Online marketplaces must vet ads for personal info, rules CJEU

The Court of Justice of the European Union (CJEU) ruled that marketplace platforms are data controllers under the GDPR when they process personal data for their own commercial purposes, putting a legal responsibility on their operators to vet adverts in advance.

The decision means marketplace sites have proactive responsibilities for user-generated content which may contain personal data - especially if that information is of a sensitive nature - and means such websites must now screen and verify all ads before publication, rather than post-moderating them after complaints, if they contain sensitive information.

They will also need to obtain consent from anyone whose sensitive information is in the advert if they are not the person placing it.

"The ruling confirms that operators of online marketplaces are directly responsible for ensuring that personal data in advertisements is identified and verified before publication, setting a new standard for data protection compliance across the EU,” explained Nienke Kingma, an expert on data protection and privacy with Pinsent Masons.

“This carries significant implications to remain compliant.”

The ruling comes after Romanian website operator Russmedia Digital published an advert on one of its websites on 1 August 2018 advertising sexual services from a woman, along with photographs of her and her phone number. The woman said this was untrue and harmful, and demanded its removal.

The company took the advert down within an hour, but it had already appeared on other websites where it remained accessible.  As a result, the woman took Russmedia to court, and the Court of First Instance of Cluj-Napoca ordered the company to pay €7,000 in damages.

A specialised court in Romania overturned that decision, describing the company as a hosting service and ruling it was not liable, but after an appeal by the woman, the court of appeal referred the case to the CJEU for guidance on EU law and how the website related to GDPR obligations.

The CJEU ruling means marketplace operators will not be able to rely on the e-Commerce directive for liability exemptions in future, and requires them to take steps to stop sensitive adverts from being copied and republished elsewhere.

Companies operating in that space will now need to put in place processes to make sure they scan ads for personal data and can confirm that the ad is compliant with the new regime created by the court ruling.

"This judgment makes clear that online marketplaces cannot avoid their obligations under the GDPR by relying on the liability exemptions for hosting providers in the e-Commerce Directive,” said Thijs Kelder, an EU technology law expert with Pinsent Masons.

“This ruling fundamentally changes the compliance landscape by placing the most explicit limits on the e-Commerce Directive’s liability exemptions to date.

“It also increases the operational risks on these platforms, meaning more robust risk management procedures will need to be implemented by the operators.”

Further analysis of the judgment will be required to determine the full extent of its implications, which will ultimately depend on a full comprehensive examination of the judgment and on how data protection authorities, courts, and online marketplaces choose to interpret and implement the new requirements in practice, he said.