EU Regulation Evaluation: Picture Rights and False Claims, Information Safety and Middleman Immunity: the case of Russmedia – Cyber Tech

Lorna Woods, Professor
Emerita, College of Essex

Picture credit score: US Division
of Protection

This Grand Chamber judgment of
the Courtroom of Justice in X v
Russmedia Digital and Inform Media Press (Case C-492/23) handed down on
2 December 2025 considerations the scope of knowledge safety rights and middleman
immunity within the context of the non-consensual use of somebody’s picture.  The judgment identifies:

– when somebody has
tasks underneath the GDPR,

– the connection between these
regulatory obligations and middleman immunity, and

– the steps an knowledge controller
may take to fulfill these GDPR obligations.

It has been described as
reshaping the obligations of on-line operators within the EU, whereas others have
questioned how far the factors within the judgments could also be generalised to different
conditions.

Judgment

The Info

Russmedia owns a web based
market on which ads could also be revealed. An unidentified person
posted an commercial falsely representing X as providing sexual providers. The
advert included X’s pictures (although there isn’t any suggestion that these had been
intimate photographs) and telephone quantity, all with out her consent. As soon as notified,
Russmedia eliminated the advert inside an hour however the commercial had been
shared throughout a number of third get together web sites and remained accessible. X sued in
the nationwide courts in respect of her picture rights, rights to status and
knowledge safety rights. The Romanian courts struggled with the query of
whether or not Russmedia may declare the good thing about middleman immunity (underneath the
e-Commerce Directive (Directive
2000/31), provisions now changed by the Digital
Providers Act (DSA)) and the extent of the obligations underneath the GDPR.

Is Russmedia topic to
Obligations underneath the GDPR?

Obligations underneath GDPR come up when
(1) private knowledge are (2) processed by (3) an information controller.

The CJEU commenced its evaluation
by noting the the data contained within the advert about X was private knowledge
for the needs of the GDPR and furthermore that claims about an individual’s intercourse life
(implied within the advert) constituted “delicate” private knowledge as protected by
Article 9 GDPR, and that remained the case whether or not or not the declare was
true.  Classification of the information as
particular class knowledge means that there’s a larger threshold to indicate lawful
processing of these knowledge. 

The Courtroom additional famous that “the
operation of loading private knowledge on a webpage constitutes processing” for the
functions of the GDPR (para 54) and subsequently lined the publication of the
advert.

Whereas this places the advert inside
the scope of the GDPR, its obligations apply to knowledge controllers and
processors, so the query was whether or not, given Russmedia had no management over
the content material of the advert, was it a controller or joint controller? The Courtroom
reiterated earlier jurisprudence to say (para 58) that:

any pure
or authorized one who exerts affect over the processing of such knowledge, for his
or her personal functions, and who participates, because of this, within the dedication of
the needs and technique of that processing, could also be considered a controller in
respect of such processing.

It famous additionally that there could also be
multiple entity which is a controller in respect of processing – that is
the thought of joint controllers, though they might not have equal accountability
relying on the details (para 63).  Joint
determination making just isn’t vital for there to be joint controllers.

Whereas the take a look at for “controller”
requires that the particular person processing the information does so for their very own functions,
the Courtroom added that this might embrace the scenario “the place the operator of an
on-line market publishes the private knowledge involved for industrial or promoting
functions which transcend the mere provision of a service which she or he
supplies to the person advertiser”  (para
66).  The Courtroom on this case pointed to
the truth that the phrases of use give Russmedia “appreciable freedom to take advantage of
the data  revealed on that
market” together with “the precise to make use of revealed content material, distribute it,
transmit it, reproduce it, modify it, translate it, switch it to companions and
take away it at any time” (para 67). Russmedia is subsequently not publishing solely
on behalf of the person inserting the advert. The Courtroom additionally famous that Russmedia
make the information within the advert accessible, permits the inserting of nameless adverts
and units the parameters for the dissemination of adverts (prone to comprise
private knowledge).

On account of discovering that the
advert publishing platform was a joint controller the GDPR obligations chew in
relation to the advert and should be capable of exhibit that the advert is
revealed lawfully, which incorporates the requirement for consent for delicate
knowledge (para 84 and 93) and the requirement for accuracy.  The CJEU notes that when revealed on-line and
accessible to any Web person, such knowledge could also be copied and reproduced on
different web sites, in order that it could be troublesome, if not unattainable, for the information
topic to acquire their efficient deletion from the Web.  The provides to the seriousness of the dangers
dealing with the information topic.

The GDPR additionally requires the
implementation of technical and organisational measures – and this ought to be
thought of within the design of the service in order that such knowledge controllers can
determine adverts containing delicate knowledge earlier than they’re revealed and to
confirm that such delicate knowledge is revealed in compliance with the rules
of the GDPR (para 106).  Additional, the
controller should be sure that there are security measures in place in order that adverts
containing delicate knowledge and never copied and unlawfully revealed elsewhere
(para 122).

Are the GDPR Obligations
Affected by Middleman Immunity?

Whereas the immunity provisions within the
e-Commerce Directive are far-reaching, the e-Commerce Directive specified that
it was to not apply to the
Information Safety Directive (the laws in  power on the time the e-Commerce Directive
was drafted) and that included the immunities; the Courtroom concluded that this
meant the e-Commerce Directive couldn’t intervene with the GDPR. It additionally
specified that GDPR necessities right here can’t be categorized as normal
monitoring (which is prohibited by the e-Commerce Directive (and now the DSA)).

Conclusions, Implications and
Questions

The ruling on this case doesn’t
match current trade observe. It isn’t a bolt out of the blue, nevertheless,
however builds on current jurisprudence (eg Trend ID (Case
C-40/17)).  Whereas the obligations
required of Russmedia on this case might point out, to some, a landmark shift in
the Courtroom’s method, the judgment does depend on the particular details within the case
and, particularly, the purpose that “delicate” knowledge, which successfully requires
express consent, is in concern. In precept, this may very well be related to different
types of delicate content material, notably non-consensual intimate photographs (NCII).
Definitely, it re-emphasises knowledge safety as a route for victims’ redress, if
not stopping hurt within the first place.

The ruling clarifies {that a} vary
of actions sometimes carried out by platforms – structuring, categorizing,
and monetizing person content material, can quantity to figuring out “the needs and means
of processing private knowledge”, the take a look at for accountability as a controller underneath
the GDPR (article 4 GDPR). In taking this method, it differed from the
Opinion of its Advocate-Normal (AG’s Opinion, para 120).  The Courtroom famous that the definition of
controller within the GDPR is broad – and that is to assist the safety of
people’ basic rights to privateness and knowledge safety. As soon as a physique is
a controller, that physique should be capable of exhibit compliance with the information
safety rules, and take applicable technical and organisational
measures to make sure knowledge processing is carried out in accordance with the
GDPR. 

Right here, a number of the factors that the
Courtroom relied on to find out that Russmedia was a joint controller may nicely
be related to different providers and never simply on-line marketplaces. For instance,
many websites have broad phrases of service just like these the Courtroom highlighted
right here; different providers additionally permit nameless posting and a key function of many
providers is the making obtainable of that content material for promoting income
functions, in addition to controlling how content material is promoted. (Observe the choice of
the courtroom in YouTube
and Cyanado (Joined Instances C-682/18 and C-683/18), which instructed that
automated content material curation didn’t imply {that a} service just isn’t impartial, just isn’t
immediately related right here because it pertains to the circumstances for sustaining
middleman immunity – and see Russmedia, AG’s Opinion, para 155)  It’s unclear what number of of those standards want
to be current for a service to represent a controller in relation to the
private knowledge in third get together content material it publishes (although the Courtroom appears to
checklist them as options, suggesting any of them would suffice), or whether or not
much less far-reaching phrases of service could also be ample to cease a platform being a
joint controller.  The place these circumstances
are happy, its influence needn’t be restricted to promoting however to natural
content material containing third get together private knowledge too.

The Courtroom’s affirmation that the
clear wording of the e-Commerce Directive, excluding the Information Safety
Directive (the predecessor laws to the GDPR) from its scope, meant that
an middleman can’t escape its personal knowledge safety tasks doesn’t
have an effect on immunity from legal responsibility in respect of illegal content material.  Observe that this determination was primarily based on the
wording of the e-Commerce Directive. This language has not been carried over to
the DSA, which is expressed to function with out prejudice to, inter alia, the
GDPR. It isn’t clear if or how this might change the Courtroom’s interpretation.
Immunity provisions from the e-Commerce Directive have been carried throughout to
the DSA (albeit with a “carve out” in respect of client regulation in Article 6(3)
DSA). Whereas the EDPB has revealed steerage
on the interaction of the GDPR and the DSA, it has appeared on the query of the
influence of the DSA necessities on knowledge safety reasonably than the influence of
knowledge safety on the DSA.

The judgment means that
providers ought to design checks into their providers to make sure compliance with the
knowledge safety obligations together with pre-publication checks as as to whether
delicate knowledge is included and to verify the identification of the particular person posting the
materials. After all, whereas some types of posts (eg NCII) clearly represent
delicate private knowledge, the outer edges of this class may not be clear
lower. The Courtroom right here famous that the class ought to be interpreted broadly (para
52). It may very well be that a number of the obligations may very well be handed on to the person
importing the advert by way of phrases of service, although this may be able to
being abused by some customers.  Additional, the
CJEU expects the location to stop third get together scraping as far as is feasible –
the judgment doesn’t introduce strict legal responsibility on this regard.  What technical measures could be ample
in observe stays unsure.   That is
very totally different from the reactive response required to keep up immunity underneath
the e-Commerce Directive – and which has been the dominant framing till now.
Assuming the place on immunity doesn’t change, providers might need to
implement new methods, in all probability together with automated instruments and should finally
have an effect on alternative of enterprise mannequin for some providers.

There are questions on how
this ruling impacts the DSA. How does a pre-check system differ from normal
monitoring. Normal monitoring is prohibited underneath Article 8 DSA (although
particular monitoring just isn’t)? The CJEU said that methods to make sure GDPR
compliance couldn’t be categorized as “normal monitoring” (para 132) – however did
not clarify this assertion any additional. There’s an argument to say that each one
content material will have to be scanned to determine that which comprises delicate
private knowledge – and in contrast to checking towards a database of identified CSAM
photographs, for instance, which may be thought of particular monitoring, this can be a
extra open ended obligation. It’s unclear whether or not there are different routes to
pre-check which don’t contain content material scanning.  The necessities to verify whether or not the particular person
posting the private knowledge is the particular person to which the information relates (or is
in any other case lawfully processing) might make, for instance, anonymity troublesome to
preserve and it’s unclear what degree of identification verification could be
acceptable.  There are additionally questions
about how this method of pre-checks impacts the neutrality of the platform and
consequently the likelihood for the platform to say immunity (in respect of
different claims regarding the content material) underneath Article 6 DSA.

The place within the UK could also be
barely totally different, nevertheless. Part 6(1)
European Union (Withdrawal) Act supplies that selections of the CJEU
post-dating 31 December 2020 don’t bind UK courts though they might have
regard to such judgments. The provisions
which might have had the impact of eradicating the standing of binding precedent
from selections of the CJEU made on or earlier than that date have not been
introduced into power (however they continue to be on the statute ebook), because the Labour
Authorities revoked
the related graduation laws. 
Moreover, outdated case regulation from the Northern Irish courts (pre-dating
Brexit), CG
v. Fb, instructed the the e-Commerce Directive (the related regulation
on the time) may apply to knowledge safety claims.