
Does the host-provider privilege apply to data protection violations?


The CJEU ruling

For the first question, the CJEU finds that the operator of an online marketplace is a controller within the meaning of Art. 4(7) GDPR for personal data contained in the advertisements published on the platform. A platform operator may in particular be regarded as a controller where it “publishes the personal data concerned for commercial or advertising purposes which go beyond the mere provision of a service which he or she provides to the user advertiser”, and where it substantially influences the collection and transmission of the personal data or determines the parameters thereof.

As such, it has the obligation, prior to the publication of the advertisements:

  • to determine whether special categories of personal data, that is, sensitive data within the meaning of Art. 9(1) GDPR, are contained in the advertisement,
  • to verify, in the case of such advertisements, whether the sensitive data relates to the person placing the advertisement, and
  • if that is not the case, to refuse the publication of the advertisement unless the user placing the advertisement can demonstrate that one of the exceptions under Art. 9(2) GDPR applies, such as an explicit consent to the publication of the sensitive data in the advertisement.

These obligations arise from the principles relating to processing (Art. 5 GDPR) and from the requirement of lawful processing (Art. 6 GDPR), together with the duty to implement those principles effectively and to take appropriate measures for that purpose (Articles 24 to 26 GDPR), as well as the specific provisions on sensitive data set out in Article 9 GDPR.

With regard to the identity of the person placing the advertisement, the GDPR requires the controller to demonstrate the lawfulness of the publication. In the present case, this means in particular that, for the sensitive data concerned, explicit consent must on the one hand be obtained and documented. On the other hand, the identity of the individual must be verified in accordance with the principle of accuracy under Art. 5(1)(d) GDPR. The appropriate means of doing so must be determined on a case-by-case basis and depend on the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to the rights and freedoms of the data subject.

Since Russmedia must have been aware that advertisements such as those in this specific case were possible, it was obliged to put measures in place at the design stage of the service to identify such advertisements before publication. According to Art. 25(1) GDPR, appropriate measures must be implemented at the time the means are determined in order to prevent unlawful processing.

Furthermore, the operator of an online marketplace cannot assume that the data subject has consented to the processing of their sensitive data in accordance with Art. 9(2)(a) GDPR solely on the basis of the publication of an advertisement if the identity of the person placing the advertisement is unclear. Consequently, the identity must be established in order to prove that explicit consent has been given. Without sufficient proof of identity or another exception for the processing of sensitive data under Art. 9(2) GDPR, the publication of the advertisement must be refused and this must be ensured by technical and organisational measures.

In addition, as the controller, the operator of an online marketplace is obliged to take technical and organisational measures in accordance with Art. 32 GDPR to prevent published advertisements containing sensitive data from being copied and unlawfully published on other websites.

Art. 32 GDPR establishes a duty of protection for the controller of personal data. Taking into account the state of the art, the controller must take appropriate measures to ensure a level of protection that is appropriate to the risk. In this specific case, sensitive data was processed. This can lead to a particularly serious infringement of the fundamental rights to privacy and the protection of personal data. As soon as an advertisement containing such data is published on the internet, the CJEU states that there is a risk of losing control over the data, which in particular renders the data subject’s right to erasure of their data under Art. 17 GDPR ineffective.

The controller is therefore obliged to take measures to prevent copies or replicas. However, the CJEU points out that uncontrolled dissemination does not automatically mean that the measures taken were not appropriate.

With regard to the second question, the Court held that the operator of an online marketplace, as a controller within the meaning of the GDPR for the personal data contained in published advertisements, may not rely on Articles 12 to 15 of Directive 2000/31/EC, and thus may not rely on the host-provider privilege, where it has infringed:

  • the accountability obligation under Art. 5(2) GDPR,
  • the obligations of the controller under Articles 24 to 26 GDPR and
  • the obligation to ensure the security of processing under Art. 32 GDPR.

The CJEU draws the distinction between the GDPR and the E-Commerce Directive on the basis of Art. 1(5)(b) of Directive 2000/31/EC and Art. 2(4) GDPR.

The first of these provisions states that the Directive does not apply to matters covered by Directive 95/46/EC, which has since been replaced by the GDPR. Accordingly, the rules of the GDPR may not be affected by Directive 2000/31/EC, with the result that the operator of an online marketplace cannot rely on the liability exemption in so far as it falls, as a data controller, under the provisions of the GDPR. The obligations arising from the GDPR likewise do not constitute a general monitoring obligation within the meaning of Art. 15 of Directive 2000/31/EC.

Art. 2(4) GDPR provides that Articles 12 to 15 of Directive 2000/31/EC remain unaffected by the GDPR. According to the CJEU, this merely means that a controller under data-protection law may rely on those provisions in so far as the matter at issue does not concern the protection of personal data.

Data protection assessment

The CJEU’s judgment is once again a landmark decision. Major platforms in particular have so far resisted large-scale deletion of unlawful content and have rejected claims for damages by invoking the host-provider privilege.

The CJEU has now clarified that the provisions, which are now found in Art. 6 DSA, do not prevent liability insofar as the processing of personal data is concerned.

This will also have an impact on the decision of the BGH in the case of Künast v Meta (BGH VI ZR 64/24). Meta had removed a meme about Renate Künast but did not want to remove copies or prevent its further distribution. Künast then sued Meta for injunctive relief and damages. Only the Federal Court of Justice noted that the facts of the case were relevant to data protection law, whereupon it suspended the proceedings until a decision was made in the above-mentioned case. Now that it is no longer possible to invoke the host-provider privilege for data protection violations, there is a good chance that the Federal Court of Justice will grant Künast not only the injunction but also the damages that the Frankfurt Higher Regional Court had previously denied her.

Unfortunately, in the absence of a preliminary question, the CJEU did not comment on the plaintiff’s objection that Russmedia could not invoke the exemption from liability because it was directly involved in the management and distribution of the content, as its provision to the public was subject to a specific analysis of the information by Russmedia. Whether and to what extent, for example, algorithmic curation of user content prevents recourse to the exemption from liability under Art. 6 DSA, based on the ECJ ruling on the electronic version of a newspaper (ECJ ruling of 11 September 2014, C-291/13), therefore remains unclear.

  activeMind.legal
