Advocate General Clarifies Online Marketplace Liability in Data Misuse Case

On February 6, 2025, Advocate General Maciej Szpunar of the Court of Justice of the European Union (CJEU) delivered an opinion in Case C-492/23, clarifying the liability of online marketplace operators concerning user-generated content and personal data protection. A vital role here plays the interaction between two EU legal acts, as in E-Commerce Directive and GDPR. The case arose when an unauthorized advertisement, falsely offering sexual services, was posted on a platform run by Russmedia Digital, using an individual’s personal data without consent.

The role of the operator plays a vital role. Advocate General stated that under Art. 14(1) of the E-Commerce Directive, online platforms are generally not liable for user-created content as long as they remain neutral, passive intermediaries, as in do not actively manage or promote content. However, the role of the operator under the GDPR needs to be examined in order to understand the (dual) responsibilities of operators.

Here, for personal data contained within user advertisements, the operator acts as a data processor and might not be required to systematically monitor content before publication. The general obligation to implement appropriate organizational and technical measures to safeguard personal data cannot be understood as determining the operator as controller. Concerning the personal data of registered users, the operator assumes the role of a data controller. In this capacity, the operator takes an active role which requires identity verification for user advertisers and therefore would not fall under the exemption from the E-Directive.

The opinion offers insights on the interaction between EU digital legislations and its applicability, while it also shows the parallel application of personal data protection and a free environment for businesses and consumers in e-commerce. CURIA - Dokumente