17 March 2025
In the proceedings X v Russmedia Digital SRL, Inform Media Press SRL ("Russmedia", Case C-492/23), Advocate General Szpunar delivered his Opinion on 6 February 2025. The proceedings concern four questions on the liability of an online marketplace operator for user content, which the Cluj Court of Appeal referred to the ECJ for a preliminary ruling. The decisive legal issues are the liability exemption under the E-Commerce Directive (Directive 2000/31/EC), the role of an online marketplace operator in data processing under the GDPR (Regulation EU 2016/679) and the interaction of the two legal acts.
In his Opinion the Advocate General confirms that operators of online marketplaces are exempt from liability under Art. 14(1) E-Commerce Directive (Hosting) in their role as neutral intermediaries for user content. They are only liable for user content in the case of actual knowledge and control over it. For the processing of personal data in user adverts, operators are only processors and not controllers within the meaning of Art. 4 No. 7 GDPR. With this assumption, the Advocate General synchronises the two legal acts with regard to the liability of hosting providers for third party content.
The Digital Services Act ("DSA"; Regulation EU 2022/2065) was not yet applicable to this case. However, the Advocate General’s remarks are in large parts transferable to the liability exemptions regulated in it.
The plaintiff in the main proceedings filed an action against the operator of a Romanian online marketplace. She is claiming damages from the operator and asserting a violation of personal rights and data protection.
Registered users can place adverts on the online marketplace. The operator does not check the identity of users when they register. The operator reserves the right to copy, distribute or otherwise utilise user content in its terms and conditions.
The legal dispute was triggered by the fact that a third party placed an advert on the online marketplace against the plaintiff's will. The advert offered the provision of sexual services and contained a photo of the plaintiff as well as her telephone number. The plaintiff reported the advert to the operator, who removed it in less than an hour. In the meantime, the advert in question was uploaded to third party websites. It is unclear whether the operator had passed it on to the third party sites or whether the third party site operators copied the advert from the online marketplace without the operator's knowledge.
The referring court assumes extensive liability of the marketplace operator. It is of the opinion that a notification of the advert was not necessary for the operator to be liable, as the advert was manifestly unlawful and deeply harmful. According to the referring court, the marketplace operator also does not play a neutral role in the provision of the service. This is because it reserves the right to distribute and otherwise use the third party content in its terms and conditions. In terms of data protection law, the referring court assumes that operators of online marketplaces are controllers within the meaning of Art. 4 No. 7 GDPR for the processing of personal data in user adverts.
The Advocate General disagrees with the referring court's assumptions and is in favour of a comprehensive exemption from liability. His comments relating to marketplace operators are likely to be generally applicable to hosting services.
On the basis of the decisions L'Oreal and YouTube and Cyando, the Advocate General confirms that operators of online marketplaces can rely on the exemption from liability under Art. 14(1) E-Commerce Directive as long as they assume a neutral and purely technical role. The wording of the terms and conditions is irrelevant for the categorisation of the role. The only decisive factor is the actual knowledge and control of user information.
The exemption from liability also applies to manifestly illegal and deeply harmful information as long as the service provider has no actual knowledge of it. Such knowledge cannot be presumed. Otherwise, the operator would be subject to an obligation to monitor user content, which would be incompatible with Art. 15(1) E-Commerce Directive.
Finally, to be exempt from liability under Art. 14(1)(b) E-Commerce Directive, it is not enough for hosting service providers to remove illegal information from their own services. If they disseminate information to contractual partners, they must also take appropriate measures to ensure that their contractual partners remove the unlawful information from their websites. As an example of an appropriate measure, the Advocate General names contractual clauses. However, such a requirement to take action does not apply to third parties with whom the hosting service provider has no contractual relationship.
When examining the role of the operator of an online marketplace under data protection law, the Advocate General differentiates between two data processing operations: Data processing when setting up a user account and data processing in the course of uploaded user adverts.
The operator is the controller within the meaning of Art. 4 No. 7 GDPR for data processing when setting up a user account. In this role, the operator is obliged under Art. 25 GDPR to undertake best endeavours to verify the identity of registered users. It must take measures to reduce the risk of abusive identity theft on the marketplace. The Advocate General cites the requesting of a telephone number to confirm registration as an example of such an identity verification measure. This measure could not eliminate the risk of identity theft entirely. However, this is not necessary to fulfil the operator’s obligation, as it is under no obligation to achieve a specific result.
For the processing of personal data in user adverts, i.e. third party content, the operator of an online marketplace is only a processor within the meaning of Art. 4 No. 8 GDPR. Insofar as the operator determines technical and organisational aspects of the processing, these are only non-essential means. As processors, hosting service providers are not obliged to systematically check whether user content is authorised and legal before its publication. Furthermore, they are not obliged to prevent the copying or dissemination of user adverts containing personal data. Pursuant to Art. 32 GDPR, they would only have to take action vis-à-vis their contractual partners, in accordance with the requirements of their exemption from liability pursuant to Art. 14(1)(b) E-Commerce Directive, if those partners have taken illegal adverts from the online marketplace.
At the end of his submissions, the Advocate General makes remarkable comments on the interaction between the E-Commerce Directive and the GDPR. He elaborates that there is an exclusionary relationship between the role as a neutral intermediary within the meaning of Art. 14(1) E-Commerce Directive and a controller within the meaning of Art. 4 No. 7 GDPR: If a provider of information services is to be categorised as a controller under data protection law, it inevitably takes on an active role in the processing of third party information. It would therefore not fall under the exemption from liability of Art. 14(1) E-Commerce Directive. However, this exclusionary relationship is not necessarily transferable to the DSA and the GDPR.
In his final remarks, the Advocate General states that processors under Art. 4 No. 8 GDPR could invoke the exemption under Art. 14(1) E-Commerce Directive with regard to their liability under data protection law. In principle, both legal acts are applicable in parallel, unless the GDPR contains a special provision. Art. 82(3) GDPR does not constitute a special liability provision to Art. 14(1) E-Commerce Directive. This is because Art. 82 GDPR is a provision establishing liability with the possibility of exculpation, whereas Art. 14(1) E-Commerce Directive is an exemption from liability.
The ECJ's decision in the Russmedia case will have far-reaching consequences for the liability of hosting services for user content. Accordingly, in its decision of 18 February 2025, the German Federal Court of Justice (BGH) suspended the proceedings VI ZR 64/24, which concern the liability of Meta for memes with misquotes to the detriment of German politician Renate Künast, until the ECJ's decision. The lower courts had ruled solely on the basis of national law. However, the BGH pointed out that the case may have to be decided on the basis of the interplay between the DSA and the GDPR. If the ECJ follows the Advocate General's Opinion, this would speak against the liability of hosting services for “infringements similar in core”, the legal question at issue in the BGH proceedings. In the opinion of the Advocate General