Unlike earlier judgements, where platforms benefited from liability privileges under the "notice and takedown" principle, this decision introduces ex-ante review obligations for particularly sensitive personal data under Article 9 GDPR, effectively bringing 25 years of safe harbor protection in the data protection context to an end.
Background: Liability Privilege and Web 2.0
Platforms and publishers benefited from liability privileges originally enshrined in the E-Commerce Directive and now continued under the Digital Services Act. This framework, commonly referred to as the "notice and takedown" principle (Articles 12 to 15), shielded publishers from automatic liability for unlawful content created by users or third parties, provided that they:
- acted solely as technical intermediaries
- did not actively edit or control the content
- did not adopt or modify the content as their own
- removed unlawful content without undue delay upon obtaining knowledge of it
The case: What happened?
In August 2018, an unknown individual published a fake advertisement on pub24, a platform operated by Russmedia Digital. The listing included a manipulated photograph of a woman, falsely portraying her as a sex worker and displaying her mobile phone number. Within one hour, the ad had spread across hundreds of other platforms.
Russmedia removed the advertisement immediately after being contacted by the victim. By that point, however, the further dissemination of the content could no longer be stopped. After seven years of proceedings, the case culminated in the landmark judgment of the European Court of Justice in December 2025.
What did the ECJ decide?
- No liability privilege in data protection matters
The liability privilege under the Digital Services Act (“notice and takedown”) does not apply to data protection violations. Compliance obligations shift to a point prior to publication.
- Joint controllership
Publishers are jointly liable alongside all other parties involved, even where the content originates from anonymous third parties.
- Ex-ante review obligation for sensitive data
Publishers must implement technical and organizational measures to review, prior to publication, content involving data covered by Article 9 GDPR. The standard set by the Court requires publishers to “do everything possible” to prevent the unlawful dissemination of illegal content.
However, this obligation to conduct prior review applies exclusively to sensitive personal data within the meaning of Article 9 GDPR. A general obligation to monitor or review all content would remain impermissible.
Further details on Article 9 GDPR and special categories of personal data can be found in this blog article.
Comparison with other landmark judgments
Parallels to Schrems II
Similarities include:
- the absence of an immediately available technical solution on the market
- a shift of compliance obligations to an earlier stage in the process
- the need to develop new technological approaches
- the creation of market opportunities for compliance solutions
Why Russmedia is more significant
Unlike Schrems II, whose practical impact was politically mitigated through the Trans-Atlantic Data Privacy Framework, the obligations arising from the Russmedia judgment are not based on an international data transfer issue. Instead, they stem from an interpretation of the existing GDPR itself.
This is therefore not a case of temporary legal uncertainty or a regulatory gap, but a fundamental reinterpretation of publisher responsibility under applicable law. As the decision was issued by the Grand Chamber of the European Court of Justice, it is binding on all national courts and will shape future interpretation across all Member States.
Who is affected by the judgment?
Publishers and platforms
The ruling directly affects:
- Online marketplaces: platforms that allow users to publish listings
- News portals with comment functions: websites featuring user-generated content
- Social media platforms: any platform hosting user-generated content that contains personal data
- Review platforms: rating portals where users post content about other individuals
AdTech companies
- Programmatic advertising: the entire chain from DSPs and SSPs to ad exchanges
- Ad servers: systems responsible for delivering advertisements
- DMPs and CDPs: platforms that collect and process data
Broader implications
User-generated content
The judgment extends beyond advertising to all user-generated content containing personal data on:
- social media platforms
- review platforms
- marketplaces
- media comment sections
Household exemption
Article 2(2)(d) GDPR provides an exemption for purely personal or household activities. However:
- applies to: small private groups, typically up to 50 to 100 individuals
- does not apply to: public internet posts reaching broader audiences
Conclusion: Platforms remain fully responsible for public user-generated content.
The decision is more focused than some commentary suggests, yet its implications for data protection law are profound.
Open questions and uncertainties
Technical feasibility
- Can filters reliably detect Article 9 inferences in real-time advertising environments?
- What error rates are acceptable under “state of the art” requirements?
- How can inferences be assessed when they require contextual understanding?
Legal clarity
- Will the scope expand over time beyond Article 9 data?
- How will national courts interpret the requirement to “do everything possible”?
- What constitutes adequate identity verification?
- Are two-banner consent solutions legally sufficient?
Commercial impact
- Will the costs of ex-ante review affect advertising prices on impacted platforms?
- Does this favor traditional publishers with human editorial processes?
- Will smaller platforms be pushed out of the market due to compliance costs?
- Can programmatic advertising survive in its current form?
Scope of application
The Russmedia judgment directly concerns Article 9 data. However, the Court’s interpretation of the GDPR accountability principle has implications beyond special categories of data.
The Court suggests a risk-based approach: the more sensitive the data, the stricter the required safeguards. For example, precise GPS location data would require stronger protective measures than basic user identifiers. This does not mean that publishers have no obligations when processing non-sensitive data; rather, the level of compliance is calibrated to the respective risk.
What comes next
In the second part of this series, we outline concrete implementation strategies: the three core measures publishers should implement now, how programmatic advertising can adapt, and which practical steps should be taken within the next three to six months before enforcement begins.
About this webinar
This article is based on a webinar featuring attorney and data protection expert Tilman Herbrich of Spirit Legal, who analyzed the implications of the Russmedia judgment for the digital advertising industry.