Online marketplaces ‘must verify ads data’
Lawyers at Pinsent Masons say that a recent ruling by the EU’s highest court is likely to have “major implications” for data protection across the 27 member states.
The Court of Justice of the European Union (CJEU) ruled that online marketplaces were responsible for verifying personal information in ads.
The court found that marketplace platforms were data controllers under the GDPR when they processed personal data for their own commercial purposes, putting a legal responsibility on their operators to vet adverts in advance.
Proactive responsibilities
Pinsent Masons says that the decision means that marketplace sites have proactive responsibilities for user-generated content that may contain personal data – especially if that information is of a sensitive nature.
According to the firm, it also means such websites must now screen and verify all ads before publication, rather than post-moderating them after complaints, if they contain sensitive information.
They will also need to obtain consent from anyone whose sensitive information is in the advert if they are not the person placing it.
"The ruling confirms that operators of online marketplaces are directly responsible for ensuring that personal data in advertisements is identified and verified before publication, setting a new standard for data-protection compliance across the EU,” said Nienke Kingma, an expert on data protection and privacy with Pinsent Masons.
Case concerned Romanian operator
The ruling came after Romanian website operator Russmedia Digital published an advert on one of its websites on 1 August 2018 advertising sexual services from a woman, along with photographs of her and her phone number. The woman said that this was untrue and harmful, and demanded its removal.
The company took the advert down within an hour, but it had already appeared on other websites, where it remained accessible.
As a result, the woman took Russmedia to court, and the Court of First Instance of Cluj-Napoca ordered the company to pay €7,000 in damages.
A specialised court in Romania overturned that decision, describing the company as a hosting service and ruling it was not liable. After an appeal by the woman, however, the court of appeal referred the case to the CJEU for guidance on EU law and how the website related to GDPR obligations.
Limits on exemptions
Pinsent Masons says that the CJEU ruling means that marketplace operators will not be able to rely on the EU’s e-commerce directive, which provides for liability exemptions for hosting providers, in future.
The firm says that the ruling requires such operators to take steps to stop sensitive adverts from being copied and republished elsewhere.
Thijs Kelder, an EU technology law expert with Pinsent Masons said that the ruling “fundamentally changes the compliance landscape” by placing the most explicit limits on the e-commerce directive’s liability exemptions to date.
“It also increases the operational risks on these platforms, meaning more robust risk-management procedures will need to be implemented by the operators,” he stated, adding that further analysis of the judgment was needed to determine the full extent of its implications.