Liability of online platforms: end of the “Safe Harbor” for GDPR violations?

In a groundbreaking ruling, the Court of Justice of the European Union (CJEU) has ruled that operators of online marketplaces are directly liable as controllers for the personal data in users' advertisements. The traditional immunity for hosting providers does not apply under the GDPR. From now on, platforms must proactively check for sensitive data and verify the identity of advertisers.

The facts and context

The case revolves around an advertisement on www.publi24.ro, a Romanian online marketplace operated by Russmedia Digital. An unknown third party posted a false advertisement offering sexual services, using photos and the phone number of a woman without her consent.

Although Russmedia removed the advertisement within an hour of being notified, the damage had already been done: the advertisement had been copied and distributed on other websites. The victim initiated legal proceedings and claimed damages for the infringement of her privacy and honor.

The central legal debate was whether the online platform could hide behind the role of passive “intermediary” (hosting provider). According to the Directive on electronic commerce (and now the Digital Services Act or DSA) such providers are in principle not liable for user content as long as they are unaware of its illegal nature. The question was whether this immunity also applies to infringements of the General Data Protection Regulation (GDPR).

The decision of the Court of Justice

In the ruling of 2 December 2025 (C-492/23), the Grand Chamber of the Court of Justice made several far-reaching rulings that fundamentally change the landscape for online platforms in Europe:

  • Platform is the data controller: The operator of an online marketplace is (together with the advertiser) the “controller” within the meaning of the GDPR. Because the platform structures, categorizes, and monetizes the advertisements for its own commercial purposes, it helps determine the “purposes and means” of the processing.
  • No immunity under GDPR: The Court ruled sharply that the liability limitations (the so-called “safe harbor”) in the e-Commerce Directive cannot be invoked to escape obligations under the GDPR. The protection of personal data takes precedence.
  • Obligation to carry out prior checks: When it comes to special categories of personal data (such as data concerning a person's sex life, Art. 9 GDPR), the platform must check whether the advertisement contains such data before publication.
  • Identification requirement: The platform must verify the advertiser's identity to ensure that they have permission to post sensitive data. Anonymous advertising with sensitive personal data is contrary to the GDPR.
  • Protection against scraping: The platform must take technical measures to prevent advertisements from being copied by third parties and republished elsewhere.

Legal analysis and interpretation

This ruling marks a seismic shift in internet law. Until now, many platforms operated under the assumption that the “notice and takedown” principle (responding after notification) was sufficient to avoid liability. The Court now states unequivocally that this mechanism is not sufficient for data protection.

The relationship between DSA and GDPR

Although the ruling formally concerns the (old) Directive on electronic commerce, the reasoning is directly applicable to the current Digital Services Act (DSA). The Court thus confirms that the GDPR functions as lex specialis: platforms cannot invoke their status as “passive hosts” to avoid the strict rules of the GDPR.

From reactive to proactive supervision

The most significant consequence is the introduction of a general monitoring obligation for specific types of data. Whereas Article 15 of the e-Commerce Directive (and Article 8 of the DSA) prohibits a general monitoring obligation, the Court states that this prohibition does not apply to the obligations of a controller under the GDPR.

This creates a complex situation for platforms: to be GDPR-compliant, they must scan uploads for sensitive data (such as health, political preferences, or sexual orientation). This requires advanced filters and human moderation, which significantly increases the duty of care.

What this specifically means

The impact of this ruling extends to any website that hosts user-generated content (UGC) or advertisements in Belgium and the EU.

For online platforms and marketplaces
  • Amendment to general terms and conditions: You must acknowledge and make transparent your role as a data controller.
  • Implementation of filters: You are required to implement technical measures that detect sensitive personal data before publication.
  • End of anonymity: For advertisements containing sensitive data, you must implement a strict “Know Your Customer” (KYC) policy. You must verify that the advertiser is indeed the person to whom the data relates.
  • Anti-scraping measures: You need to invest in technology that prevents bots from copying your content and your users' personal data.

For victims of online abuse

This ruling is a victory for victims of revenge porn, doxing, or fake profiles.

  • Direct liability: You no longer need to search for the (often anonymous) perpetrator. You can directly claim compensation from the platform based on the GDPR, because they failed to protect your data.
  • Right to be forgotten: Platforms must be much more proactive in preventing your data from reappearing after it has been deleted.

For advertisers and users
  • Privacy vs. control: Please note that platforms will ask you for more information (such as proof of identity) before allowing you to post certain content. The threshold for anonymous posting will be significantly raised.

Frequently Asked Questions (FAQ)

Is a website always responsible for what users post?
Not for all content, but for the personal data contained in that content. If a platform determines the structure and distribution of advertisements, it is considered a ‘controller’ under the GDPR and is liable for the protection of that data.

Can I still place an ad anonymously?
That will be more difficult. If your advertisement contains sensitive information (for example, about ethnicity, health, or sexual preference), the platform is now required to verify your identity before publication to prevent abuse.

Does this also apply if the platform removes the advertisement quickly?
Yes. The Court ruled that even rapid removal (notice and takedown) does not exempt the platform from liability if it has failed to carry out prior checks on sensitive data.

Conclusion

The Russmedia ruling (C-492/23) rewrites the rules of the game for the internet in Europe. The days when platforms could wash their hands of responsibility by pointing to the user are over when it comes to privacy-sensitive information. The GDPR now unambiguously takes precedence over the immunity rules of e-commerce legislation. For platforms, this means: check, verify, and secure, or pay.


Joris Deene

Attorney-partner at Everest Attorneys
