
20 December 2025
Neil Jennings
It might not be a white Christmas, but the CJEU’s recent decision in Russmedia has certainly removed a critical grey zone from GDPR compliance and closed off a long-relied-upon neutrality argument derived from the e-Commerce Directive.
In short: if you operate an online platform that structures, monetises, or otherwise meaningfully shapes user-generated content, the CJEU has made it significantly harder to argue that you are a neutral party for GDPR purposes. Where ‘special category data’ is involved, you cannot rely on uploader warranties and may need to ensure that a valid Article 9 condition (most commonly explicit consent) exists before publishing any special category data.
What happened?
Russmedia operates an online marketplace in Romania, allowing users to upload adverts offering goods and services. In this particular case, an unverified individual posted an advertisement about another individual, advertising sexual services, along with photographs and the individual's phone number. The platform operator quickly removed the content in question, but the CJEU said that wasn’t enough to comply with GDPR obligations, and that Russmedia was considered a controller (and potentially a joint controller) under GDPR. One of a controller's obligations is to have an appropriate lawful basis to process personal data; for special category data (as was published and later removed), the CJEU said Russmedia needed consent before the advertisement was published.
The controller(s) in question
This is the heart of the decision and the CJEU has essentially clarified an unnecessarily murky point of law. Platforms and hosting services may be considered controllers or joint controllers where they determine, in whole or in part, the purposes and means of processing personal data. In actual fact, they always were - such platforms controlled (at least partly) the how and why of personal data usage. The confusion stemmed from the e-Commerce Directive (the precursor to the DSA) that provided hosting services (“mere conduits”) with a liability defence for illegal, defamatory, etc. content where they removed it promptly.
The Court’s reasoning is not that platforms suddenly became controllers, but that they cannot deny controller responsibility where they shape the conditions under which personal data is made public. The reality? The Russmedia decision does not introduce new categories of GDPR obligation; rather, it clarifies how existing obligations apply in practice and removes a long-standing ambiguity.
Controller obligations
Technically, very little, aside from an element of certainty and an indication that certain GDPR obligations might begin to be enforced. So the ‘just a host’ position disappears, and the required paper trail will become more important.
The main change is that controller obligations are now more certain, which means the platform / host / intermediary service must (i) now ensure they have the correct paper trail and controls in place, and (ii) where there is Art 9 data, obtain explicit, freely given and informed consent from the data subject before publication.
What didn’t change?
Actually very little. The territorial scope under GDPR remains the same, as does the general GDPR framework under which controllers and processors must operate. The Russmedia decision does not put in place a universal content moderation duty outside of the DSA, and there is no blanket KYC requirement for all personal data.
What did change?
Again, also very little. The main issue was not a change, but a clarification. Yes, the clarification will probably come with increased scrutiny, but the law remains the same. Simply put:
The main operational change (but not legal change) is in relation to special category data. Where an intermediary service publishes such data, because they must have a lawful basis to process this personal data as a joint controller, they must obtain the data subject’s explicit, freely given and informed consent. This is instead of requiring the uploader to confirm the data subject’s consent.
What about the Digital Services Act?
The Russmedia case does not relate to the DSA, other than clarifying that the DSA’s precursor legislation (e-Commerce Directive) does not prevent the GDPR from applying. So an intermediary service can still be subject to both GDPR joint controller obligations and DSA obligations at the same time. In the Russmedia case, the prompt removal of offending content removes liability under the DSA, but does nothing in relation to GDPR compliance. The Russmedia decision confirms that purely reactive notice-and-takedown is no longer effective to comply with GDPR when it comes to Art. 9 data.
Why does this matter now?
We have seen numerous GDPR enforcement actions this year. Legally, geopolitically, and from a consumer perspective, data protection is more important than ever. Following this decision, three things are clear:
This content is informational only and not legal advice. GLF is not a law firm regulated by the SRA.