I can't use reply to this post, which may be some setting by the original post from
@mmasnick.bsky.social
I generally like his writing, not always agree, but he is such great source for the field. In this case, I do hope that people also read other commentary.
So if Russmedia starts prescreening for PII and in the process they see but fail to remove obvious counterfeit Prada bags, they still have a safe harbor under Art 7 when Prada sues? Super good question.
@hutko.bsky.social?
@jvh.bsky.social?
@gateklons.bsky.social?
Dec 5, 2025 17:40The piece is here, and it will be read by many in US circles that are expert in this area but don't have the time themselves to read the full ruling or do not understand the GDPR
bsky.app/profile/mmas...Finally had a chance to write up the CJEU's Russmedia ruling which appears to make it literally *impossible* to run a website in the EU that allows any user content. I just don't see how compliance is possible. At all. Hat tip to
@daphnek.bsky.social for calling it to my attention.
One of the main questions is: does the ruling require general monitoring for hosting intermediaries and online platforms?
Here I disagree with some of the analysis that is going around. The ruling means that some hosting intermediaries, under some circumstances are considered joint controllers under the GDPR for what is posted on their services.
This is not new, Facebook is clearly joint controller for a lot of personal data on their site. They explicitly invite and offer tools to manage the posting of personal data, like group foto's.
It is a different thing to be responsible under data protection law than to be liable for content/communication/information like in the situation of copyright infringement or defamation law.
The GDPR is a law that tries to ensure that personal data is processed fairly, lawfully, and transparently, and it offers very broad standing on rights for people, but it's not that there is no personal data processing in Europe, it has room for interpretation and is a human rights based instrument.
Specifically in this case, it is clear that some compliance would need to be organized for sites that allow ads, and which do so in ways that are not fully under the control of the advertisers. This is a subset of hosting activity.
Now what is important is that because we have the EU Charter and ECHR, you do not have to take draconian measures, like scanning all the content for all possible liability issues (See Sabam and fair balance cases).
And in practice, when thinking of how to comply, one can follow the state to the art. Ask GDPR lawyers and figure it out.
@gzf.bsky.socialAnd do a good job, there are plenty ways in which stuff can be improved in terms of ensuring that you are not basically a channel for garbage or scams. I am not going to review the evidence here, but there is plenty.
Back to Russmedia, and GDPR compliance, as a host you can add some stuff to the interfacing with advertisers, asking if they are posting personal data, if it is sensitive data, and then organize compliance (consent, or legitimate ground).
You can organize it in a way that puts the advertiser in the lead (and make them liable for damages, i would assume). This is not general monitoring in my book.
I am not saying the ruling is a good ruling. It has a lot of issues, it doesn't discuss freedom of expression for instance, which makes it easy to misinterpret. It's giving plenty of space for corrections, though, like many of the rulings in this space in the last 10 years.
