In early December, the Court of Justice (CJEU) handed down a controversial ruling in Russmedia (Case C-492/23) – indicating that online platforms can no longer confidently rely on EU intermediary liability law for protection against legal responsibility for user content in cases which involve data protection violations. The Grand Chamber held that the defendant company – Russmedia, an operator of an online marketplace in Romania – could be held liable for illegal user content despite having complied with its notice-and-takedown obligations under Article 14 of the E-Commerce Directive.

The Court held that the Directive’s so-called “safe harbour” rules – which are now transposed in the Digital Services Act (DSA) – could not be interpreted to interfere with the regime of the General Data Protection Regulation (GDPR). These rules protect platforms from liability for illegal content posted by their users unless they have knowledge of the content in question and have been given a chance to take it down. Russmedia significantly weakens the intermediary liability protection – but the extent of the damage to the safe harbour remains unclear.

The judgment can be read as having either a broad or narrow application, and the extent of the damage will depend upon how expansively the case is interpreted. Already, different actors are reading the judgment in different ways: European legal scholars, judges, and legislators are likely to interpret the case narrowly, as applying only to “online marketplaces” or even only to a subset of marketplace operators. Digital platforms themselves – largely foreign companies – are likely to read it more expansively, seeing in the Court’s reasoning a potential application to all internet hosting services, since the judgment does not explicitly limit its scope.

Two roads diverged

The case originated when the applicant – a woman who had been harmfully impersonated in an advert posted on Russmedia’s site – having no recourse to the unidentified user who posted the ad – sued the platform not merely for infringements relating to reputational rights, but crucially also for violation of data protection rules. She argued that – in cases where liability was established under other regulatory acts of the EU, like the GDPR – intermediary liability protections should not apply. The third-instance Romanian court referred the case to the CJEU on August 3rd 2023. Fundamentally, in all its questions, the referring court was asking the CJEU for clarity on the relationship between the GDPR and the intermediary liability regime in cases where their requirements appear to overlap or conflict.

The opinion of Advocate General (AG) Szpunar (the Opinion), delivered on February 6th 2025, set out an attractive means for the Court to solve the case by making a granular distinction between different activities of the platform as giving rise to differentiated liabilities as “data controller” and “data processor” under the GDPR. This would have been in line with the interpretations of the Commission (para. 119ff) and the Article 29 Working Party (now, the European Data Protection Board, see for example p. 25 of this Opinion and para. 40ff of their Guidelines). For reasons it largely declined to illuminate, however, the Court rejected the AG’s solution in favour of a road less travelled.

Russmedia, the Court held, as an operator of an online marketplace, was not a mere “processor” but liable as a “data controller” for GDPR purposes in respect to personal data contained within an advert which was maliciously posted on its site. The advert falsely presented the applicant in the main proceedings as offering sexual services online. The site in question – Publi24.ro (Publi24) – is an online classifieds marketplace, in the template of a Craigslist, and the impugned ad – posted by an anonymous and unidentified user – was unfortunately reproduced on other sites before the operator could take it down.

Additionally, the Court places significant weight upon the fact that Russmedia reserved the right in its terms and conditions to reproduce, otherwise manipulate, transfer, or delete user data – a clause which, the Commission and the AG observed, was “not unusual for intermediation services” and was appropriate in view of the “valuable role played by intermediary service providers in preventing illegal online content” (the Opinion, para. 61).

The AG underlined that the referring court’s emphasis on the terms of use distracted from the necessary examination – which must concern “actions actually undertaken by the provider” rather than “terms of use that it does not implement in practice” and which “should be ignored” (para. 58). The AG’s analysis was supported by the Guidelines of the European Data Protection Board which underline that designation of responsibility under the GDPR should be ‘based on a factual rather than a formal analysis’, having regard to facts rather than contractual provisions (see Guidelines para. 21 for example).

Nevertheless, the referring court and the Grand Chamber made repeated reference to this probably innocuous clause, creating a gathering sense that the respective courts were implicating Russmedia in the reproduction of the harmful advert on other websites: an implication which was never supported in the evidence before the Court.

The expansive interpretation

There is much to be said about the ruling which cannot be included in a short article such as this one. Detailed textual analysis will be better hosted at a later date in other venues. Instead, I wish to underline that the judgment will be – in fact, is already being interpreted in at least three different ways which range across a spectrum from the maximal and expansive to the minimal and narrow.

The first interpretation to consider is that of the platforms themselves, which are largely foreign companies. Here, it is relevant to consider what might be the interpretation not only of those “online marketplaces” which the Court explicitly addressed but also those platforms which feel themselves potentially addressed by the reasoning. This interpretation should be treated as important because it is the platforms, and not the public courts, which for practical purposes determine the vast majority of online speech disputes. Therefore, it is the platforms’ perception of legal risk, and the risk-mitigative moderation strategies they employ to cope with risk, which primarily shapes privacy and free expression online.

The platforms’ legal counsel, and American commentators, coming from a more practice-adjacent, legal realist tradition of jurisprudence, will likely parse the Court’s reasoning and find strong intimations that the CJEU’s ratio decidendi – the point which determines a judgment’s outcome and on which a case’s future significance will hang – did not hinge upon the specific nature of Russmedia’s offering but, instead, depended on the fact that Russmedia provided a platform that was used at all to disseminate GDPR-infringing content, particularly the “manifestly unlawful and deeply harmful” content of the kind at issue in the case.

As the Court put it, “by having made its online marketplace, which was used to publish the advertisement at issue in the main proceedings, available to the user advertiser, Russmedia participated in the determination of the means of that publication” (para. 70). Furthermore, “any natural or legal person who exerts influence over the processing ( … ) may be regarded as a controller” (para. 58), “even a person who has an influence, by means of his or her activity of defining parameters” (para. 71). And if one is determined liable as a “controller” in respect of illegal user content, according to the Court, one cannot avail of the Directive’s liability exemption.

Already, in the early discussion online, this expansive view has been suggested by Daphne Keller, former Associate General Counsel at Google and Director of Platform Regulation at Stanford, who brought her considerable practical experience to bear, almost immediately observing through her social channels that the Court might have just “casually dismantled 80% of the DSA” and in so doing “created half a dozen extremely serious fundamental rights problems”.

According to Keller, the decision substitutes “GDPR rules — not notice and takedown rules — for any platform where a user is likely to post images, text, or any other content depicting or referring to other people” and “effectively creates strict liability for any claim against hosts, like defamation or personality rights claims, that can be reformulated as a data protection claim”. Expansive indeed. It should be underlined that Keller’s argument is not that the Court has explicitly stated that its ruling should have this effect, but that the rationale implicit in the Court’s reasoning suggests that it does.

The minimal interpretation

On the other end of the spectrum, from a perspective internal to the European legal community, it will be tempting to hope that this controversial ruling will not affect the safe harbour’s functioning far beyond the facts of the immediate case. Scholars of EU law, judges, legislators, NGOs, and think tanks, are likely to favour interpretations which also support the preservation of legal certainty, the coherence of the Union legal order, the optimisation of the law’s impact on European free speech or privacy, as well as pragmatic interests like the maintenance of good relations with the Luxembourg Court, the scholarly instruction of confused Member State courts, and the simplification of future proceedings in this field.

European commentators, as such, have already begun to take a much narrower view. As a team of practitioners from Bird & Bird advise – though a “literal” reading of the case “may appear” to suggest the expansive reading – “arguably” the decision’s GDPR interpretation could be read as specifically concerning “controller obligations in relation to a specific combination of facts” including “user-generated content containing not only sensitive data but intentionally harmful content of a sexual nature”.

Two points are important in relation to this: first, while the judgment says online marketplace operators “cannot rely” on the safe harbour against claims arising from data protection, there is no indication that the Court’s reasoning is limited to this class or to any particular form of content. The Court’s reasoning about the relationship between the GDPR and the Directive, in paras. 127 through 136, suggest instead the more general argument that it

“follows from a combined reading […] that the provisions of that directive, in particular Articles 12 to 15 thereof, cannot interfere with the regime under that regulation (GDPR)” (para. 135).

Bird & Bird appear to concede this when they accept that a “literal” reading of the judgment suggests the expansive interpretation. This is no criticism of Bird & Bird, however, who would be remiss if they did not mention the minimal interpretation because it is likely to be a reading that European courts, at national level, or at Luxembourg, may find attractive in future, regardless of whether the CJEU implied it or not.

Member State courts, or even succeeding formations of the CJEU, may desire to locate zones of discretion within the judgment. In doing so, they could obscure the Court’s implication that the reasoning applies to all intermediaries, and replace it with the idea that the Court merely intended to rescind the safe harbour where intermediaries host adverts in specific marketplaces where adult or otherwise problematic content is commonly traded.

At the same time, it must be mentioned that succeeding Member State courts may wish to apply Russmedia to achieve the opposite effect: to remove protections from platforms and hold them liable in relation to a much wider variety of user content than has, until now, been permissible. Russmedia will likely furnish these courts with easy tools, even if it means repurposing what some may consider obiter dicta, to remove safe harbour protections in cases which appear to demand a scapegoat for any particularly egregious online speech.

Second, even if the “minimal” reading is correct, it is important to at least attempt to observe such a precedent from the point of view of the platforms seeking to comply. Even if Russmedia only removes the safe harbour protection where platforms carry “intentionally harmful content of a sexual nature”, platforms may be unable to understand how they are to detect such content, and therefore protect themselves from liability, without monitoring all user content to screen for potentially problematic posts.

When one considers the point of view of the platform, therefore, especially in view of DSA Recital 30 which specifies that intermediaries “should not be, neither de jure, nor de facto, subject to a monitoring obligation with respect to obligations of a general nature”, it becomes difficult to understand why the Court so unequivocally asserts that rescinding the safe harbour in respect to GDPR liability “cannot, in any event, be classified as” creating “a general monitoring obligation” (para. 132) which is prohibited by Article 15 of the Directive now transposed to Article 8 DSA.

The in-between reading

Between these interpretations, then, is the view that would restrict the case’s application only to a particular category of platform operators – “online marketplaces” – rather than hosting intermediaries at large. This is the framing which the CJEU has adopted in its communications thus far – in its press release, for example. How the term “online marketplace” will be interpreted remains unsettled, however. Should the term’s interpretation after Russmedia be considered as coextensive with the subcategory of online platforms which “allow consumers to conclude distance contracts with traders”, pursuant to Article 6(3) and Recital 13 DSA? This class of operator may have appeared until now more relevant to a particular type of business-to-consumer marketplace typified by services like Amazon or Zalando, which differ in relevant respects from the more peer-to-peer and unstructured service offered by Russmedia – making it debatable if Russmedia can be defined as an “online marketplace” in this sense.

In addition, whether a social networking service used by certain users to post adverts containing personal data might become exposed to potential liability pursuant to this “In-between reading” of Russmedia also remains unclear. Given that the jurisprudence and travaux préparatoires on Directive Article 14 have, since the beginning, consistently emphasised the need for functional analysis based on the specific activities and services provided rather than upon the designation of the operator as falling into one or another overarching formal category (see, for example, Opinion of AG Jääskinen in L’Oréal v. eBay (2010), para. 147, and EC, Proposal e-Commerce Directive (1998), p. 27, holding that “the distinction as regards liability is not based on different categories of operators but on the specific types of activities undertaken by operators”), there is an argument on this basis to suggest that such services might be exposed.

Judicial de-simplification

Contained within all this interpretative uncertainty is the other definite outcome of Russmedia: it is not just the safe harbour that has been damaged by the judgment, but the legal certainty of the EU’s digital regime as a whole. At a time when the legislature is pursuing simplification, the judiciary has just made everything significantly more complex and unpredictable, confusing things substantially for providers of internet services while supercharging intermediaries’ exposure to liability for user content.

While it may not break the internet, it will serve to further concentrate gatekeeper control in the hands of the American hyperscalers. It will do absolutely nothing to help young European internet companies, including media operations, to get up and running, and the EU legislator should carefully review the Court’s reasoning and consider how to respond. Some form of clarificatory intervention may be warranted because, by rejecting the AG and Commission’s solution without explaining why, the Court has badly confused existing law in this field.