From intermediaries to co-responsible parties: the new standard of responsibility for digital platforms in Europe and its effect on Chile

Articles31 December 2025
With the forthcoming entry into force of Law No. 19,628 and its amendment by Law No. 21,719 on Personal Data Protection, the transition to a new standard of personal data protection that will govern marketplaces, social networks, and local intermediation platforms faces increasingly urgent challenges.

The Russmedia ruling (CJEU, 2 December 2025, C-492/23) redefines the liability of online market and platform operators when processing personal data in advertisements published by third parties, especially when they include sensitive data, affirming the prevalence of the European Union's General Data Protection Regulation (GDPR) over the "safe harbours" of Directive 2000/31 (Directive on electronic commerce).


The case arises from an advertisement on the Romanian website Publi24.ro that falsely attributed sexual services to the applicant, using photos and a telephone number without her consent. Although Russmedia quickly removed the advertisement, it was replicated by other sites.


After conflicting rulings in Romania, the matter was referred to the CJEU to determine whether a marketplace can be held liable (or jointly liable) for the processing of personal data contained in advertisements hosted by third parties and whether it can invoke the exemptions from liability under Directive 2000/31 in relation to the obligations arising from the GDPR.


The CJEU adopted a broad view of data controller, consistent with Chilean law on personal data protection, understanding it to be any entity that "alone or jointly with others determines the purposes and means of the processing" of personal data.


Thus, even though the advertising user, who defines the content and data included in the advertisement, is primarily responsible, the marketplace operator may also be held responsible for the processing of personal data contained in the advertisements when:

  • It publishes data for its own commercial or advertising purposes, which go beyond the mere technical provision of hosting to the advertiser;
  • Its terms of use allow it to reuse or disseminate the information;
  • It defines parameters of visibility, duration or segmentation that influence the dissemination of the data.

In this regard, what is relevant for attributing the status of controller is the activity that is actually carried out on the data (dissemination, monetisation, configuration), and not only the way in which the operator defines itself, for example, as a 'mere intermediary'.


With regard to the application of the exemption from liability contained in Directive 2000/31, the CJEU concludes that the GDPR applies without prejudice to Directive 2000/31 and that the rules of the Directive cannot undermine the requirements of the GDPR, since the latter is precisely the specialised legislation.


Consequently, the operator of an online marketplace, acting as the controller of the personal data contained in advertisements published on its online marketplace, cannot invoke Directive 2000/31 in relation to non-compliance with the obligations arising from the GDPR. This does not prevent the operator from invoking the "safe harbours" in relation to other claims not related to personal data protection.


The most disruptive aspect of the ruling is that the Court establishes enhanced obligations when sensitive personal data is involved, as it requires the operator, prior to publication, to identify such content, verify whether the advertiser is the data subject and, if not, require explicit consent or apply a valid exception. This is shared by national legislation, as Law No. 19,628, amended by Law No. 21,719, states that sensitive data may only be processed when the owner of the data gives their express consent, with some exceptions.


The Court links these requirements to the principle of proactive responsibility and the obligations of data protection by design and by default, principles shared by our regulations.

Therefore, from a technical perspective, the Russmedia ruling provides us with at least four new developments:

  • Extension of joint controllership: The idea that operators who structure, display and monetise third-party advertisements share responsibility with the advertising users, even without intervening in the specific content or knowing its illegality ex ante, is consolidated.
  • Establishment of ex ante obligations: Advertisements containing sensitive data must be identified prior to publication, based on a "general" risk expectation that such content will be uploaded to the platform.
  • Identity verification and explicit consent: It imposes an obligation to verify whether the advertiser is the person to whom the sensitive data refers and, if not, to require proof of explicit consent, thereby strongly questioning models that allow anonymous publication of advertisements with personal content from third parties.
  • Separation between the intermediary regime and the personal data regime: The ruling determines that the status of intermediary in Directive 2000/31 does not neutralise the security, design and proactive responsibility obligations of the GDPR.

Even so, the CJEU clarifies that these requirements do not amount to general monitoring prohibited under the Directive.


In Chile, where there is no similar "safe harbour", this decision provides criteria for assessing the joint responsibility of platforms that structure and monetise third-party content, and for designing ex ante obligations with regard to sensitive data. Sectors such as marketplaces, social networks, dating apps, professional reviews or user-generated content will need to review security measures, traceability and contractual limits to prevent illegal replication.


Finally, the ruling opens the debate on how to balance protection against false or degrading advertisements, the need to identify those who publish third-party data, and the preservation of spaces for anonymous expression.


________________________

[1] Article 2, letter n). Law 19.628 and its amendment by Law 21.7189, on Personal Data Protection. 

[1] Article 4.7. GDPR

[1] Shared by Article 13 of the Chilean Civil Code, which states that "the provisions of a law relating to particular things or businesses shall prevail over the general provisions of the same law when there is a conflict between them". 

_______________________

[1] The exceptions contained in the GDPR are exhaustive and are contained in Art. 9.2. GDPR. 

[1] Article 16 of Law 19.628 and its amendment by Law 21.719 on Personal Data Protection. 

[1] Law 19.628 and its amendment by Law 21.719, on Personal Data Protection, structurally incorporates the concept of "proactive responsibility" into the data protection regime in Chile, which translates into specific obligations and materialises, for example, in the obligation to maintain a record of processing activities, carry out impact assessments, implement preventive and security measures, document decisions, and be able to demonstrate to the authority that the principles and obligations are being complied with. 

[1] Article 14 quater. Law 19,628 and its amendment by Law 21,719 on Personal Data Protection. 

[1] Article 15. No general obligation to supervise.

Una pasarela de vidrio suspendida sobre una estructura moderna con sombras proyectadas.

Related partners

LATEST FROM #ECIJA