Provisional text

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 6 February 2025 (1)

Case C‑492/23

X

v

Russmedia Digital SRL,

Inform Media Press SRL

(Request for a preliminary ruling from the Curtea de Apel Cluj (Court of Appeal, Cluj, Romania))

( Reference for a preliminary ruling – Approximation of laws – Electronic commerce – Directive 2000/31/EC – Protection of personal data – Regulation (EU) 2016/679 – Liability of intermediary service providers – Information society service provider also acting as personal data controller – Liability – Scope )

I.      Introduction

1.        The questions referred for a preliminary ruling in the present case concern the provisions of Directive 2000/31/EC (2) and Regulation (EU) 2016/679. (3)

2.        Those questions have arisen in a dispute between an individual and the operator of an online marketplace on which an advertisement was published, without the individual’s consent, indicating that that individual was offering sexual services. The unique aspect of this case is that the advertisement in question contained personal data.

3.        By its questions, which relate to the GDPR, the referring court is seeking to determine in that regard, first, whether the operator of an online marketplace such as that at issue in the dispute in the main proceedings has failed to fulfil its obligations under that regulation and, second, whether such an operator can be considered eligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31 in respect of an advertisement published on that online marketplace. The present reference for a preliminary ruling therefore gives the Court the opportunity to give a ruling on the relationship between the systems established by those two instruments of EU law.

II.    Legal context

A.      European Union law

1.      Directive 2000/31

4.        Article 1 of Directive 2000/31, headed ‘Objective and scope’, states in paragraph 5, inter alia, that it ‘shall not apply to … questions relating to information society services covered by Directives 95/46/EC ^[(4)^] and 97/66/EC ^[(5)^]’.

5.        Articles 12, 13 and 14 of the directive, which appear in Section 4 – headed ‘Liability of intermediary service providers’ – of Chapter II of that directive, which is itself headed ‘Principles’, refer to an information society service provider that exercises, respectively, a ‘mere conduit’ activity, a type of storage called ‘caching’ or a hosting activity. Those provisions also establish the conditions under which such service providers are exempt from liability for information provided by users of their services.

6.        Article 14(1) of that directive, headed ‘Hosting’, provides:

‘Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:

(a)      the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or

(b)      the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.’

7.        Article 15 of that directive, headed ‘No general obligation to monitor’, provides:

‘1.      Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.

2.      Member States may establish obligations for information society service providers promptly to inform the competent public authorities of alleged illegal activities undertaken or information provided by recipients of their service or obligations to communicate to the competent authorities, at their request, information enabling the identification of recipients of their service with whom they have storage agreements.’

2.      The GDPR

8.        Article 2 of the GDPR, headed ‘Material scope’, provides, in paragraph 4:

‘This Regulation shall be without prejudice to the application of [Directive 2000/31], in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that directive.’

9.        Article 4 of that regulation, headed ‘Definitions’, reads as follows:

‘For the purposes of this Regulation:

…

(7)      “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8)      “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

…

(11)      “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

…’.

10.      Article 5 of that regulation, headed ‘Principles relating to processing of personal data’, provides:

‘1.      Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (“purpose limitation”);

…

(f)      processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2.      The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

11.      Article 6 of that regulation, headed ‘Lawfulness of processing’, provides in paragraph 1:

‘Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

…’.

12.      Article 7 of the GDPR, headed ‘Conditions for consent’, provides, in paragraph 1:

‘Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.’

13.      Articles 24 to 26 of that regulation can be found in Section 1 – headed ‘General obligations’ – of Chapter IV of the regulation, which is itself headed ‘Controller and processor’.

14.      Article 24 of that regulation, headed ‘Responsibility of the controller’, states, in paragraph 1:

‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.’

15.      Article 25 of that regulation, headed ‘Data protection by design and by default’ provides, in paragraphs 1 and 2:

‘1.      Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2.      The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.’

16.      Article 26 of the GDPR, headed ‘Joint controllers’, states, in paragraph 1:

‘Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.’

B.      Romanian law

17.      Article 11 of Legea nr. 365/2002 privind comerțul electronic (Law No 365/2002 on electronic commerce) of 7 June 2002, (6) as amended by Legea nr. 121/2006 pentru modificarea și completarea nr. 365/2002 privind comerțul electronic (Law No 121/2006 amending and supplementing Law No 365/2002 on electronic commerce) of 4 May 2006 (7) (‘Law No 365/2002’), provides as follows:

‘1.      Service providers shall be subject to the legal provisions governing civil and criminal liability and liability for administrative offences, unless otherwise provided for in this law.

2.      Service providers shall be liable for information supplied by them or on their behalf.

3.      Service providers shall not be liable for information transmitted or stored or to which they provide access under the conditions laid down in Articles 12 to 15.’

18.      Article 14 of that law, headed ‘Permanent storage of information, hosting’, provides:

‘1.      Where an information society service consists of the storage of information provided by a recipient of that service, the provider of that service shall not be liable for the information stored at the request of a recipient if either of the following conditions is met:

(a)      the service provider is not aware of the illegal nature of the activity or of the information stored and, as regards claims for damages, is not aware of facts or circumstances from which it would follow that the activity or information in question could infringe the rights of a third party;

(b)      if the service provider becomes aware of the illegal nature of the activity or information concerned or of facts or circumstances from which it would follow that the activity or information in question could infringe the rights of a third party, the service provider acts expeditiously to remove it or to block access to it.

2.      The provisions of paragraph 1 shall not apply where the recipient is acting under the authority or the control of the service provider.

3.      The provisions of this article shall not affect the right of a judicial or administrative authority to require that the service provider terminate or prevent a data breach, or to establish government procedures to restrict or terminate access to information.’

III. The facts of the dispute in the main proceedings, the questions referred and the procedure before the Court

19.      Russmedia Digital SRL (‘Russmedia’), a company incorporated under Romanian law, is the owner of the online marketplace www.publi24.ro on which advertisements for, inter alia, the sale of goods or the provision of services from various locations in Romania can be published, either free of charge or for a fee.

20.      On 1 August 2018, an unidentified person published an advertisement on that online marketplace, the content of which was disparaging and offensive towards the appellant in the main proceedings, in that it stated that that individual offered sexual services (‘the advertisement at issue’). That advertisement contained photographs of the appellant in the main proceedings, which had been used without her consent, originating from the account she held lawfully on a social networking site, along with her telephone number. The identity of the person posting that advertisement was not verified prior to publication. When contacted by the appellant in the main proceedings, Russmedia removed the advertisement from its online marketplace less than an hour later. However, the same advertisement has been placed online, indicating the original source, by other websites with advertising content, where it can still be accessed.

21.      Arguing that the advertisement at issue infringed her rights, the appellant in the main proceedings brought an action against Russmedia.

22.      The Judecătoria Cluj-Napoca (Court of First Instance, Cluj-Napoca, Romania) upheld that action and ordered Russmedia, on the basis of Article 253 of the Romanian Civil Code, (8) to pay the appellant in the main proceedings the sum of EUR 7 000 in respect of non-material damage caused to her by the infringement of her right of personal portrayal and right to honour and reputation, the breach of her right to privacy, and the improper processing of her personal data. That court took the view that the advertisement at issue constituted a failure by Russmedia to meet the obligations imposed on it by the GDPR. That court held that the fact that Russmedia had authorised the online publication and subsequent dissemination of the advertisement had seriously infringed the rights of the appellant in the main proceedings.

23.      The Tribunalul Specializat Cluj (Specialised Court, Cluj, Romania) upheld Russmedia’s appeal, ruling that the action brought by the appellant in the main proceedings was unfounded on the grounds that Russmedia was not the author of the advertisement at issue. The court held that Russmedia was merely providing a service for storing advertisements, without being actively involved ‘in the content’ of those advertisements and that, in those circumstances, the exemption from liability provided for in Article 14(1) of Law No 365/2002 was therefore applicable.

24.      According to the appeal court, Russmedia removed the advertisement at issue from its online marketplace less than an hour after being contacted by the appellant in the main proceedings. That court found that Russmedia was exempted from liability for the damage claimed since that company was not the author of the advertisement concerned and had blocked it – having regard to Article 11(3) and Article 14(1)(b) of Law No 365/2002 – as soon as it became aware that it could potentially infringe the rights of the appellant in the main proceedings.

25.      With regard to the data controller’s obligation to verify, before publishing an advertisement, whether the author of the advertisement has the right to use the personal data contained in that advertisement, the appeal court then held that Article 11 of the implementing rules for Law No 365/2002 was applicable. According to that provision, a provider of information society services is not required to check the information stored. (9)

26.      Finally, the appeal court held that Russmedia could not be criticised for failing to take steps to prevent the advertisement at issue from being distributed online. In the court’s view, the service provided consisted of publishing that advertisement and the measures to block public access to it were implemented as soon as the appellant in the main proceedings alerted Russmedia. Consequently, the court held that Law No 365/2002, which exempts the company from liability for non-material damage caused by the content of advertisements posted on www.publi24.ro by users, was applicable in the present case.

27.      The appellant in the main proceedings brought an appeal against that decision before the Curtea de Apel Cluj (Court of Appeal, Cluj) which is the referring court.

28.      In that appeal, the appellant in the main proceedings submits, inter alia, that Law No 365/2002 is not a special law in relation to the GDPR and that, consequently, the appeal court should have analysed Russmedia’s liability from the point of view of the provisions of that regulation.

29.      Furthermore, the appellant in the main proceedings states that Russmedia’s role was not limited to providing customers with the specific technical means of accessing the hosting server. She submits that it also played a management role, intervening in the content of advertisements to ensure good information management. That company, as manager of the website in question, stored and processed the information content. Processing and storing the data and making them available to the public in a certain form involves both an analysis of the data and information contained in the advertisements and the management of those data and information, which is necessary to guarantee easy access to the public, and that indicates the direct involvement of that company. Consequently, Article 14 of Law No 365/2002 is not applicable in the present case. The appellant in the main proceedings also submits that the exemption from liability provided for in that provision does not apply if liability is established under other statutory instruments, such as the GDPR, which she believes is the case here.

30.      The referring court allowed the appeal, holding that the Tribunalul Specializat Cluj (Specialised Court, Cluj) had failed to consider the applicability of the provisions of the GDPR to the circumstances of the case, set aside the judgment on appeal and retained the case with a view to issuing a new appeal ruling.

31.      In that regard, the referring court states that it believes there is no obligation for operators of online marketplaces to carry out prior verification of advertisements published by users. However, the court observes that, according to the judgment in L’Oréal and Others, (10) only an operator of an online marketplace that does not play an active role consisting in providing assistance in order to optimise the presentation of the offers for sale or to promote those offers can rely on the exemption from liability referred to in Article 14(1) of Directive 2000/31. Furthermore, in accordance with that judgment, (11) the operator of an online marketplace cannot rely on that exemption from liability if it was aware of facts or circumstances on the basis of which a diligent economic operator should have realised that the offers for sale in question were unlawful and, in the event of it being so aware, failed to act expeditiously. In the same vein, according to the judgment in Papasavvas, (12) a newspaper publishing company which operates a website on which the online version of a newspaper is posted cannot rely on that exemption from liability since it has knowledge of the information posted and exercises control over that information.

32.      The referring court observes that the case-law of the Court refers only to offers posted online that were held to be illegal because of an analysis of facts and circumstances expressly communicated to the data controller after the advertisement in question had been published. However, the Court has never had occasion to consider a situation such as that existing in the present case. The unique aspect of the case in the main proceedings lies in the fact that the content of the advertisement published by a user who was not identified at the time the matter was brought before the court was manifestly unlawful and deeply harmful to the data subject. Accordingly, the referring court considers that it was not necessary to provide notification to the controller in order to grasp and analyse the potentially unlawful nature of the information published.

33.      In addition, the referring court draws attention to the fact that the advertisement at issue, although deleted from the Russmedia website on which it was originally published following notification from the appellant in the main proceedings, has been reproduced in its entirety by numerous other websites, along with all the data and photographs of the appellant in the main proceedings and indicating the original source, without any protection measures concerning personal data. The damage has therefore become permanent and is still continuing today.

34.      Furthermore, the referring court observes that the sexual services referred to in the advertisement at issue and allegedly offered by the appellant in the main proceedings could be associated with serious offences punishable under the Romanian Criminal Code, such as procuring and human trafficking.

35.      Lastly, the referring court highlights the fact that, in view of the terms and conditions of use of its online marketplace, Russmedia does not appear to be a mere passive user of the data. Although that company does not claim any right of ownership over the content provided, published, uploaded or transmitted, it nevertheless retains the right to use the content, including the right to copy it, distribute it, transmit it, publish it, reproduce it, modify it, translate it, transfer it to partners and remove it at any time, without the need for any reason for doing so.

36.      Therefore, the Curtea de Apel Cluj (Court of Appeal, Cluj) ruled, by decision of 15 June 2023, received at the Court Registry on 3 August 2023, to stay the proceedings and refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Do Articles 12 to 14 of [Directive 2000/31] also apply to a storage and hosting information service provider that makes available to users a website on which free or paid advertisements may be published, which claims that its role in publishing users’ advertisements is purely technical (making the platform available), but which, through the general terms and conditions of use of the website, indicates that it does not claim ownership over the content that is provided, published, uploaded or transmitted, yet retains the right to use the content, including by means of copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and removing it at any time, without the need for any reason for doing so?

(2)      Must Article 2(4), Article 4(7) and (11), Article 5(1)(f), Article 6(1)(a), Articles 7, 24 and 25 of [the GDPR] and Article 15 of [Directive 2000/31] be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify before publishing an advertisement whether the person publishing the advertisement and the owner of the personal data referred to in the advertisement are the same person?

(3)      Must Article 2(4), Article 4(7) and (11), Article 5(1)(f), Article 6(1)(a), Articles 7, 24 and 25 of [the GDPR] and Article 15 of [Directive 2000/31] be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify in advance the content of advertisements published by users, in order to exclude advertisements which are potentially unlawful in nature or likely to infringe a person’s private and family life?

(4)      Must Article 5(1)(b) and (f), Articles 24 and 25 of [the GDPR] and Article 15 of [Directive 2000/31] be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to apply safeguards which prevent or limit the reproduction and redistribution of the content of the advertisements published through it?’

37.      The Romanian Government and the European Commission submitted written observations. The appellant in the main proceedings and the Commission were represented at the hearing held on 2 July 2024.

IV.    Analysis

38.      The first question seeks to establish whether Russmedia is able to rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31, while the second, third and fourth questions relate to whether that company has failed to fulfil its obligations under the GDPR.

39.      In the past, the Court has indicated that Article 14(1) of Directive 2000/31, which is the subject of the first question, seeks to restrict the situations in which intermediary service providers may be held liable pursuant to the applicable national law. (13) In view of the development of EU law in that area, I am of the opinion that the exemption from liability laid down in that provision should also apply where a service provider is held liable on the basis of EU law or national provisions transposing EU law. (14)

40.      The order for reference suggests that Russmedia could have liability in the main proceedings based on a breach of the GDPR. (15) Given that circumstance, it might seem desirable a priori to analyse first the second, third and fourth questions, by which the referring court seeks to establish whether Russmedia has failed to fulfil its obligations under the GDPR. However, for the sake of clarity, I will examine the questions in the order in which they are posed. I will therefore begin by analysing the issue raised by the order for reference from the perspective of Directive 2000/31, and will then move on to examine that issue from the viewpoint of the GDPR. Lastly, in the final section of my analysis, I will examine the interactions between that regulation and that directive.

41.      All the questions referred for a preliminary ruling in fact concern the more fundamental question of the relationship between the provisions of Directive 2000/31 and those of the GDPR. I will examine that question after identifying the relevant provisions of those two instruments of EU law, because the legal characterisations, based on the categories provided for by those instruments, lie at the heart of the four questions referred for a preliminary ruling.

A.      The first question referred

42.      By its first question, the referring court seeks to determine whether Article 14(1) of Directive 2000/31 must be interpreted as meaning that the provider of an information society service that makes available to users an online marketplace on which free or paid advertisements can also be considered eligible for the exemption from liability provided for in that legal provision where that provider indicates, in the general terms and conditions of use of its online marketplace, that, while it does not claim any right of ownership over the content that is provided, published, uploaded or transmitted, it nonetheless retains the right to use that content, including by means of copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and removing it at any time, without the need for any reason for doing so.

43.      I will therefore analyse that question (Section 1) which, in essence, seeks to determine whether Russmedia can be characterised as an ‘intermediary service provider’ that can, a priori, rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31. In so far as the referring court also appears to have doubts as to whether, in view of the unique aspects of the main proceedings, the conditions required under that provision for a party to be exempt from liability in a specific case are satisfied in the present case, I will also analyse that question for the sake of completeness (Section 2).

1.      The concept of ‘intermediary service provider’

(a)    The scope of the question and the premiss on which it is based

44.      I think it is important to highlight both the premiss underlying the first question and its scope.

45.      In that respect, in the first place, as I have already observed, (16) Articles 12, 13 and 14 of Directive 2000/31 provide for exemptions from liability applicable to services provided by information society service providers that exercise, respectively, a mere conduit activity, caching or hosting.

46.      Although the first question refers to those three provisions, the referring court suggests that Russmedia is providing a service that consists of hosting information supplied by users. Furthermore, Article 14 of Law 365/2002, the applicability of which has been debated before the national courts, (17) appears to be a transposition of Article 14 of Directive 2000/31, which concerns hosting services. I therefore consider that the first question refers to that provision of EU law and that the working assumption of the referring court is that the service provided by Russmedia constitutes an information society service and consists, in principle, of hosting information provided by users of its online marketplace.

47.      In the second place, with regard to the scope of the first question, the cautious wording of that question suggests that the referring court is not ruling on the role played by Russmedia in the provision of its hosting service. Indeed, it is clear from the question that the statement describing Russmedia’s role as purely technical is taken from the company’s own assertions. (18) Although the referring court does not appear to challenge that assertion, I will nevertheless address it, as its merits are strongly contested by the appellant in the main proceedings. (19)

48.      In the third place and lastly, the referring court states that Russmedia ‘does not appear to be a mere passive user of the data (intermediary service provider), since, although [that company] does not claim an ownership right over the content provided, published, uploaded or transmitted, it nevertheless retains the right to use [that] content’. The wording of the first question reflects that concern of the referring court. Indeed, that question seeks to determine whether ‘a … service provider that makes available to users [an online marketplace] … but which, through the general terms and conditions of use of the website, indicates that it … nevertheless retains the right to use the content’ can be considered eligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31.

49.      The references in the order for reference to the purely technical or passive nature of Russmedia’s activity reflect the Court’s case-law, according to which the exemption from liability provided for in Article 14(1) of Directive 2000/31 only applies in cases where the service provider is acting solely as an ‘intermediary service provider’, within the meaning intended by the legislature in the context of Section 4 of Chapter II of that directive. On that point, it follows from recital 42 of that directive that the exemptions from liability established in the directive cover only cases in which the activity of the information society service provider is of a mere technical, automatic and passive nature, which implies that that service provider has neither knowledge of nor control over the information which is transmitted or stored. (20) It is in the light of the case-law discussed above that the first question should be examined.

(b)    The role played by the operator of an online marketplace

50.      Although the referring court does not provide detailed information about the operation of Russmedia’s online marketplace, it appears that that company determines the layout of advertisements and publishes them free of charge or for a fee on its online marketplace, where advertisements are grouped into different categories chosen by the user advertisers and where other users can carry out searches using a simple search engine and rank the results. A user advertiser must register with Russmedia to publish an advertisement online. A user’s identity is not checked, either when that user is registered or when the advertisement is published. That is the picture of how that online marketplace operates that emerges from the order for reference, the written submissions from the parties and those made at the hearing, and my own research. It is for the referring court to verify the accuracy of those observations before making its decision in the main proceedings.

51.      In a case involving the operator of an online marketplace, the Court stated that, in order to ascertain whether that operator can be exempted from liability under Article 14 of Directive 2000/31, it is necessary to examine whether that provider confines itself to providing that service neutrally by a merely technical and automatic processing of the data provided by its customers or whether it plays an active role of such a kind as to give it knowledge of, or control over, those data. (21)

52.      On that point, the Court has held that the mere fact that the operator of an online marketplace stores offers for sale on its server, sets the terms of its service, is remunerated for that service and provides general information to its customers cannot have the effect of denying it the exemptions from liability provided for by Directive 2000/31. (22)

53.      In addition, with regard to one of the conditions required under Article 14(1) of Directive 2000/31 for an intermediary service provider to be exempt from liability, which I will return to later, (23) the Court has found that the fact that the operator of an online content-sharing platform automatically indexes content uploaded to that platform, that that platform has a search function and that it recommends videos on the basis of users’ profiles or preferences is not a sufficient ground for the conclusion that that condition has not been met. (24) A fortiori, nor is that circumstance capable of depriving that operator of the possibility of relying on the exemption from liability provided for in that legal provision. Indeed, the question as to whether the conditions for exemption from liability laid down in Article 14(1)(a) and (b) of that directive have been met arises only if the service provider concerned can be described as a ‘hosting provider assuming a neutral role’ in relation to the information that it stores and can, a priori, rely on that exemption.

54.      It would therefore appear, at first sight, that Russmedia plays a neutral role with regard to information stored at the request of user advertisers and that it can rely on the exemption provided for in Article 14(1) of Directive 2000/31. We must now dispel the doubts raised by the referring court, reflected in the wording of the first question, which essentially seeks to determine whether, when examining if that exemption is applicable, primary consideration should be given to the terms and conditions of use of an online marketplace or, rather, to the actions actually undertaken by the operator of the marketplace.

(c)    The relevance of the terms and conditions of use

55.      As a reminder to the reader, in accordance with the terms and conditions of use of its online marketplace, Russmedia does not claim any right of ownership over the content provided, published, uploaded or transmitted, but reserves the right to use that content, including by copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and deleting it at any time, without the need for any reason for doing so.

56.      I note at the outset that the dispute in the main proceedings does not concern any harm caused to the appellant in the main proceedings by Russmedia’s intervention in the advertisement at issue, which was accessible on its online marketplace. That is not, therefore, a situation in which the damage results from content provided by the user of an online marketplace and modified or manipulated by the operator of the marketplace.

57.      That said, it should be noted that, having regard to the terms and conditions of use of its online marketplace, Russmedia does not appear to have any obligation towards user advertisers with regard to the preparation or presentation of the content of advertisements stored at their request. However, that company reserves the right to use that information, without the need for any reason for doing so.

58.      In that regard, although the terms and conditions of use of an online marketplace may determine how an information society service functions and make it possible to understand the role played by its provider, the contractual arrangements under which that provider may take action in relation to the information stored, without being obliged to do so, cannot, in themselves, be decisive when the question arises as to whether the role of that provider is neutral. In its case-law, the Court emphasises the effective participation of the provider of an information society service in the preparation and presentation of information provided by users of the service. On the other hand, when examining whether the exemption from liability provided for in Article 14(1) of Directive 2000/31 is applicable, actions that a service provider is authorised to take under the terms and conditions of use of its platform but that it does not implement in practice should be ignored. In other words, that examination should take into account the actions actually undertaken by the provider of such a service.

59.      Specifically, the Court has held that when the operator of an online marketplace provides assistance which entails, in particular, optimising the presentation of the offers for sale in question or promoting those offers, it must be considered not to have taken a neutral position between the customer-seller concerned and potential buyers but to have played an active role of such a kind as to give it knowledge of, or control over, the data relating to those offers for sale. (25) Similarly, the Court has held, in essence, that a newspaper publishing company cannot rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31 in respect of information contained in the electronic edition of the paper version of the newspaper published by that company, since the company has, in principle, knowledge about the information that it posts and exercises control over that information. (26)

60.      To summarise, in the passages of case-law I have just cited, the operating procedures of an online marketplace imply prior knowledge and control of the information stored. However, in the present case, as the Commission observed at the hearing, there is nothing to indicate that Russmedia intervenes in the creation, optimisation or presentation of advertisements, or that it checks the individual content of those advertisements prior to publication. The control that that company could exercise by virtue of the terms and conditions of use of its online marketplace is merely potential and ex post. It also appears that Russmedia has no knowledge of the information stored that would justify denying that company the exemption from liability provided for in Article 14(1) of Directive 2000/31.

61.      Moreover, as the Commission has observed, terms and conditions of use of a platform similar to those of Russmedia are not unusual for intermediation services. (27) It is important to highlight in that regard that the fact that an intermediary service provider reserves the right to use information provided by users of its service is in line with the valuable role played by intermediary service providers in preventing illegal online content.

62.      In order to meet the conditions required to exempt an intermediary service provider from liability provided for in Article 14(1)(a) and (b) of Directive 2000/31, the intermediary service provider must respond and remove or block illegal content as soon as such content is identified. The service provider may reserve the right to delete such content at any time, in particular to demonstrate its ability to take such action.

63.      Given those factors, the fact that, in the terms and conditions of use of its online marketplace, Russmedia reserves the right to use content stored at the request of users of its service should not mean that that company is considered ineligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31.

(d)    Interim conclusion

64.      In view of the above, my proposed answer to the first question referred is that Article 14(1) of Directive 2000/31 must be interpreted as meaning that the provider of an information society service that makes available to users an online marketplace on which free or paid advertisements are posted may also be considered eligible for the exemption from liability provided for in that legal provision where that provider indicates, in the general terms and conditions of use of its online marketplace, that, while it does not claim any right of ownership over the content that is provided, published, uploaded or transmitted, it nonetheless retains the right to use that content, including by means of copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and removing it at any time, without the need for any reason for doing so, provided that that service provider does not take any action that would cause it to cease to be classified as a neutral hosting provider.

65.      For the sake of completeness, it is appropriate to consider whether the conditions to which that exemption is subject are satisfied in the present case, having regard to the unique nature of the dispute in the main proceedings.

2.      The conditions required for an intermediary service provider to be exempted from liability

66.      The order for reference highlights the unique aspects of the present case, which appear to be linked to the conditions required under Article 14(1) of Directive 2000/31 for exemption from liability for stored information. The referring court has drawn the Court’s attention to the manifestly unlawful and deeply harmful nature of the advertisement at issue and to the fact that the advertisement is available on numerous other websites on which it has been reproduced.

(a)    The manifestly illegal nature of the information stored

(1)    Identifying manifestly illegal content

67.      The referring court observes that it should not have been necessary to notify Russmedia of the unlawful content in order to enable that company to identify and analyse any possible unlawfulness in the information published. Indeed, according to that court, the content of the advertisement at issue was manifestly unlawful and deeply harmful to the appellant in the main proceedings. The referring court therefore appears to start from the premiss that, because of its clearly illegal nature, Russmedia should have been aware of that advertisement and its unlawful content. Accordingly, to be considered eligible for the exemption from liability, Russmedia should have – promptly and without waiting for a request to that effect – withdrawn the advertisement or made access to it impossible, in accordance with Article 14(1)(b) of Directive 2000/31.

68.      The aim of Article 14(1)(a) of Directive 2000/31 is to exempt a hosting provider from liability for information stored where it has no knowledge of the illegal activity or information. When a hosting provider is held liable in an action for damages, as in this case, a stricter condition for exemption from liability becomes applicable. In such a case, the service provider is considered ineligible for the exemption from liability provided for in Article 14(1) of that directive where that service provider was aware of facts or circumstances on the basis of which a diligent economic operator should have identified the illegality in question and failed to act in accordance with Article 14(1)(b) of that directive. (28) As required by Directive 2000/31, the illegality of the activity or information must be ‘apparent’ or, in other words, readily identifiable. (29)

69.      Nevertheless, the service provider may only lose the right to the exemption from liability provided for in Article 14(1) of Directive 2000/31 if it was actually aware of facts or circumstances on the basis of which the illegality of the activity or information can be objectively identified by a diligent economic operator. Regardless of whether the case relates to an action for damages, it is not enough for the service provider to be aware, in a general sense, of the fact that its service is also used to share illegal content. The service provider must be aware of facts or circumstances relating to specific illegal information and activities. (30)

70.      Therefore, the condition required under Article 14(1)(a) of Directive 2000/31 is not met where, on the basis of information available to it, the service provider identifies or is unaware of the illegal nature of the data stored or is mistaken as to the legality of such data. While the illegal nature of an item of information or an activity must be assessed objectively, according to the criterion of the diligent economic operator, awareness of facts revealing such illegality is in principle assessed taking into account the information actually available to the service provider concerned.

71.      In such a situation, it cannot be presumed that the operator of an online marketplace is aware of the content of any illegal and harmful advertisements. Moreover, introducing such a presumption would mean requiring the operator to monitor all the data of each of its advertisers actively in order to identify advertisements that are manifestly illegal and harmful. Such a monitoring obligation seems to me difficult to reconcile with the reasoning underpinning Directive 2000/31.

72.      Indeed, a monitoring obligation of that nature, introduced ‘by the back door’, would be incompatible with Article 15(1) of Directive 2000/31, which provides that Member States are not to impose a general obligation on hosting providers to monitor the information which they store, or a general obligation actively to seek facts or circumstances indicating illegal activity. Accordingly, a hosting provider cannot be required to monitor generally the information it stores on the basis of national measures. (31)

73.      Consequently, the condition provided for in Article 14(1)(a) of Directive 2000/31 cannot be regarded as not having been met simply because an advertisement published on an online marketplace is manifestly illegal and deeply harmful to the person concerned by that advertisement. For the sake of completeness, I should add that Directive 2000/31 does not ignore situations where the provider of a hosting service adopts a business or organisational model that encourages or promotes the dissemination of illegal content.

(2)    A platform involved in illegal activities

74.      It should be noted that recital 44 of Directive 2000/31 states that a service provider that deliberately collaborates with one of the recipients of its service in order to undertake illegal acts goes beyond the activities of ‘mere conduit’ or ‘caching’ referred to, respectively, in Articles 12 and 13 of that directive. As a result such service providers cannot benefit from the liability exemptions established for those activities. Although that recital does not mention the hosting activity covered in Article 14 of the directive, there is no reason why the same reasoning should not apply to that activity. Indeed, in the judgment in YouTube and Cyando, (32) the Court held that an operator of an online platform that contributes, beyond merely making the platform available, to giving the public access to content in breach of copyright, cannot be regarded as a neutral hosting provider that is able to benefit from the exemption from liability provided for in Article 14(1) of Directive 2000/31.

75.      In that judgment, to determine whether an operator gave the public such access, the Court appeared to rely, indirectly, on its analysis of the concept of ‘act of communication’, as provided for in Directive 2001/29/EC. (33) According to that analysis, inspired by the Court’s ruling on the Pirate Bay sharing platform, (34) an operator provides such access when it intervenes in the unlawful communication of protected content by users of its platform, with full knowledge of the consequences of its conduct, to provide access to such content to other internet users. According to the Court, in order to determine whether that is the case, it is important to take into account all the factors characterising the situation in question and making it possible to draw conclusions, directly or indirectly, as to whether or not the operator deliberately intervened in the unlawful communication of that content.

76.      If that approach is transposed to the circumstances of the present case, it would mean that the operator of an online marketplace that has adopted a business and/or organisational model that encourages users of its platform to disseminate manifestly illegal and deeply harmful content or that promotes and facilitates the unlimited and uncontrolled dissemination of such content would cease to be classified as a neutral hosting provider under Article 14(1) of Directive 2000/31. However, there is no indication that Russmedia has adopted such a model.

(3)    Developments in EU law on the moderation of online content

77.      It could be argued that the view that Directive 2000/31 – in principle and subject to exceptional circumstances – (35) does not oblige hosting service providers to detect any manifestly illegal and deeply harmful content might seem unsatisfactory, given the risks that the dissemination of such content could generate with regard to the rights of their users and third parties.

78.      However, as I have observed in a different context, (36) Directive 2000/31 is a product of its time and the EU legislature was seeking to establish a basic regime which specifically protects the freedom to provide information society services. Consequently, that directive merely imposes information obligations on any provider of information society services, (37) without making any distinction between the different categories of hosting services. That is because that directive is based on the premiss that, within the limits it sets, Member States establish obligations that service providers operating within their territory must fulfil. In particular, the discretion afforded to Member States is circumscribed by the prohibition on imposing a general monitoring obligation, laid down in Article 15 of that directive.

79.      The basic regime introduced by Directive 2000/31 has gradually been supplemented by sector-specific acts requiring appropriate measures to be put in place to protect certain categories of users from specific content, such as content relating to terrorism or child pornography. (38)

80.      The EU legislature has recently made substantial amendments to the legal framework applicable to online platforms. The Digital Services Act differentiates the obligations of platforms according to certain criteria and also regulates, to a certain extent, the issue of moderation of illegal content. (39) However, that new legal framework does not touch on the present case and the Court should not, in my view, introduce, by judicial decision, an obligation that is not only not provided for by Directive 2000/31 – which is applicable to the facts in the main proceedings – but is also contrary to Article 15 of that directive.

(b)    Redistribution of the content of the advertisements published

81.      Another aspect to which the referring court has drawn the Court’s attention concerns the fact that, although Russmedia withdrew the advertisement at issue from its online marketplace following the request from the appellant in the main proceedings, that advertisement is still accessible on numerous other websites that have reproduced it from Russmedia’s online marketplace, indicating the original source. The referring court did not directly refer a question concerning that circumstance from the point of view of Directive 2000/31. On the other hand, it does make reference to it in the context of its fourth question, which concerns the measures required by the GDPR to ensure the security of personal data processing. However, at the hearing, in response to questions from the Court, that circumstance was debated by the parties in the context of the condition of exemption from liability provided for in Article 14(1)(b) of that directive. In the light of those considerations, and in order to provide the referring court with an answer that is of assistance, I will analyse the question as to whether the condition laid down in Article 14(1)(b) of Directive 2000/31 is met where, after becoming aware of facts or circumstances that make the illegal nature of the information stored readily identifiable, the hosting provider promptly removes that information from its website, but it is still accessible on other websites that have reproduced it from that hosting provider’s site.

82.      In that regard, the referring court does not specify whether the advertisement at issue was redistributed to the operators of other websites by Russmedia or whether it was copied by them without Russmedia’s knowledge. That point was debated at the hearing. I will examine those two scenarios, with a view to providing a helpful answer to the referring court.

(1)    Reproduction of advertisement at issue by partners

83.      At the hearing, the Commission alluded to a situation in which Russmedia, in accordance with the terms and conditions of use of its online marketplace, transmits advertisements that have been published on its online marketplace to partners with which it has a contractual relationship and that are listed on its site and, therefore, known to user advertisers.

84.      In such a case, the question could arise of whether the service provided by the operator of an online marketplace consists in the neutral hosting of information stored at the request of a recipient of its service. It is important to remember that Article 14(1) of Directive 2000/31 only applies if the service provider provides such a service.

85.      On that point, I should note that when the operator of an online marketplace transmits information provided by a recipient of its service to its partners, in an individualised and/or human-assisted manner, so that they can publish it on other websites, its role is similar to that of a promoter of that information. In such a case, I have doubts as to whether that operator’s service falls fully within the scope of Article 14(1) of Directive 2000/31. However, when the information stored at a user’s request is reproduced by the operators of other websites and the operator’s role in that transmission is purely technical and automated, it could be considered that that provision is fully applicable.

86.      That being so, the order for reference does not contain any factual information making it possible to determine which of those two hypotheses corresponds to the situation in the main proceedings. More importantly, the question of whether the condition provided for in Article 14(1)(b) of Directive 2000/31 is met only arises if Russmedia can be classified as a ‘hosting provider’ under that provision. I will therefore analyse the condition provided for in Article 14(1)(b) of that directive on the basis that Russmedia is a hosting provider under that provision and that the advertisement at issue was reproduced by that company’s partners under the conditions described by the Commission at the hearing. (40)

87.      The wording of Article 14(1)(b) of Directive 2000/31 establishes that the exemption from liability only applies if the hosting provider acts expeditiously to remove or to disable access to the illegal information. Therefore, that provision does not merely state that the hosting provider must remove or block access to illegal information. Indeed, the legislature has chosen a general wording according to which, in essence, a service provider must promptly put an end to an illegal activity carried out by means of or on its service.

88.      Admittedly, the wording of that condition could be understood as meaning that the EU legislature was not aiming to establish concrete results to be achieved, but simply to ensure that efforts were made in that respect. However, the general wording of Article 14(1)(b) of Directive 2000/31 also leaves a certain amount of discretion for a service provider (‘to remove or to disable access to the information’), enabling it to adopt an appropriate, proportionate and effective measure. That provision must be read in that way, in the light of several recitals in that directive.

89.      Indeed, recital 46 of Directive 2000/31 states that the removal of information must take place in observance of ‘procedures established for this purpose at national level’ and that the directive in question ‘does not affect Member States’ possibility of establishing specific requirements which must be fulfilled expeditiously prior to the removal or disabling of information’. However, there is nothing to suggest that such procedures and requirements have been established by the applicable national legislation.

90.      In any event, recital 41 of Directive 2000/31 states that the directive strikes a balance between the different interests at stake and establishes principles upon which industry agreements and standards can be based. With regard specifically to the condition provided for in Article 14(1)(b) of that directive, recital 46 states that the service provider must remove or disable access to the information in the observance of the principle of freedom of expression. In that regard, the Court has stated that the exemption from liability provided for in Article 14(1) of that directive reflects the balance that the directive seeks to strike between the various interests at stake, which include observance of freedom of expression, as safeguarded by Article 11 of the Charter of Fundamental Rights of the European Union (‘the Charter’). (41)

91.      I conclude that, in order for the condition provided for in Article 14(1)(b) of Directive 2000/31 to be considered fulfilled, the illegal information must be removed in such a way as to reconcile the requirements of protecting those different rights and freedoms and striking a fair balance among them.

92.      In that regard, on the one hand, just as respect for freedom of expression is safeguarded by the Charter and referred to in recital 46 of Directive 2000/31, respect for private life is also safeguarded by the Charter, in Article 7. On the other hand, given the need to strike a balance between the interests at stake, the objective of effectively protecting a person’s reputation and honour cannot be pursued by imposing an excessive obligation on the hosting provider. (42)

93.      That being the case, for the condition provided for in Article 14(1)(b) of Directive 2000/31 to be deemed to have been met while respecting the rights at stake, a hosting provider providing a service that is used to redistribute the information it stores to its contractual partners should take reasonable steps to ensure that that content is, where appropriate, also removed or blocked by its partners. For example, a clause to that effect could be included in contracts signed with those partners.

(2)    Reproduction of the advertisement at issue by third parties

94.      During the hearing, the parties discussed not only the case in which an advertisement is reproduced by partners of the operator of an online marketplace, but also the case in which a publicly accessible advertisement is reproduced by third parties, without the knowledge or consent of that operator. The question at issue was whether, in the light of the considerations stated in point 91 of the present Opinion, the operator of an online marketplace must take steps in relation to third parties, in order to satisfy the condition provided for in Article 14(1)(b) of Directive 2000/31. That question must be answered in the negative.

95.      The condition provided for in Article 14(1)(b) of Directive 2000/31 is based on the idea that a hosting service provider must promptly implement all measures within its power to put an end to any illegal activity carried out by means of or on its service. However, the question as to whether that condition is met cannot depend on measures outside its control.

96.      Without prejudice to the additional comments I have just made on the conditions required under Article 14(1) of Directive 2000/31 for an intermediary service provider to be exempt from liability, I maintain my proposed answer to the first question, stated in point 64 of the present Opinion.

B.      The second, third and fourth questions referred

97.      By its second, third and fourth questions, the referring court is asking, in essence, whether Article 5(1)(b) and (f), Article 6(1)(a) and Articles 7, 24 and 25 of the GDPR must be interpreted as meaning that a provider of information society services with an activity consisting in hosting advertisements, whether free or paid, on a website at the request of its users is required to verify in advance the identity of the advertiser (second question) and the content of the advertisements published (third question) and to implement security measures to prevent or limit the copying or redistribution of the content of advertisements containing personal data (fourth question).

98.      Those questions also concern Article 2(4) and Article 4(7) and (11) of the GDPR, and Article 15 of Directive 2000/31. However, to provide an answer to those questions that is of assistance it is sufficient to interpret the provisions of the GDPR, mentioned in the previous point of the present Opinion, which determine the obligations and responsibilities of anyone involved in the processing of personal data.

99.      In addition, in order to answer those questions, it is first necessary to determine in what capacity such a service provider is involved in the processing of personal data. In that regard, the second, third and fourth questions appear to be based on the premiss that Russmedia acted as a ‘controller’ under Article 4(7) of the GDPR. They refer to that provision and make reference to a ‘service provider, which is the personal data controller’. Like the Commission, I have my doubts about that legal characterisation. Therefore, in so far as it could have an impact on the answers to the questions referred for a preliminary ruling, I will look first at the legal characterisation of the operator of a marketplace according to the categories provided for by the GDPR (Section 1), and then return to the question of the obligations and responsibilities of that operator (Section 2).

1.      Legal characterisations

(a)    Parties involved in the processing of personal data

100. Article 4(7) of the GDPR defines the concept of ‘controller’ as meaning the person who or which, alone or jointly with others, determines the purposes and means of the processing of personal data. That regulation mentions another party involved in data processing, namely the ‘processor’. That is defined in Article 4(8) of that regulation as the person which processes personal data on behalf of the controller.

101. The characterisation of a party involved in data processing according to the categories laid down in the GDPR determines the obligations and responsibilities of that party. Those obligations and responsibilities are defined by the provisions referred to in the second, third and fourth questions.

102. Any processing of personal data must comply with the principles relating to data processing laid down in Article 5(1) of the GDPR and satisfy the conditions for lawfulness of processing laid down in Article 6 of that regulation. It is the data controller that assumes responsibility for compliance with those principles (43) and, where processing is based on consent, must be able to demonstrate that the data subject has consented to processing of his or her personal data, as required by Article 7(1) of the regulation. In the same spirit, Articles 24 and 25 of that regulation lay down general obligations for the controller to implement appropriate technical and organisational measures to ensure that processing is performed in compliance with that regulation.

103. Furthermore, the capacity in which a party involved in processing acts also determines the extent of that party’s liability for breaches of the GDPR.

104. Indeed, in accordance with the first sentence of Article 82(2) of the GDPR, ‘any controller involved in processing shall be liable for the damage caused by processing which infringes [that] Regulation’. The controller is responsible and liable not only for any processing of personal data that it itself carries out, but also for any such processing carried out on its behalf. (44) On the other hand, in accordance with the second sentence of Article 82(2) of that regulation, ‘a processor shall be liable for the damage caused by processing only where it has not complied with obligations of [that] Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller’.

(b)    The purpose and means of processing

105. In order to establish whether an entity involved in the processing of personal data may be regarded as a controller within the meaning of Article 4(7) of the GDPR, it is necessary to examine whether that entity actually exerted influence, for its own purposes, over the determination of the purposes and means of the processing in question.

106. The purpose of a processing operation concerns the question of why the data are being processed. (45) In principle, it is the person that initiated the processing that decides.

107. The outlines of the concept of ‘means’ are less clear and need to be determined in the context of the changes in the economic and technological structures in which data are processed. Broadly speaking, while the purpose of a processing operation concerns the reason why the data are processed, the means answer the question of how that objective will be achieved. Determining the means involves, in particular, deciding what data are processed, (46) who may access them and how (47) and, in so far as such a decision may put an end to the processing operations, the duration of the processing. Decisions about the physical or digital tools or media (48) used to collect, present or distribute data also help to determine the means of processing.

108. However, the data controller is not required to determine every technical and organisational aspect of the processing. The decision to entrust the processing of data to a processor may result not only from a desire to lessen the workload of the controller, but also from the fact that the controller does not have the technical knowledge or the means necessary to organise the processing. Such an interpretation, guided by economic realities, is corroborated by the provisions of the GDPR.

109. Indeed, while, in accordance with Article 28(3) of the GDPR, a contract or other legal act on the basis of which a controller entrusts processing to a processor must define the purpose of the processing, that legal basis need not provide an exhaustive answer to the question of how the data will be processed. It need only determine the subject matter and duration of the processing, the nature and purpose of the processing, and the type of personal data and categories of data subjects. Accordingly, on the one hand, sensitive issues that are fundamental to the legality of the processing are reserved for the data controller. On the other hand, although a processor acts on behalf of a controller and follows its instructions, it can, and indeed must, determine the technical and organisational measures for processing, without overstepping its role as processor. In other words, determining the non-essential means of processing is not sufficient to grant the status of controller to a person involved in data processing.

110. It is on the basis of the criteria laid down in points 106 to 109 of the present Opinion that the referring court will have to decide whether Russmedia can be considered a controller. With a view to providing the national court with points for interpretation under EU law that will be of assistance in resolving the dispute before it, I will examine that issue.

(c)    The operator of an online marketplace and the GDPR

111. First of all, I would like to point out that the processing of personal data contained in advertisements published on an online marketplace must be distinguished from the processing of the data of user advertisers who create accounts with the marketplace operator in order to publish their advertisements. The creation of such accounts and other actions relating to data provided by user advertisers constitute processing operations for which that operator is responsible and liable under the GDPR. In essence, the operator decides which data are required to register an account and, when setting up that procedure for registering user advertisers, determines the purpose for which the data are processed.

112. The order for reference raises the question as to whether the operator of an online marketplace also exerts influence, for its own purposes, over the determination of the purposes and means of processing of any personal data contained in advertisements published on its online marketplace.

113. In that respect, with regard to the purpose of processing the data contained in an advertisement posted online, the publication of an advertisement on an online marketplace is generally intended to promote the product or service offered by a user advertiser to the public. That purpose is therefore determined by the user advertiser concerned. By contrast, the operator of that online marketplace does not appear to exert any influence, for its own purposes, on the reason why those advertisements are published. The case before us is a perfect illustration of the specific manner in which online marketplaces operate. Indeed, the advertisement at issue was put online not to promote the service of a user advertiser, but to cause harm to the appellant in the main proceedings. The operator exerted no influence on the regrettable motivation of the author of that advertisement.

114. When it comes to determining the means of processing, it is the user advertiser who influences the answer to the question of how the data are processed. The user advertiser decides whether data are included in the advertisement and, if so, which data. Conversely, it is highly likely that the operator of an online marketplace is not even aware that an advertisement contains personal data. Furthermore, while it is true that the operator determines the layout of the advertisements and other technical and organisational aspects of how the online marketplace operates, I should note, in the light of the observations I have made in point 109 of the present Opinion, that the influence of the operator on the determination of the non-essential means of processing does not mean that it should be regarded as a controller.

115. Accordingly, the operator of an online marketplace, such as Russmedia, does not appear to exert any influence, for its own purposes, over the determination of the purpose and means of processing of any personal data contained in advertisements posted on that online marketplace. If that operator is involved in processing those data, it acts as processor, on behalf of a user advertiser and under its responsibility. Given that circumstance, users of a hosting service must be characterised as ‘data controllers’ within the meaning of the GDPR. (49)

116. In view of the unique nature of this case, it is appropriate to add some further details to the points I have just made.

117. In the first place, irrespective of whether, under the GDPR, a data subject may be considered to be the controller of his or her own personal data, (50) it is important to note that, in the present case, the person who placed the advertisement at issue online was not himself or herself the subject of the data contained in that advertisement.

118. In the second place, under the terms and conditions of use of its online marketplace, Russmedia reserves the right to use the information stored at the request of user advertisers. It may copy it, distribute it, transmit it, publish it, reproduce it, modify it, translate it, transfer it to partners and remove it at any time, without the need for any reason for doing so. Once such action is taken in relation to the data contained in an advertisement, that company could be considered to be a data controller with regard to a specific processing operation, with all the obligations and responsibilities that that entails. A person may be responsible for processing operations for which that person determines the purposes and means. By contrast, and without prejudice to any civil liability provided for in national law in that respect, that person cannot be considered to be a controller, within the meaning of the GDPR, in the context of operations that precede or are subsequent in the overall chain of processing for which that person does not determine either the purposes or the means. (51)

119. In the third place, the points I have just made are in line with the position of the Article 29 Working Party, (52) in its Opinion 1/2010 of 16 February 2010 on the concepts of ‘controller’ and ‘processor’. (53) According to that Working Party, an internet service provider providing hosting services is in principle a processor of the personal data published online by its customers, who use that provider for their website hosting and maintenance. If, however, the internet service provider further processes for its own purposes the data contained on the websites then it is the data controller with regard to that specific processing. Moreover, that position is also in line with that of the European Data Protection Board in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 7 July 2021, (54) according to which a hosting service that does not determine whether the data it hosts are personal data and does not process data in any other way than storing them for its customers is a processor.

120. Accordingly, subject to the factual verifications to be carried out by the referring court, the Court should, in my view, draw that court’s attention to the desirability of reconsidering how Russmedia has been characterised. Indeed, like the Commission, I am of the opinion that that company does not act as a controller, but rather as a processor in relation to the processing operations resulting from the publication of the advertisement at issue. It is on the basis of that premiss that I will now examine the second, third and fourth questions.

2.      The obligations and responsibilities of the operator of an online marketplace

(a)    The case where the operator of an online marketplace is considered to be a processor in relation to the processing of data contained in advertisements

121. In the context of the obligations and responsibilities incumbent upon the operator of an online marketplace under the GDPR, it is relevant to distinguish between, on the one hand, the processing of personal data contained in advertisements published on that marketplace and, on the other hand, the processing of data of user advertisers who create accounts with that operator.

(1)    The processing of the data contained in advertisements

122. If Russmedia was in fact a processor of the personal data contained in the advertisements, it was not its responsibility to check whether the processing was authorised and legal. In fact, as I have already stated, (55) under the provisions referred to in the second question, it is the data controller that assumes responsibility for compliance with the principles relating to the processing of personal data. By the same token, under the provisions cited in the third question, the processor is not required to verify in advance the content of the information being processed.

123. The fourth question seeks to establish whether Russmedia should have implemented security measures to prevent or limit the copying or redistribution of the content of advertisements containing personal data. That question concerns the interpretation of Article 5(1)(b) and (f) and Articles 24 and 25 of the GDPR. Those provisions also concern the obligations of the controller rather than the processor.

124. That being said, Article 32 of the GDPR lays down the obligations of the controller and a potential processor as regards the security of that processing. (56)

125. Specifically, Article 32(1) of the GDPR stipulates that the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by that processing, taking into account the state of the art, the costs of implementation but also the nature, scope, context and purposes of the processing concerned, along with the risks. Similarly, Article 32(2) of that regulation states that, in assessing the appropriate level of security, account must be taken in particular of the risks that are presented by processing, in particular from accidental or illegal destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.

126. In so far as Article 32(2) of the GDPR concerns the obligations of a processor, that provision presupposes that the processing of data in accordance with the controller’s instructions is authorised and legal. A processor cannot be required to monitor the actions of the data controller on behalf of which it is processing data. However, it must adopt measures to safeguard the security of personal data processing against interference from third parties. Indeed, Article 32(1) of that regulation gives specific expression to the principles of integrity and confidentiality set out in Article 5(1)(f) of the regulation. (57) In accordance with those principles, data must be processed by or on behalf of the controller in such a way as to ensure appropriate security of the data, including protection against unauthorised or illegal processing and against loss.

127. If advertisements posted on an online marketplace can be reproduced by the operators of other sites – in accordance with the terms and conditions of use of that marketplace – that are listed there and, therefore, are known in advance by user advertisers, the processor should implement measures enabling it to require the removal of advertisements removed from its own platform. It may turn out that the processing is not or has ceased to be legal, and the platform through which an advertisement is redistributed should also be able to put an end to an infringement of the GDPR by its partners. Such an outcome is consistent with the situation concerning compliance, by a hosting service provider, with the condition provided for in Article 14(1)(b) of Directive 2000/31. (58)

128. However, contrary to what the referring court seems to envisage in the fourth question, it does not seem to me that a processor should be required to prevent or limit the copying or redistribution of advertisements containing personal data. It is not for the processor to determine who can access those data and how.

(2)    The processing of the data of user advertisers

129. The obligations and responsibilities of the operator of an online marketplace are greater when it comes to processing the data of user advertisers who create accounts with that operator. In the context of that processing, the operator is the data controller and Articles 24 and 25 of the GDPR are fully applicable to its activities. (59)

130. Article 24 of the GDPR lays down a general obligation on data controllers to implement appropriate technical and organisational measures to ensure that data processing is performed in accordance with that regulation. Article 25 of that regulation requires the data controller to implement, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of that regulation and protect the rights of data subjects.

131. As is clear from Articles 24 and 25 of the GDPR, the measures in question must address the risks specific to the context in which the personal data are processed. The identification of specific risks and the determination of appropriate means must, of course, be left to the referring court, which has all the facts concerning the relevant criteria with regard to those provisions, nevertheless I would like to add the following clarifications.

132. As stated in recital 75 of the GDPR, risks to the rights and freedoms of natural persons may result from personal data processing, in particular where, inter alia, the processing may give rise to identity theft and where data subjects might be prevented from exercising control over their personal data. In general, an identity is stolen with the aim of carrying out fraudulent actions that cause harm to the data subject or third parties. Furthermore, in the case of online platforms, irresponsible use of such platforms can lead to infringement of the rights of individuals, and the prospect of the person responsible for such infringements being able to act with impunity exacerbates those risks.

133. Consequently, if the data controller manages an online marketplace accessible to user advertisers who, when using that marketplace, could impersonate another person for fraudulent purposes, it must implement measures to reduce that risk. As required by Article 25 of the GDPR, in order to meet the requirements of that regulation and protect the rights of data subjects, that risk must be taken into account by the controller both at the time of the determination of the means for processing and at the time of the processing itself.

134. That being the case, the operator of an online marketplace must, in my opinion, implement technical or organisational measures enabling it to verify the identity of user advertisers. Such a verification would, first, limit the risk of illegal or unfair processing of personal data relating to data subjects and, second, make it possible to combat irresponsible use of that online marketplace, as it would challenge the sense of impunity of anonymous users.

135. I should point out that the assumption of anonymous use of the internet does not preclude verification of the identity of user advertisers. A user advertiser’s data may not be accessible to any user of a platform. Such data may be verified and stored only by the data controller so that it can comply with its obligations under the GDPR. For verification purposes, the operator may request a telephone number and use that to confirm registration. Such a solution is not unusual for online platforms.

136. It is true that such a measure does not eliminate all risk of identity theft. However, the GDPR merely requires the controller to adopt technical and organisational measures intended to avoid, in so far as it is at all possible, any personal data breach. (60) That is therefore not an obligation to achieve a specific result, but a best endeavours obligation. In any event, the order for reference suggests that Russmedia did not implement any measures enabling it to check the identity of the author of the advertisement at issue at the time of registration or at the time of publication of that advertisement.

137. That being the case, I propose to answer the second, third and fourth questions to the effect that Article 5(1)(f), Article 6(1)(a) and Articles 7, 24 and 25 of the GDPR must be interpreted as meaning that the provider of an information society service with activity consisting in hosting advertisements, whether free or paid, on a website at the request of its users acts as processor in respect of the personal data contained in the advertisements posted on its online marketplace. In that context, it is not required to verify the content of the advertisements posted or to implement security measures to prevent or limit the copying and redistribution of the content of the advertisements published by means of its services. However, it must implement appropriate organisational and technical measures to ensure the security of processing vis-à-vis third parties. On the other hand, such a service provider acts as a data controller with regard to the personal data of user advertisers registered on its website. In that context, it is required to verify the identity of those user advertisers.

138. For the sake of completeness, and in case the Court does not agree with my analysis, I will now briefly examine the obligations and responsibilities of the operator of an online marketplace considered to be a data controller, within the meaning of Article 4(7) of the GDPR, in relation to the personal data contained in advertisements posted on its online marketplace. Indeed, as I stated above, (61) the second, third and fourth questions seem to be based on the premiss that Russmedia is acting as a ‘data controller’.

(b)    The case where the operator of an online marketplace is considered to be a data controller in relation to the processing of data contained in advertisements

139. First of all, I would point out that the fact that the operator of an online marketplace is a data controller does not necessarily mean that a user advertiser on that online marketplace cannot also be considered a data controller. (62)

140. In fact, the GDPR recognises the existence of joint responsibility that does not necessarily imply equal responsibility on the part of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of the processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.

141. However, I will focus on the obligations and responsibilities of the operator of an online marketplace in so far as, in the present case, it is the responsibility of such an operator for the processing of personal data contained in an advertisement posted on its online marketplace that is at issue.

142. The purpose of the second and third questions is to determine whether the operator of a website is required to verify, before publishing an advertisement, the identity of the person posting the advertisement and that of the person targeted by the advertisement respectively, as well as the content of advertisements sent by users.

143. In that regard, I am not convinced that the operator of an online marketplace is obliged to ensure that a user advertiser is in fact the person to whom the data contained in an advertisement relate. An online marketplace can also be used by a user advertiser to publish an advertisement relating to another person.

144. However, a data controller must check whether the processing of personal data is based on the consent of the data subject concerned or some other legitimate basis, laid down by law. That obligation is imposed by Article 5(1)(a), Article 6(1) and Article 7(1) of the GDPR.

145. Accordingly, if the operator of an online marketplace is acting as data controller, it must ensure that the person whose data are contained in an advertisement has consented to the processing. Logically, that operator must also check the content of any advertisement submitted by a user advertiser, to verify whether it contains personal data.

146. In accordance with the principle of fairness provided for in Article 5(1)(a) of the GDPR, the data controller must also ensure that the data are processed fairly in relation to the data subject. In addition, under Articles 24 and 25 of that regulation, it must also implement technical and organisational measures to ensure that processing is performed in accordance with that regulation. In doing so, it must take into account the risks specific to the context in which the personal data are processed.

147. Risks to the rights and freedoms of natural persons and in particular risks of non-material or other damage may result from the processing of publicly accessible personal data in an online environment.

148. Where the operator of an online marketplace is responsible for processing the data contained in advertisements posted on that marketplace, it must check the advertisements before they are published online, verify whether their processing is based on the consent of the data subject or on some other legitimate basis laid down by law, and introduce measures to prevent processing that is harmful to data subjects. If that operator fails to comply with those principles, it may be held liable for breaches of that regulation, in accordance with Article 82 of the GDPR.

149. The fourth question is intended to establish whether the operator of an online marketplace must implement security measures to prevent or limit the copying and redistribution of the content of the advertisements published by means of its services.

150. If, given the context in which the processing is carried out, there is a possibility that the advertisements might be reproduced by other sites and that the personal data might subsequently be processed in a manner incompatible with the purposes for which they were collected, the data controller may consider implementing such measures, which must be appropriate. However, I am not convinced that the operator of an online marketplace, which, from the point of view of the operator and the user advertisers, makes economic sense because the advertisements posted there are publicly accessible, should be obliged to limit the redistribution of those advertisements. Furthermore, the usual objective of putting content online is generally to make it accessible to all internet users, which implies some form of redistribution. In any event, having regard to the points I have made in point 148 of the present Opinion, the advertisement at issue should not have been published on Russmedia’s online marketplace without the consent of the data subject.

151. Without prejudice to the above additional comments on the obligations and responsibilities of a data controller, I maintain my position that the operator of an online marketplace is a processor of personal data contained in advertisements posted on that marketplace. (63) That being the case, all that remains is to examine the relationship between Directive 2000/31 and the GDPR.

C.      The relationship between the system imposed by Directive 2000/31 and that imposed by the GDPR

152. The second and third questions relate, in particular, to Article 2(4) of the GDPR, which concerns the relationship between that regulation and Directive 2000/31. In addition, those questions refer both to the provisions of that regulation that determine the obligations and responsibilities of a data controller and to Article 15 of the directive. Those questions therefore seem to assume the parallel application of the GDPR and the abovementioned directive.

153. However, before considering such a parallel application of those two instruments of EU law (Section 2), I must point out that there is a certain tension between the hypothesis referred to in the first question and that referred to in the second, third and fourth questions (Section 1).

1.      A neutral hosting provider as data controller

154. As a reminder, it follows from my analysis that Russmedia was acting as processor in relation to the processing of personal data contained in advertisements published on its online marketplace. (64) However, the working assumption of the referring court is that that company was acting in the capacity of a data controller. That being the case, the order for reference raises the question as to whether the operator of an online marketplace can wear two hats, namely that of neutral hosting provider of information stored at the request of users of its service, within the meaning of Article 14(1) of Directive 2000/31, and that of data controller for the personal data contained in that stored information. On the one hand, the first question seeks to establish whether Russmedia is an intermediary service provider within the meaning of Section 4 of Chapter II of that directive. On the other hand, the second, third and fourth questions seem to start from the premiss that that company must be characterised as a ‘data controller’ under the GDPR.

155. In that regard, I am aware that, in its case-law, the Court has not ruled out the possibility that a personal data controller under the GDPR might play a neutral role with regard to information containing such data and be eligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31. That observation has also been made by academic writers with regard to national case-law. (65)

156. Admittedly, the Court initially held, in the judgment in Google Spain and Google, that the operator of a search engine is a data controller in respect of personal data contained in information published or placed on the internet by third parties that is found, indexed and stored by that operator. (66) Subsequently, in the judgment in Google France and Google, the Court considered whether the operator of that search engine could benefit from the exemption from liability provided for in Article 14(1) of Directive 2000/31. (67) However, that second judgment related not to the operation of that search engine, but a referencing service. Moreover, in that judgment, the Court left it to the referring court to determine whether the role played by that operator corresponded to that of an intermediary service provider under that provision. (68)

157. More importantly, on the one hand, as I have indicated above, (69) an intermediary service provider, within the meaning intended by the legislature in Section 4 of Chapter II of Directive 2000/31, cannot play a role that would give it knowledge of or control over the data stored and must therefore confine itself to providing that service neutrally by means of merely technical processing. On the other hand, the role of data controller involves determining the purpose and means of processing of personal data and, in particular, exerting an influence on whether data are subject to processing operations such as registration, modification or dissemination and, if so, on the determination of such data. (70) The exerting of such influence is incompatible with the neutral role that a provider of an information society service must maintain, with regard to information stored at the request of users, in order to be eligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31. Similarly, as I have clarified, (71) the GDPR places obligations and responsibilities on data controllers that require them to act proactively. In essence, to comply with the principles relating to the processing of personal data, the data controller must be aware of the data concerned and exercise control over them. Such control cannot be reconciled with the neutral role of such a service provider.

158. Accordingly, if, on the one hand, a hosting service consists of storing information that constitutes personal data under the GDPR and if, on the other hand, the provider of that service is considered to be a data controller within the meaning of that regulation, then the role of that provider is not confined to neutral storage of such information. Consequently, the provider of such a service assumes an active role with regard to that information and is ineligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31.

159. The tension between the hypothesis referred to in the first question and that referred to in the second, third and fourth questions corroborates the interpretation of the GDPR according to which the operator of an online marketplace acts not as a data controller for the personal data contained in the advertisements that it stores at the request of user advertisers, but as a processor of those data. (72)

160. For the sake of completeness, I would point out that I cannot rule out the possibility that the EU legislature chose not to preclude the possibility that a hosting provider acting as a data controller could be eligible for the exemption from liability under the Digital Services Act. Although that regulation deleted Articles 12 to 15 of Directive 2000/31, (73) those provisions were nevertheless included in the regulation, as interpreted by the Court. That regulation adds, in Article 7, that ‘providers of intermediary services shall not be deemed ineligible for the exemptions from liability referred … solely because they, in good faith and in a diligent manner, carry out voluntary own-initiative investigations … or take the necessary measures to comply with the requirements of Union law and national law in compliance with Union law’. (74) The first part of that provision, relating to ‘voluntary own-initiative investigations’, has elements in common with the case-law of the Court already developed under Directive 2000/31. (75) The second part, relating to ‘measures to comply with the requirements of Union law’, added by the same regulation, would enable a hosting provider to fulfil the obligations imposed on it by the GDPR and maintain its role as a neutral intermediary service provider. However, Directive 2000/31 does not contain a clause to that effect and there is no need to introduce one by way of interpretation of that directive.

161. We now need to establish whether a party involved in the processing of personal data as a processor that may be held liable for a breach of the GDPR in relation to the processing of such data can rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31.

2.      Parallel application of the GDPR and Directive 2000/31

162. The issue raised by the order for reference stems from the fact that information stored at the request of a recipient of the service contained personal data that had been processed in breach of the GDPR. Hence the question arising between the parties in the main proceedings, which has long been the subject of academic debate: (76) can a party involved in the processing of personal data that may be held liable for a breach of the GDPR rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31?

163. In that regard, I must point out that, in accordance with my analysis of those two instruments of EU law, the provider of an information society service that is the data controller for the personal data contained in the information stored at the request of the users of that service cannot rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31. (77) As a result, the following analysis is intended solely to determine whether a service provider acting as a processor of such data can rely on that exemption. I would like to point out that my analysis of the provisions of the GDPR leads me to propose that the Court conclude that Russmedia acted as a processor. (78)

164. Furthermore, it should be noted that the referring court does not specify whether, in the dispute in the main proceedings, Russmedia is liable for a breach of the GDPR under Article 82 of that regulation or under the civil liability rules under national law. Indeed, the infringement of a rule relating to the protection of personal data may at the same time give rise to an infringement of other rules, such as those on consumer protection (79) or personality rights, and the EU legislature did not intend to bring about an exhaustive harmonisation of the remedies available in respect of infringements of the provisions of the GDPR. (80)

165. In any event, with regard to civil liability, both Directive 2000/31 and the GDPR contain provisions that provide guidance on the relationship between those two instruments of EU law.

(a)    The relevant provisions of Directive 2000/31

166. Article 1(5)(b) of Directive 2000/31, headed ‘Objective and scope’, provides that that directive does not apply to questions relating to information society services covered by the rules of EU law applicable to personal data. Specifically, that provision refers to Directives 95/46 and 97/66 which have been replaced by the GDPR (81) and Directive 2002/58/EC, (82) respectively.

167. Furthermore, recital 14 of Directive 2000/31, which concerns the issues referred to in Article 1(5) of that directive, states that the protection of individuals with regard to the processing of personal data is solely governed by Directives 95/46 and 97/66, ‘which are fully applicable to information society services; these Directives already establish [an EU] legal framework in the field of personal data and therefore it is not necessary to cover this issue in [Directive 2000/31] in order to ensure the smooth functioning of the internal market, in particular the free movement of personal data between Member States; the implementation and application of [that directive] should be made in full compliance with the principles relating to the protection of personal data’.

168. In the past, the Court has previously considered the interpretation of Article 1(5)(b) of Directive 2000/31.

169. Initially, the judgment in Promusicae (83) raised the question as to whether EU law required Member States to lay down, in order to ensure effective protection of copyright, an obligation to communicate personal data in the context of civil proceedings. In that case, the referring court referred to several directives that, in its view, could have formed the legal basis for such an obligation.

170. In that regard, the Court held that it follows from Article 1(5)(b) of Directive 2000/31 that such an obligation, assuming that it is provided for in that directive, cannot affect the requirements of the protection of personal data. (84) The Court therefore seemed to envisage the parallel application of that directive and the instruments of EU law relating to the protection of personal data.

171. Subsequently, in the judgment in La Quadrature du Net and Others, (85) the Court examined whether Directive 2000/31 precluded national legislation requiring providers of access to online public communication services and hosting service providers to retain, generally and indiscriminately, personal data relating to those services. The referring court found that that question fell within the scope of that directive and took the view that Article 15 of that directive did not, in itself, establish a prohibition in principle on data relating to content creation being retained, which could be derogated from only exceptionally. (86)

172. The Court held that Directive 2000/31 is not applicable in the field of the protection of the confidentiality of communications and of natural persons as regards the processing of personal data in the context of information society services, such protection being governed by Directive 2002/58 or by the GDPR, as appropriate. (87)

173. The categorical nature of that response stems from the context in which it was given.

174. Indeed, on the one hand, we must not lose sight of the fact that recital 15 of Directive 2000/31/EC specifically addresses the confidentiality of communications and states that, in accordance with Directive 97/66, as stated in Article 1(5)(b) of Directive 2000/31, ‘Member States must prohibit any kind of interception or surveillance of such communications by others than the senders and receivers, except when legally authorised’. Directive 2002/58, which replaced Directive 97/66, confirms that prohibition and lays down the conditions under which Member States may derogate from it. Similarly, under the GDPR, the discretion afforded the Member States regarding derogations relating to the protection of personal data is limited by Article 23 of that regulation.

175. On the other hand, in order to reach the conclusion referred to in point 171 of the present Opinion, the Court stated that the protection of the confidentiality of communications and of natural persons in relation to the processing of personal data is governed only by Directive 2002/58 and the GDPR, ‘and it should be noted that the protection that Directive 2000/31 is intended to ensure cannot, in any event, undermine the requirements under Directive 2002/58 and [the GDPR]’. (88)

176. Accordingly, first, the case-law relating to Article 1(5)(b) of Directive 2000/31 suggests, that that directive does not apply to matters that are the subject of specific regulation under Directive 2002/58 and the GDPR. Second, Directive 2000/31 and the rules of EU law applicable to personal data apply in parallel as regards any other matter, but the provisions of that directive may not undermine the requirements relating to the protection of such data.

(b)    The relevant provisions of the GDPR

177. The interpretation that I have given in point 176 of the present Opinion is corroborated by Article 2(4) of the GDPR, which provides that that regulation applies ‘without prejudice’ to the application of Directive 2000/31, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that directive. (89)

178. Although, in the terminology of EU law, the observation that a legal instrument or one of its provisions applies ‘without prejudice’ to another instrument may cause the reader to reach various different conclusions, the GDPR specifies that it applies without prejudice, in particular, to the specific provisions of Directive 2000/31. The EU legislature therefore wanted to emphasise that that regulation does not limit the scope of the specific provisions of that directive. Accordingly, the GDPR cannot be considered to take precedence over Directive 2000/31 on the grounds that it was adopted after that directive.

(c)    Final remarks

179. In the light of the foregoing, both Directive 2000/31, as interpreted by the Court, (90) and the GDPR (91) are structured in such a way as to enable them to be applied in parallel to matters that are not specifically regulated under the GDPR. It therefore remains to be determined whether the GDPR contains a clause that fulfils a role comparable to that of Article 14(1) of that directive.

180. In that regard, Article 82(3) of the GDPR provides that a controller or processor, as the case may be, is exempt from liability for the damage caused by processing that infringes that regulation ‘if it proves that it is not in any way responsible for the event giving rise to the damage’. In the event of a personal data breach by a ‘third party’, within the meaning of Article 4(10) of that regulation, the controller or processor may be exempt from liability, on the basis of Article 82(3) of that regulation, by proving that there is no causal link between its possible breach of the data protection obligation and the damage suffered by the natural person. (92)

181. I believe that Article 82(3) of the GDPR does not constitute a clause providing exemption from liability that fulfils a role comparable to that of Article 14(1) of Directive 2000/31.

182. Article 14(1) of Directive 2000/31 only applies if an intermediary service provider can be held liable, under the rules applicable to that provider, for information stored at the request of users of its intermediation service. The question of whether that provision applies therefore only arises if the conditions required for the service provider to be liable for the information stored, as laid down in the applicable rules, are met. In that respect, the conditions for the right to compensation provided for in Article 82 of the GDPR are laid down in paragraphs 1 to 3 of that article. Article 82(3) of that regulation introduces only one condition for that liability. (93) Indeed, the controller’s liability under Article 82 of that regulation is subject to fault on the part of the controller, which is presupposed unless it proves that it is not in any way responsible for the event giving rise to the damage, within the meaning of paragraph 3. (94)

183. A processor that could be held liable under Article 82 of the GDPR is therefore not ineligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31.

184. However, we should not lose sight of the fact that a processor may be liable under the second sentence of Article 82(2) of the GDPR only where it has not complied with the obligations of that regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. The obligations and responsibilities of the operator of an online marketplace acting as a processor in relation to the data contained in advertisements posted on its platform are therefore linked primarily to Article 32 of that regulation. (95)

185. That being said, as I have already observed, it is not clear whether, in the main proceedings, Russmedia’s liability for a breach of the GDPR could arise under Article 82 of that regulation or under national legislation. If that company can be held liable for a breach of that regulation under national legislation (and Article 82(3) of that regulation therefore does not apply), there is even less reason to find that the entity concerned is ineligible for the exemption from liability provided for in Article 14(1) of Directive 2000/31.

186. To conclude, I believe that a party involved in the processing of personal data as a processor that could be held liable for a breach of the GDPR in relation to the processing of such data can rely on the exemption from liability provided for in Article 14(1) of Directive 2000/31. My conclusion regarding the relationship between those two instruments of EU law is therefore not likely to alter my proposed answers to the questions referred for a preliminary ruling.

V.      Conclusion

187. In the light of all the foregoing considerations, I propose that the Court of Justice answer the questions referred for a preliminary ruling by the Curtea de Apel Cluj (Court of Appeal, Cluj, Romania), as follows:

(1)      Article 14(1) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’)

must be interpreted as meaning that the provider of an information society service that makes available to users an online marketplace on which free or paid advertisements are posted may also be considered eligible for the exemption from liability provided for in that legal provision where that provider indicates, in the general terms and conditions of use of its online marketplace, that, while it does not claim any right of ownership over the content that is provided, published, uploaded or transmitted, it nonetheless retains the right to use that content, including by means of copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and removing it at any time, without the need for any reason for doing so, provided that that service provider does not take any action that would cause it to cease to be classified as a neutral hosting provider.

(2)      Article 5(1)(f), Article 6(1)(a) and Articles 7, 24 and 25 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the provider of an information society service with activity consisting in hosting advertisements, whether free or paid, on a website at the request of its users acts as processor in respect of the personal data contained in the advertisements posted on its online marketplace. In that context, it is not required to verify the content of the advertisements posted or to implement security measures to prevent or limit the copying and redistribution of the content of the advertisements published by means of its services. However, it must implement appropriate organisational and technical measures to ensure the security of processing vis-à-vis third parties. On the other hand, such a service provider acts as a data controller with regard to the personal data of user advertisers registered on its website. In that context, it is required to verify the identity of those user advertisers.

---

1      Original language: French.

---

2      Directive of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ 2000 L 178, p. 1).

---

3      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

---

4      Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

---

5      Directive of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (OJ 1998 L 24, p. 1).

---

6      Monitorul Oficial al României, Part I, No 483 of 5 July 2002.

---

7      Monitorul Oficial al României, Part I, No 403 of 10 May 2006.

---

8      Although this provision is not reproduced in the order for reference, it lays down the defences in law for a person whose non-pecuniary rights have been infringed or threatened. Such a person may apply to the courts, in particular, for compensation or, where applicable, a financial remedy for the damage caused to him or her, if that damage is attributable to the person who committed the harmful act.

---

9      The implementing rules for Law No 365/2002 were approved by Hotărârea Guvernului nr. 1.308/2002 (Government Decision No 1308/2002) and constitute a regulatory administrative act. Article 11(1) of that decision provides that ‘information society service providers that offer the services referred to in Articles 12 to 15 of [Law No 365/2002] are not required to monitor the information which they transmit or store, nor are they required actively to seek data on activities or information having the appearance of unlawful activity in the sector of the information society services that they supply’.

---

10      Judgment of 12 July 2011 (C‑324/09, ‘the judgment in L’Oréal and Others’, EU:C:2011:474, paragraph 116).

---

11      See the judgment in L’Oréal and Others (paragraph 124).

---

12      Judgment of 11 September 2014 (C‑291/13, EU:C:2014:2209, paragraph 46).

---

13      See judgment of 23 March 2010, Google France and Google (C‑236/08 to C‑238/08, EU:C:2010:159, paragraph 107).

---

14      See, with regard to the provisions transposing EU law, Wilman, F., The Responsibility of Online Intermediaries for Illegal User Content in the EU and the US, Edward Elgar, Cheltenham – Northampton, 2020, p. 18, paragraph 2.18. See also, with regard to EU law as such, recital 17 of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ 2022 L 277, p. 1) (‘the Digital Services Act’).

---

15      Indeed, according to the court of first instance, the actions attributed to Russmedia were unlawful because they infringed the GDPR. Similarly, the proceedings between the parties before the court of second instance and the referring court concern the question as to whether Article 14(1) of Directive 2000/31 can be relied on to exempt a service provider from liability for an infringement of that regulation. See point 28 of the present Opinion.

---

16      See point 5 of the present Opinion.

---

17      See point 29 of the present Opinion.

---

18      Russmedia argued that ‘its role in publishing users’ advertisements is purely technical (making the platform available)’.

---

19      See point 29 of the present Opinion.

---

20      See judgment of 23 March 2010, Google France and Google (C‑236/08 to C‑238/08, EU:C:2010:159, paragraphs 112 and 113).

---

21      See the judgment in L’Oréal and Others (paragraph 113).

---

22      See the judgment in L’Oréal and Others (paragraph 115).

---

23      In essence, this provision establishes that such a service provider may not have knowledge of the unlawful activity or information. See point 68 of the present Opinion.

---

24      See, to that effect, judgment of 22 June 2021, YouTube and Cyando (C‑682/18 and C‑683/18, ‘the judgment in YouTube and Cyando’, EU:C:2021:503, paragraph 114).

---

25      Judgment in L’Oréal and Others (paragraph 116).

---

26      Judgment of 11 September 2014, Papasavvas (C‑291/13, EU:C:2014:2209, paragraph 45).

---

27      By way of illustration, as the Commission observed at the hearing, a similar clause appeared in the terms and conditions of use of the video-sharing platform at issue in the judgment in YouTube and Cyando (paragraph 30). Furthermore, the Commission indicated in its written observations that the terms and conditions of use of Russmedia’s online marketplace do not appear to be substantially different from those of the operator of the platform at issue in the judgment in L’Oréal and Others.

---

28      See, to that effect, the judgment in L’Oréal and Others (paragraph 122) and the judgment in YouTube and Cyando (paragraph 115).

---

29      See, to that effect, the judgment in YouTube and Cyando (paragraph 113).

---

30      See, to that effect, the judgment in YouTube and Cyando (paragraphs 111 and 112).

---

31      See, to that effect, judgment of 3 October 2019, Glawischnig-Piesczek, C‑18/18, EU:C:2019:821, paragraph 42.

---

32      Paragraph 108 of that judgment.

---

33      Directive of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ 2001 L 167, p. 10).

---

34      See judgment of 14 June 2017, Stichting Brein, C‑610/15, EU:C:2017:456, paragraphs 36, 45 and 48.

---

35      See point 76 of the present Opinion.

---

36      See, to that effect, my Opinions in cases Airbnb Ireland and Others (C‑662/22 to C‑667/22, EU:C:2024:18, points 4 and 5).

---

37      See Articles 5 to 7 and 10 of Directive 2000/31.

---

38      See, by way of illustration, Article 5 of Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ 2021 L 172, p. 79) and Article 28b of Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) (OJ 2010 L 95, p. 1, and corrigendum OJ 2010 L 263, p. 15), as amended by Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018 (OJ 2018 L 303, p. 69).

---

39      See Article 35(1)(c) of the Digital Services Act.

---

40      See point 83 of the present Opinion.

---

41      See, to that effect, the judgment in YouTube and Cyando (paragraph 113).

---

42      See, to that effect, judgment of 3 October 2019, Glawischnig-Piesczek (C‑18/18, EU:C:2019:821, paragraph 44).

---

43      See Article 5(2) of the GDPR.

---

44      See judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraph 36).

---

45      See, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraph 31).

---

46      See judgments of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2018:388, paragraph 37), and of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraph 32), which suggest that the person that plays an active role in determining the circle of persons whose data will be processed and decides which data will be processed is a data controller.

---

47      See, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraph 33), which implies that a choice of communication channels through which data can be consulted by third parties essentially amounts to determining the means of processing.

---

48      See, to that effect, judgments of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraph 77), and of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraph 33).

---

49      See, to that effect, van der Sloot, B., ‘Welcome to the Jungle: The Liability of Internet Intermediaries for Privacy Violations in Europe’, Jipitec, vol. 6, No 3, 2015, p. 217.

---

50      See, on this question, Helberger, N, and van Hoboken, J, ‘Little Brother Is Tagging You – Legal and Policy Implications of Amateur Data Controllers’, Computer Law International (CRi), No 4, 2010, p. 101 et seq., and Finck, M., ‘Cobwebs of Control: The Two Imaginations of the Data Controller in EU Law’, International Data Privacy Law, vol. 11, No 4, 2021, pp. 338 to 341.

---

51      See, to that effect, judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraph 74).

---

52      With the entry into force of the GDPR, that Working Party has been replaced by the European Data Protection Board (see Article 68 and Article 94(2) of that regulation).

---

53      Available on the following website: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf, p. 25.

---

54      Available on the following website: https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf, paragraph 40.

---

55      See point 102 of the present Opinion.

---

56      See, to that effect, judgment of 25 January 2024, MediaMarktSaturn (C‑687/21, EU:C:2024:72).

---

57      See, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022, paragraph 68).

---

58      See point 93 of the present Opinion.

---

59      See point 111 of the present Opinion.

---

60      See, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:986, paragraph 30).

---

61      See point 99 of the present Opinion.

---

62      See, on that question, point 115 of the present Opinion.

---

63      See point 137 of the present Opinion.

---

64      See point 120 of the present Opinion.

---

65      See, to that effect, Keller, D., ‘The Right Tools: Europe’s Intermediary Liability Laws and the EU 2016 General Data Protection Regulation’, Berkeley Technology Law Journal, vol. 33, No 1, 2018, p. 373.

---

66      See judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317).

---

67      See judgment of 23 March 2010, Google France and Google (C‑236/08 to C‑238/08, EU:C:2010:159, paragraphs 106 to 120).

---

68      See judgment of 23 March 2010, Google France and Google (C‑236/08 to C‑238/08, EU:C:2010:159, paragraphs 114 to 119).

---

69      See point 49 of the present Opinion.

---

70      See points 113 to 115 of the present Opinion.

---

71      See point 148 of the present Opinion.

---

72      On that legal characterisation, see point 120 of the present Opinion.

---

73      See Article 89 of the Digital Services Act.

---

74      My emphasis.

---

75      See, to that effect, the judgment in YouTube and Cyando (paragraph 115).

---

76      According to some academic writers, the exemption from liability provided for in Article 14(1) of Directive 2000/31 applies cumulatively with the GDPR. See, to that effect, Keller, D., ‘The Right Tools: Europe’s Intermediary Liability Laws and the EU 2016 General Data Protection Regulation’, Berkeley Technology Law Journal, vol. 33, No 1, 2018, p. 371, and Sartor, G., ‘Providers’ Liabilities in the New EU Data Protection Regulation: A Threat to Internet Freedom?’, International Data Privacy Law, vol. 3, No 1, 2013, pp. 5 and 8. Other authors are of the opinion that those two regimes do not overlap. See, to that effect, Riordan, J., The Liability of Internet Intermediaries, Oxford University Press, Oxford, pp. 383 and 384.

---

77      See point 157 of the present Opinion.

---

78      See point 120 of the present Opinion.

---

79      See, to that effect, judgment of 28 April 2022, Meta Platforms Ireland (C‑319/20, EU:C:2022:322, paragraph 78).

---

80      See, to that effect, judgment of 4 October 2024, Lindenapotheke (C‑21/23, EU:C:2024:846, paragraph 60).

---

81      Under Article 94(2) of the GDPR, references to Directive 95/46 are to be construed as references to the GDPR.

---

82      Directive of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37). Under Article 19 of Directive 2002/58, references made by EU law to Directive 97/66 are to be construed as being made to the former directive.

---

83      Judgment of 29 January 2008 (C‑275/06, EU:C:2008:54, paragraphs 41 and 56).

---

84      See, to that effect, judgment of 29 January 2008, Promusicae (C‑275/06, EU:C:2008:54, paragraph 57).

---

85      Judgment of 6 October 2020 (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 193).

---

86      See, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 194).

---

87      See judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 212).

---

88      See judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 200).

---

89      See also recital 21 of the GDPR.

---

90      See point 176 of the present Opinion.

---

91      See point 178 of the present Opinion.

---

92      See judgment of 14 December 2023, Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:986, paragraph 72).

---

93      See, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022, paragraph 94).

---

94      See, to that effect, judgment of 4 October 2024, Agentsia po vpisvaniyata (C‑200/23, EU:C:2024:827, paragraph 163).

---

95      See point 126 of the present Opinion.