Woman’s sex-ad nightmare triggers landmark CJEU ruling

Published: 4 December 2025
Last updated: 4 December 2025
monitor-with-marketplace-visual

The Court of Justice of the European Union (CJEU), Europe’s top court, has ruled that online marketplaces are considered data controllers under the General Data Protection Regulation (GDPR), even if an ad is placed by a user.

The ruling stems from a case that was brought before court in August 2018 by Russmedia Digital, a Romanian company that ran an online marketplace where users could publish ads free of charge.

Around that time, an unknown user published an advertisement, stating that a woman was offering sexual services. The ad included photos of the woman, which were used without her consent, along with her phone number.

ADVERTISEMENT

The woman in question contacted Russmedia Digital to remove the advertisement, which was done within the hour. However, the ad had already appeared on other websites, where it remained accessible.

The woman launched a lawsuit in Romania, arguing that her honor, reputation, and privacy were violated because of the ad. The Court of First Instance of Cluj-Napoca upheld her claim and ordered Russmedia Digital to pay her €7,000 in non-material damages.

russmedia-non-material-damages
Image by Cybernews.

The owner of the website appealed the decision at the Specialized Court of Cluj. The judge ruled in favor of the company, stating that it merely offered a service that wasn’t liable for the content that was published by its users.

The woman then lodged an appeal with the Court of Appeal of Cluj, which, in turn, asked the CJEU for guidance on the interpretation of the GDPR in this case.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

According to the EU’s highest court, operators of online marketplaces should be considered data controllers, meaning that online marketplaces must screen and verify ads before they are published. In addition, they must get consent from any person whose data appears in the ads they run, even if it’s placed by a user.

“In the absence of that consent, the operator of an online marketplace must refuse publication of the advertisement in question. Furthermore, the operator of an online marketplace must endeavour to prevent advertisements containing sensitive data that are published on its website from being copied and unlawfully published on other websites. To that end, it must implement appropriate technical and organisational security measures,” the CJEU said in a press release.

ADVERTISEMENT

Critics claim that the ruling will have major implications for data protection across all EU Member States.

“The ruling confirms that operators of online marketplaces are directly responsible for ensuring that personal data in advertisements is identified and verified before publication, setting a new standard for data protection compliance across the EU. This carries significant implications to remain compliant,” Nienke Kingma, expert on data protection and privacy with Pinsent Masons, explains in a blog post.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT