CJEU Russmedia C-492/23
“Intermediary liability exemption: See you later, alligator”
Welcome to Zero Party Data “WTF edition.” I know, the Digital Omnibus also deserved a special urgent issue, but we have a life.
The case:
Russmedia Digital is the owner of the website www.publi24.ro, which is basically the Romanian Wallapop – an online marketplace where you can post free or paid ads for the sale of goods or services in Romania.
“X” alleged that, in August 2018, an unidentified third party posted a fake ad on publi24 with her personal data, including photographs and her phone number, making it appear as though she was offering sexual services.
At her request, Russmedia removed the ad from its website less than an hour after receiving the request, but the same ad was still available on other websites that had “scraped” it.
X filed a lawsuit seeking compensation for moral damages arising from the unlawful processing of her personal data and the infringement of her image, honor, and privacy rights. The preliminary question arises at the appellate stage.
The preliminary question of the Romanian Court
Essentially, the issue is how far the consequences go if Russmedia is classified as a “controller” or “joint controller” of X’s personal data when publishing the ad at the request of its client, who is a third party.
Let’s remember that “intermediary” service providers—hosting services like Google or publishing platforms like Youtube—are (spoiler: “WERE”) exempt from liability (e-commerce and ePrivacy Directives) for unlawful acts related to content stored or published by a third party as long as they had no direct knowledge of it—which is why those little report and notification buttons are offered to users.
You are reading ZERO PARTY DATA. The newsletter about tech news from the perspective of data protection law and AI by Jorge García Herrero and Darío López Rincón.
In the spare time left by this newsletter, we like to solve complicated issues in personal data protection and artificial intelligence. If you have any of those, just give us a wave. Or contact us by email at jgh(at)jorgegarciaherrero.com
The new case law doctrine
The CJEU applies in its ruling a bunch of doctrines established in recent years:
1.-The reinforced protection of sensitive data requires a broad interpretation of such data.
2.-Even if the data published about anybody´s life or sexual orientation is false, it is still “sensitive data” (special category).
3.- Russmedia is joint controller of the processing for GDPR purposes, along with the advertiser user, because:
· It economically benefits from what it publishes, does so in its own name, not on behalf of its users, and has actively designed the service: it is not neutral.
· In its terms, it reserves the right to “distribute, transmit, publish, delete, or even reproduce the information contained in the ads, including the personal data they contain.” This wording is omnipresent on online platforms.
· This does not make it responsible for identity theft perpetrated by its user. But it does indeed for the publication.
Conclusions of the ruling
The operator and the advertiser user are joint controllers of the publication and therefore must be able to prove that the personal data contained in the ad in question is lawfully published, that is, with the consent of the data subject whose data is published, or another legitimate basis under Article 6 GDPR.
When the data is of a special category, consent must be explicit and, moreover, it is particularly important that the data be accurate.
The operator is responsible not at the time of publication, but from the design of the service, for implementing effective measures to identify sensitive data in posts and to validate their compliance as described above.
Additionally, it must prevent third parties from data scraping such posts containing sensitive data. The CJEU does not specify how this can be done.
Specifically (paragraph 137), when sensitive data is involved, the operator must:
a. Identify ads containing sensitive data (from Article 9 GDPR). To do this, the content proposed by users must be monitored ex ante.
b. Verify if the advertiser user who is about to place such an ad is the person whose sensitive data appears in the ad (i.e., not necessarily verify the user’s identity, but almost) and, if not,
c. Deny its publication, unless the advertiser user can prove that the data subject has given explicit consent or another circumstance under Article 9.2 GDPR applies (that is: deny its publication).
d. Apply appropriate technical and organizational security measures to prevent ads published in that marketplace containing sensitive data from being copied and unlawfully published on other websites. (This is, frankly, technically impossible.)
But hey, doesn’t this new doctrine contradict the famous liability exemption of the e-commerce and ePrivacy directive?
137.3 “The operator of an online marketplace, as the controller under the GDPR of personal data contained in ads published in its online marketplace, cannot invoke , regarding the breach of obligations arising from Articles 5.2, 24 to 26 and 32 of this Regulation, Articles 12 to 15 of that Directive, relating to the liability of intermediary service providers.”
Is this doctrine applicable to other cases?
Few doubts about this: It is.
The CJEU explicitly classifies in this ruling (paragraphs 71, 72) (also) as controllers for these purposes (i) online marketplaces like publi24, (ii) platforms like Facebook or Instagram. (Hello, Twitter, Threads, Bluesky) and (iii) search engines.
This is the paragraph (74) that will take your breath away:
74.- “In any case, the operator of an online marketplace cannot evade its responsibility, as controller of the processing of personal data, by claiming that it was not the one who determined the content of the contested ad published on that marketplace. In fact, this would be incompatible not only with the clear wording of Article 4, point 7, of the GDPR, but also with the objective of this provision.”
Other “potentially” affected activities:
Dating apps and platforms. “Check that your user is who they say they are, and if not, do not publish their profile.” The tastiest part of any profile is the sensitive one. On the other hand, this doctrine by definition wipes out models like Grindr. Or OnlyFans.
Crowdfunding apps and platforms: they usually disclose all sorts of details (the need for an operation, for medical treatment) about third parties: specifically, the beneficiaries of the financial aid, who are not the user.
Platforms for reviews and ratings of medical professionals, where the user discusses their ailment and may lie about whether they even visited the professional they criticize.
Any service that accepts and publishes reviews or ratings that regularly or occasionally contain sensitive data (the most obvious: reports of discriminatory treatment based on whichever Article 9 data you prefer).
The “AI training”? The massive ingestion of all types of data including personal data and, within that, special category data, not provided by the data subjects. It is debatable whether this processing results in its publication or something similar, but hey! The CJEU never ceases to surprise us.
Last but not least, any news feed you can think of: news aggregator services that use personalized recommendation services are anything but passive services.
News outlets are protected by freedom of the press, but news aggregators… Do they have to ensure that the latest outburst from a pseudo-media outlet subsidized by a party or a ministry was actually written by the person concerned?
And if not, if what was published (is linking the same as republishing, according to Russmedia?) is inaccurate or not? Oh, questions.
It seems appropriate here to apply the well-established doctrine on the hyperflexibilization—read: “substantial deprivation”—of the data protection rights of “public persons” outside their strictly personal and family sphere.
Jorge García Herrero
External DPO of Freepik
If you liked Zero Party Data, share it, don’t be like that.