a service provider acts as a controller of the personal data of registered user advertisers. In that context, it is required to verify the identity of those user advertisers.
Holding
TBD