The CJEU’s decision in Russmedia (C‑492/23) could reshape our understanding of intermediary liability protection – put simply whether a platform is liable for content posted by its users. It also poses three wider questions:
- Is the EU digital package coherent? The EU digital package is made up of around twenty separate Regulations or Directives, alongside existing laws such as the GDPR. However, they do not work in isolation, and the decision illustrates the risk of conflict between them.
- If there is a hierarchy of digital regulation? The GDPR is rooted in the EU Charter of Fundamental Rights. This judgment suggests it is likely to take precedence over other instruments in the digital package.
- How mindful is the CJEU of wider practical and policy issues? Intermediary liability protection is needed for compelling practical and policy imperatives. The volume of user-generated content on most platforms is so large that there is no way a platform can realistically moderate it before publication, yet this judgment potentially now makes platforms liable for that content.
Russmedia relates to a fraudulent advert for sexual services on online marketplaces and may be sui generis to its facts. However, on the face of the judgment there is little to suggest the reasoning would not also apply to things such as organic content on all platforms meaning the exact scope of this new lacuna is likely to be back before the CJEU before long.
Background
Russmedia Digital operates www.publi24.ro, an online marketplace platform where users can post advertisements either free of charge or for a fee. In August 2018, an unidentified individual posted an advertisement falsely claiming that a woman was providing sexual services. The advertisement included the woman’s telephone number and photographs of her taken from her social media without her consent.
Russmedia did not verify the identity of the person who posted the advertisement before it went live. Although Russmedia removed the advertisement within an hour of being notified by the woman, it had already been reposted to other websites where it remained accessible.
Believing the advertisement violated her rights to personal portrayal, honour, reputation and privacy and the rules relating to the processing of personal data, the woman commenced proceedings before the Romanian courts. The Court of First Instance found in her favour and awarded €7,000 in damages. This decision was reversed by the Specialised Court of Cluj which ruled that Russmedia was protected by the so-called hosting defence under the Romanian law implementing Article 14(1) of Directive 2000/31/EC (the “eCommerce Directive”). The woman appealed to the Court of Appeal of Cluj which referred a number of questions to the CJEU.
Key findings of the CJEU
GDPR trumps the hosting defence
The CJEU’s key finding is that the GDPR takes precedence over the intermediary liability protections in the eCommerce Directive. In other words, operators of online marketplaces cannot rely on the hosting defence to avoid their obligations under the GDPR nor can they argue that they cannot be placed under a general monitoring obligation because of Article 15 of the eCommerce Directive.
In some ways, this is not a surprise given Article 1(5)(b) of the eCommerce Directive states that it “does not apply to” obligations under data protection legislation. However, equally, the GDPR states that it is “without prejudice to” the intermediary liability provisions in the eCommerce Directive (Article 2(4)).
This appears to create a circularity which the CJEU resolved decisively in favour of the GDPR, in part because the GDPR reflects the fundamental right to data protection under the EU Charter and its objective is to ensure “a high level of protection of the right of every person to the protection of personal data”. This suggests that the GDPR has an inherent precedence over other digital regulations.
Controller status
The CJEU also addressed the prior question as to whether the platform is liable under the GDPR for advertisements placed by users. This depends on the status of the platform. In particular, is it a “controller” or merely a “processor” with more limited obligations?
The CJEU held that an online marketplace operator acts as a “joint controller” in relation to personal data appearing in advertisements alongside the person posting the advertisement. This is on the basis that it exercises decisive influence over how that data is processed.
Russmedia reserved certain rights in relation to the content, including to copy, distribute, transmit, modify and transfer it for its own commercial purposes. It participated in determining the purpose of the processing which consists of making the personal data contained in the advertisement accessible to internet users for commercialisation. Additionally, by allowing ads to be placed anonymously, Russmedia had facilitated the publication of special category data without the consent of the data subject (or other authority to process special category data).
The CJEU rejected the argument that Russmedia could not be a controller because it does not itself determine the content of the advertisement. When Russmedia transmits the content to third parties for its own purposes, this constitutes a separate processing operation for which it acts as sole controller.
Given the critical importance of intermediary liability protections to the online environment and the sheer impossibility of online platforms vetting content before publication, the CJEU might have taken a different course here and applied the fungible rules on joint controllership differently. For example, it could have used this concept to more tightly circumscribe the obligations on platforms (see below) but chose not to do so. While the CJEU did not take that opportunity, we know from previous decisions that even though the CJEU is quick to recognise joint controller relationships, it is also quick to recognise that each party’s controller responsibilities only extend to the processing contingent with its rights and responsibilities. This means a joint controller is able to avoid responsibility for upstream or downstream actions by its counterpart that are outside its immediate area of rights and responsibilities.
Pre-Publication Obligations
Given its status as a controller and the fact the advert constitutes special category data, the CJEU found that operators of online marketplaces must use appropriate technical and organisational measures to identify such advertisements that contain “sensitive data” prior to their publication. The Court did not set out what constitutes ‘appropriate technical and organisational measures’.
Operators must also verify whether the user preparing to place the advertisement is the person whose special category data appears in it. If not, the operator must verify whether the person whose data is being published has given express consent to publication. In the absence of consent, the operator of an online marketplace must refuse publication of the advertisement unless it is covered by an exception provided for by Article 9 of the GDPR.
Preventing Unauthorised Redistribution
The CJEU held that operators of online marketplaces must also take steps to prevent advertisements containing special category data from being copied and unlawfully republished on third-party websites. This requires them to implement appropriate technical and organisational security safeguards, although the CJEU did not specify what measures would satisfy this requirement.
Future implications for the EU
The hosting defence and other intermediary liability protections in the eCommerce Directive have now been carried over into the EU Digital Services Act (the “DSA”) (with some extensions such as the “good Samaritan” provisions in Article 7). The pre-emption wording in eCommerce Directive (“This Directive shall not apply to”) is slightly different to that in the DSA (“This Regulation is without prejudice to”) (Article 2(3)) but it seems likely the approach in Russmedia would be applied in the same way to the DSA.
In addition, while the Russmedia judgment only considers the joint controllership position in advertisements, the same reasoning could also apply to organic user content. This could include, for example, social media posts referring to other individuals. Does this mean that a social networking platform must confirm that both parties in a post celebrating a recent proposal have consented to the inherent special category processing? Such an extension could create significant practical difficulties and would clearly start to impinge on other fundamental rights such as the right to freedom of information and expression under the EU Charter.
Implications in the UK
The Russmedia judgment may also affect the UK’s regulatory framework. The UK’s intermediary liability rules are still contained in the UK implementation of the eCommerce Directive, see regs 17 to 19 of the Electronic Commerce (EC Directive) Regulations 2002 (the “E-Commerce Regulations”).
Online Safety Act 2023
While the intermediary liability rules remain in place, they do not protect from liability under the under the new Online Safety Act 2023. The Online Safety Act is not about individual items of content and much more about systems and processes, requiring affected entities to undertake risk assessments and implement appropriate technical and organisational measures. Whilst the presence of individual items of harmful content might suggest a failure in those systems and policies, they do not in themselves create any liability under the Online Safety Act 2023.
UK GDPR
More generally, the UK GDPR replicates the position in the EU GDPR, in that it is without prejudice to the provisions about mere conduits, caching and hosting in E-Commerce Regulations. This creates the same circularity in the EU with: (a) the UK GDPR being “without prejudice to” the E-Commerce Regulations, and (b) the provision that “nothing in [the E-Commerce Regulations] shall apply in respect of” the UK GDPR.
Russmedia is a post-Brexit decision and so not binding on the UK. However, in practice, the decisions of the CJEU continue to be very influential in the UK. While there is UK case law that suggests the hosting defence does apply to claims under the old Data Protection Act 1998 (CG v Facebook & Anor [2015] NIQB 11), the UK courts might still follow the CJEU on this point.
Conclusion
There is an open question as to whether the Russmedia judgment is sui generis to adverts for sexual services on online marketplaces, or is more widely applicable to, for example, organic content from users on any platform.
Given the scale and volume of user-generated content and the many and varied obligations under the GDPR, the approach in Russmedia risks creating liability “in an indeterminate amount for an indeterminate time to an indeterminate class” (per Cardozo J in Ultramares Corporation v Touche 174 NE 441). This is something the CJEU may have to grapple with sooner rather than later.
More widely the judgment illustrates the need to analyse the new EU digital regulation framework in the round and the likelihood of the GDPR overriding other laws in case of conflict.
Practical consequences
- In this context, online platforms should carry out a thorough review of their data processing activities to identify any situations where they act as joint controllers in relation to user-generated content, in particular where that content includes special category data.
- The findings of this review should drive updates to contractual documentation, privacy notices and internal policies to ensure each party’s respective roles and responsibilities are clearly and transparently defined.
- Platforms should also evaluate whether their existing technical and organisational measures are adequate to detect and manage high-risk content before it is published and should implement safeguards to prevent unauthorised redistribution of such content, while recognising that the exact scope of “appropriate” measures remains to be determined by the courts.
