CLOSE

close

CLOSE

EN

CJEU’s latest ruling: Why this one matters to ad-powered platforms

Recommended
CJEU’s latest ruling: Why this one matters to ad-powered platforms

CJEU’s latest ruling: Why this one matters to ad-powered platforms
Cryptocurrency becomes legal property in England, Wales and Northern Ireland

Cryptocurrency becomes legal property in England, Wales and Northern Ireland
November compliance news round-up

November compliance news round-up

Yesterday the Court of Justice of the European Union (CJEU) delivered a landmark verdict in the case of Russmedia Digital SRL and Inform Media Press vs X, fundamentally altering how online marketplaces and likely any ad-serving platform are treated under GDPR. 

 

The ruling 

 

For years, online platforms have lived in the comfortable shadow of “intermediary liability.” If a user uploaded an ad containing personal data, the platform could shrug and say, We’re just the host. We didn’t create it. We’re not responsible for what’s inside it.

 

That era is now over.

 

The decisive ruling draws a bright line that indicates that if you operate an online marketplace or any platform that publishes third-party ads, you are not a passive host. You are a data controller. And with that status comes responsibility.

 

The court has made it clear that platforms play an active role in shaping, presenting and distributing user-submitted advertisements. Because of this involvement, they must take ownership over what those ads contain, especially when personal data is involved.

 

This responsibility is not theoretical. It brings concrete, mandatory obligations that fundamentally reshape the way platforms must manage third-party advertising.

 

Before publishing any advertisement, platforms must now implement “appropriate technical and organisational measures” to ensure that unlawful or sensitive data is not allowed to slip through unnoticed.

 

This means they must:

1. Detect sensitive and special-category data

Ads containing information about a person’s sexual orientation, political views, religious beliefs, health status, or other sensitive characteristics must be identified before publication, not after a complaint and not once harm has occurred.

2. Verify identity or obtain explicit consent

If an ad includes personal data about an individual, platforms must confirm that the advertiser is actually that person. If they’re not, explicit consent from the data-subject must be obtained. Anything less is unlawful.

3. Block ads without a lawful basis

Where there is no valid Article 9 GDPR condition, including no proof of consent, the ad cannot be published. 

4. Stop unlawful ads from spreading

Platforms must also take reasonable steps to prevent the reappearance or redistribution of ads they’ve already removed. Automated republication, syndication, or copying to other platforms must be prevented.

 

No more safe harbor?

 

Perhaps the most transformative part of the ruling is that the safe-harbor protections of the E-Commerce Directive no longer apply to platforms that facilitate the publication of ads where they play an active role. If a platform controls the presentation, formatting, delivery, or visibility of advertisements, it cannot claim to be a neutral intermediary. And in those circumstances, it cannot rely on Article 2(4) GDPR to escape its responsibilities.

 

Article 2(4) says that if another EU law, such as the E-Commerce Directive, provides an exemption for neutral intermediaries, the GDPR does not override it. But the Court has now made clear that platforms that organise or shape publicity are not neutral intermediaries in the first place. So the exemption simply does not apply.

 

In other words, once you exercise control, you assume accountability.

 

Why this matters

 

This ruling doesn’t just affect online marketplaces. It reaches into the core of every business model built on third-party advertising. That description fits social networks, ad networks, job boards, classifieds, forums, dating apps, mobile apps with “promoted posts,” newsletter platforms that accept third-party ads and more. As long as a platform “facilitates delivery of third-party advertising,” it very likely falls under this new ruling.

 

This could reshape the entire ad-supported internet ecosystem across the EU. Essentially, if you enable the delivery of third-party advertising, you are now part of the data-processing chain and legally responsible for what you publish.

 

The court has effectively redrawn the compliance landscape. Platforms must move from passive hosts to active guardians of the data they help distribute. This means new workflows, new technologies, new policy frameworks, and, in many cases, a complete rethinking of how user-generated advertising is handled.

 

It is a wake-up call for the industry. If you publish ads, you must protect the people inside them.

 

Vinciworks’ new conversational learning course on data protection’s rights and responsibilities puts you at the heart of data protection, turning policy into practical action. Guided by AI-powered experts, it explores how personal data should be handled, shared and stored through realistic workplace scenarios. Try it here.