(CN) - Online marketplaces just lost their cover of neutrality on Tuesday as Europe's top court ruled they're responsible for leaks of user-posted content and other misuses of personal data.

The Court of Justice made it clear that when a platform controls how content appears, sets the rules for its use and profits from its visibility, it stops being a neutral host and becomes a data controller under EU privacy law, meaning it decides why and how people's information is processed and must answer for it.

The EU's General Data Protection Regulation, or GDPR, is the bloc's landmark privacy law that gives people control over how their personal information is used. It's designed to hold companies accountable when they collect, store, or share personal data, setting some of the toughest privacy standards in the world.

The court stressed that the fake post at the center of the case exposed sensitive personal details protected under the GDPR, noting that such data merits "specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms" of the person involved.

Under the GDPR, a "controller" is anyone who decides why and how that data is processed. Even if users upload the content themselves, a company that decides how it's displayed, organized or reused still shares legal responsibility.

Those controllers have to prove that every step - from publishing to storing information - is lawful, secure and truly necessary. The court made clear that these rules don't just apply to big social networks or ad sites but to any online service built on user content.

It all started in Romania in 2018, when a woman stumbled across a fake listing on Publi24, a popular classifieds site where people buy, sell and advertise just about anything. The anonymous post falsely described her as a sex worker, using her photos and phone number, and soon spread to copycat sites across the web. 

Publi24 is run by Russmedia Digital, one of Romania's biggest online media companies. The platform took the ad down within an hour of her complaint, but the damage was done - copies lingered online for years. Arguing that her privacy and dignity had been violated, she decided to take Russmedia to court.

A lower court first ruled in her favor, granting about 7,000 euros (about $8,129) in damages, but that victory didn't last long. An appellate court overturned the decision, agreeing with Russmedia's claim that it was just a neutral hosting provider under Romania's e-commerce rules. 

Refusing to give up, the woman appealed once more, and the Romanian Court of Appeal asked Europe's top judges in Luxembourg to decide whether platforms can really sidestep GDPR responsibilities when illegal or harmful content appears on their sites.

Luxembourg's judges answered clearly: they cannot. The GDPR doesn't expect them to police every single post, but it does require real safeguards - things like verifying who's posting, checking for sensitive information and blocking anything that uses personal data without clear consent. The court said those steps are vital because once private details hit the internet, scrubbing them out later can be nearly impossible.

The court also drew a clear line between Europe's two main digital rulebooks: the GDPR, which protects personal data, and the EU's e-commerce directive, which shields platforms from liability when they act as neutral hosts. Those laws, the judges said, work hand in hand rather than against each other. 

The e-commerce directive's safe harbor covers only platforms that act as neutral conduits - simply storing or transmitting data without shaping or influencing it. Once a company starts curating, promoting, or profiting from user content, the judges said, it steps out of that safe zone and must follow the full set of EU privacy rules. 

In this case, they found that Russmedia had gone beyond a passive role by reserving broad rights to "use published content, distribute it, transmit it, reproduce it, modify it, translate it, transfer it to partners and remove it at any time, without the need for any 'valid' reason for so doing."

Iulia Kis, the lawyer representing the Romanian woman who brought the case, said the decision marks a turning point for victims whose personal information is misused online.

"It strengthens the protection of victims whose personal data is illegally processed and whose sensitive information is published in online advertisements," she said, adding that it closes the legal gap that once allowed platforms to hide behind liability exemptions.

Russmedia Digital did not immediately respond to a request for comment.

The case now returns to the Romanian court, which will have to apply the Luxembourg ruling and decide what compensation, if any, the woman should receive.

But the impact won't stop there. The ruling sets a new EU-wide standard, making clear that platforms can be held liable for privacy breaches tied to user content. It marks a shift toward stronger accountability, where running a platform also means protecting the people who use it.

Courthouse News reporter Eunseo Hong is based in the Netherlands.

Source: Courthouse News Service