EU’s top court rules that online marketplaces are responsible for processing of data in ads

The European Union’s top court on Tuesday ruled that online marketplaces should be considered data controllers under the General Data Protection Regulation (GDPR), a determination which means they must get consent from any person whose data appears in an advertisement they run.

The decision means marketplace sites must now screen and verify all ads before publication, particularly when they contain sensitive data.

The ruling stems from a 2018 case in Romania involving an online marketplace which published a fake ad featuring personal information belonging to a woman the ad placer said was a prostitute.

The advertisement contained the woman’s phone number and photographs, which were used without her consent. She asked the website owner, Russmedia Digital, to remove the ad, which was done within an hour of her request. By that point, however, the ad had appeared on other websites.

“The operator of an online marketplace is responsible for the processing of personal data contained in advertisements published on its platform,” a Court of Justice for the European Union press release stated. 

“In that context, it must in particular identify, before publication, advertisements that contain sensitive data and verify that the advertiser is actually the person whose data appear in such an advertisement or that the advertiser has the explicit consent of that person.”

Experts called the decision significant. 

Data protection lawyers at Pinsent Masons predicted in a blog post that the ruling “will likely have major implications for data protection across the 27 member states” inside the European Union.

"The ruling confirms that operators of online marketplaces are directly responsible for ensuring that personal data in advertisements is identified and verified before publication, setting a new standard for data protection compliance across the EU,” Nienke Kingma, an expert on data protection and privacy with Pinsent Masons, said in the blog post.

“This carries significant implications to remain compliant.”

Daphne Keller, the director of platform regulation at the Stanford Law School program in law, science and technology, said on LinkedIn that she “truly can't imagine how hosting sites can comply.” Keller predicted many small sites will shut down in the wake of the ruling.

The CJEU “created half a dozen extremely serious fundamental rights problems,” Keller said. “This has major implications for free expression and access to information, age verification and privacy, anonymous speech, and possibly private communications.”