A case note on the recent judgment of the Court of Justice of the European Union in Case C-492/23 (Russmedia) has been published in the legal journal Law of Technology and Communications (DiTE) (Issue 4/2025), in Greek. The decision significantly reshapes the regulatory framework governing the liability of online platforms under the General Data Protection Regulation (GDPR).
Background of the Case
The case concerned the publication of a false online advertisement containing personal data without the data subject’s consent. The CJEU was asked to clarify whether the operator of an online platform may qualify as a controller and to define the scope of its obligations in such circumstances.
Key Findings
In its judgment, the Court:
- broadened the concept of controller, confirming that platforms may qualify as joint controllers together with their users,
- further specified the obligations arising from Articles 24, 25 and 32 GDPR,
- introduced enhanced ex ante compliance obligations, and
- ruled out the applicability of hosting safe harbour exemptions in the context of GDPR infringements.
Practical Implications
The judgment marks a clear shift from the traditional notice-and-takedown approach towards a model of proactive compliance.
In practice, digital service providers are expected to:
- integrate privacy by design mechanisms at the development stage of their services,
- implement tools for identifying and managing content involving personal data,
- strengthen user identification and risk management processes, and
- reassess their overall GDPR compliance strategies.
This development is expected to have a significant impact on marketplaces, content-sharing platforms and digital service providers more broadly.