EU Court Ruling Forces Marketplaces to Verify User Data Before Publishing: Is Your Platform Compliant?
Does your online marketplace publish user-generated listings without verifying the personal data they contain? A landmark ruling from the Court of Justice of the European Union in Russmedia Digital (C-492/23) just fundamentally changed how platforms must handle personal data - and the compliance burden is substantial.
Marketplaces Are Now Data Controllers
The Court ruled that marketplace operators qualify as data controllers under the General Data Protection Regulation (GDPR) for personal data contained in user-posted listings - even when platforms neither create the content nor know the advertiser’s identity. The rationale? By deciding to make listings public and exploiting them commercially, platforms exercise control over personal data processing.
This isn’t a minor technical clarification. It’s a categorical rejection of the passive intermediary defense that many platforms have relied upon.
What does this mean? A data controller is the entity that determines why and how personal data is processed - and bears primary legal responsibility for compliance. Previously, many platforms argued they were merely data processors (entities that process data on behalf of controllers) or passive hosts with no active role.
What You Must Do Now
Assess Joint Controllership: You must evaluate whether a joint controllership relationship exists with users posting listings under Article 26 GDPR. This requires formal arrangements defining each party’s responsibilities and ensuring data subjects (the individuals whose personal information is being processed) can exercise their rights against either controller.
Implement Mandatory Pre-Publication Verification: Before publishing any listing, your platform must:
Identify whether it contains special category data (Article 9(1) GDPR - health data, racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, sexual orientation, etc.)
Verify if the advertiser is the data subject themselves
Confirm explicit consent from the data subject if they’re not the advertiser
Refuse publication without explicit consent or another valid Article 9(2) legal basis
Why is special category data important? This type of sensitive personal data receives extra protection under GDPR because its misuse could lead to discrimination or harm. For example, a job listing that mentions someone’s health condition or a rental ad revealing religious preferences would contain special category data.
Deploy Enhanced Security Measures: Article 32 GDPR compliance now demands technical tools to prevent or limit unlawful copying and republication of sensitive data by third parties. Passive hosting is no longer sufficient.
The Compliance Reality Check
The Court explicitly rejected Advocate General Szpunar’s opinion that would have treated platforms as mere data processors without proactive verification duties. This represents a fundamental shift toward active gatekeeping obligations.
For major platforms like Facebook Marketplace and regional marketplaces such as Avito, Le Bon Coin, and Njuškalo, the operational implications are staggering. How do you systematically screen millions of listings for special category data before publication? What verification mechanisms can confirm advertiser identity and consent at scale?
Your Action Plan
If you operate classified ads, rental listings, job boards, or any user-generated marketplace:
Audit immediately: Review your current publication workflow. Do you have any pre-publication screening for personal data?
Implement technical controls: Deploy automated detection systems for special category data and identity verification mechanisms.
Update legal documentation: Revise terms of service, privacy policies, and user agreements to reflect joint controllership arrangements.
Train your team: Ensure content moderation teams understand GDPR obligations and can identify special category data.
The question isn’t whether this ruling affects your platform - it’s whether you can implement compliant verification processes before enforcement actions begin. Organizations that continue operating under the old passive intermediary model face significant regulatory risk and potential fines up to €20 million or 4% of global annual turnover - whichever is higher.
The era of “we’re just a platform” is over. Are you ready for active data stewardship?