Back to the overview
01-09-2026 Article

CJEU denies hosting safe harbour for GDPR infringements: “Russmedia” increases obligations for platform operators

Data Protection Update No. 227

In its judgment of 2 December 2025 (Case C-492/23 – “Russmedia”), the Court of Justice of the European Union (CJEU) held that hosting providers/online marketplaces cannot rely, in the event of infringements of the GDPR, on the hosting liability exemption known from intermediary liability law (E-Commerce Directive; now reflected in Article 6 DSA). In the CJEU’s view, this exemption, important to the development of services involving user participation, does not reduce the requirements of the GDPR. For operators of user-generated platforms, this increases the pressure to implement preventive GDPR compliance.

Facts

An unknown person published an advertisement on a classifieds platform under the name of the claimant. The ad offered sexual services and used a photo and a telephone number for this purpose. The operator removed the ad after receiving a corresponding notice. By that time, however, the ad had already been copied and disseminated on other websites. The data subject took legal action against the operator, inter alia, for infringements of the GDPR.

Key statements of the CJEU

  1. Platform operators may be controllers of data uploaded by a user.
    In this specific case, the CJEU classified the operator as a controller. The decisive factors included the framework conditions for publication (including structure and presentation) specified by the operator and extensive rights to the content.
  2. No hosting liability exemption for GDPR responsibility. 
    According to the CJEU, the hosting liability exemption does not shield the operator from responsibility under data protection law. Unlike the DSA’s “notice and action” concept, it is therefore not sufficient to react only once the operator has knowledge. Infringements of data protection law should be prevented proactively.
  3. Specific preventive obligations, especially under Article 9 GDPR. 
    Platforms should, prior to publication, identify content that contains special categories of personal data, verify the identity of the person posting it, and assess whether there is a lawful basis (in particular, consent). In addition, appropriate measures should prevent or limit the unlawful copying and dissemination of such content.

Significance for practice

The judgment is likely to affect platforms where users can typically post content relating to third parties, especially in sensitive contexts (sexual content, health-related content, etc.). The decisive factor is less the label (“host provider”) than whether, by virtue of the platform design and rights to the content, the operator appears as an actor that determines (at least in part) the purposes and means of the processing.

What companies should do now

Role and platform-model review: Does your platform design meet the CJEU criteria (rights to content, control over presentation, anonymity, monetisation/commercial exploitation interest)? The results of this review must be documented (accountability).

Pre-upload governance for sensitive content: Detection and escalation processes for potential Article 9 GDPR relevance (text/image/metadata), including a “stop/review” workflow.

Risk-based user verification: Identity verification at least where higher-risk third-party content can be posted; clear evidence and declarations of entitlement/authorisation.

Protection against redistribution: Implement technical and organisational measures (TOMs) to limit copying and reuse, technically and organisationally, especially for sensitive content. In addition, monitoring and response paths should be established.

Ensure DSA processes dovetail properly: The notice-and-action mechanism has proven to be a reliable tool for issue resolution. It enables swift responses to notices and should be used as an additional line of defence alongside preventive GDPR measures.

Conclusion

“Russmedia” significantly strengthens data subjects’ rights and shifts platform compliance towards the pre-publication phase, at least where sensitive third-party content is involved. Operators should now align their platform model and processes so that they can robustly implement preventive GDPR measures and evidence compliance under the GDPR.
 

Download as PDF
Download as PDF

Contact persons

Dr. Philip Kempermann, LL.M.
Düsseldorf

Contact persons

Dr. Philip Kempermann, LL.M.
Düsseldorf

Related articles

01-09-2026
CJEU denies hosting safe harbour for GDPR infringements: “Russmedia” increases obligations for platform operators
01-07-2026
EU Digital Law 2026: An overview of the most important changes
12-22-2025
AI ACT: How do companies need to label AI-generated content?
12-02-2025
EU DIGITAL LAW: What legal obligations will providers of SaaS (Software as a Service) services face in the future?
11-27-2025
Digital Omnibus: What changes in data protection (GDPR) can be expected?
11-14-2025
Bundestag approves NIS2 implementation law – What companies need to know and do now
11-13-2025
Digital Omnibus: EU Commission presents draft
10-28-2025
AI ACT: Should ChatGPT be classified as High-Risk AI?
10-15-2025
EU DIGITAL LAW: Will there be an extension of the deadline for the implementation of the AI Act, the Data Act, and the Cyber Resilience Act (Digital Omnibus)?
10-01-2025
DATA ACCESS WITHIN THE COMPANY GROUP: Are companies permitted to access the IT systems of parent, sister, or subsidiary companies?
09-25-2025
New draft bill for the implementation of the AI Regulation
09-22-2025
Landmark ECJ ruling on the pseudonymization of personal data

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.