GDPR vs. Host Liability: Russmedia Judgment Analysis

by Grace Chen

EU Court Solidifies GDPR’s ‘Quasi-Constitutional’ Status in Landmark Platform Ruling

The General Court of Justice of the European Union has delivered an important ruling affirming the primacy of the General Data Protection Regulation (GDPR) and clarifying the responsibilities of online platforms regarding user data. The decision, stemming from a preliminary ruling request submitted on July 24, 2023, by the Bucharest Court of Appeal in Romania, establishes a functional hierarchy within European law, positioning data protection as a near-constitutional principle.

The case centered on the qualification of Russmedia, an online platform, under the GDPR; the scope of its obligations as a data controller; and the applicability of an exemption from liability under Directive 2000/31/EC. The Court’s judgment is particularly noteworthy for its unique approach to regulating the activities of digital platforms, implicitly recognizing the GDPR’s autonomous interpretation and explicitly outlining its relationship with other regulatory instruments.

Defining the Data Controller & ‘Ex Ante’ Obligations

At the heart of the ruling lies the Court’s interpretation of the “data controller” definition within the GDPR. Drawing on established case law – including judgments in Fashion ID (CJEU July 29, 2019, case C-40/17), Business Academy (CJEU June 5, 2018, case C-210/16), and National Center for Public Health (CJEU Dec. 5, 2023, case C-683/21) – the Court emphasized that qualification hinges on influence over the means of processing and the determination of processing purposes.

The Court examined specific details presented by the referring court, noting that Russmedia’s terms of service grant it the power to reproduce, modify, distribute, and delete advertisements. Moreover, the platform controls the presentation, classification, and duration of ad displays, operating within a defined commercial framework. These actions, the Court concluded, directly contribute to determining both the means and purposes of data processing, thereby establishing Russmedia as a data controller under the GDPR (pts 67-73).

“Joint liability does not presuppose that each person responsible has access to the data,” the Court clarified, referencing the Fashion ID judgment (CJEU July 29, 2019, case C-40/17, pt 69). It further stated that such liability can arise from converging decisions, even without a shared determination of processing (pt 61; CJEU Dec. 5, 2023, National…). This broadens the scope of responsibility for data processing activities.

Diverging Opinions & the Advocate General’s Analysis

The scope of this ruling is further illuminated by comparing it to the conclusions of Advocate General Szpunar, presented on February 6, 2025. Szpunar proposed a substantially different analysis, as reported by Dalloz news on February 11, 2025, with commentary from Mr. Clément-Fontaine. The contrast between the two perspectives underscores the key points of contention and the Court’s intentional choice to prioritize a robust interpretation of the GDPR.

Implications for Platforms & the Future of Data Protection

This judgment signals a significant shift in the regulatory landscape for online platforms. The Court’s affirmation of an autonomous GDPR interpretation, particularly in defining the role of data controller and establishing “ex ante” obligations, sets a precedent for future cases. Platforms can no longer rely on a limited interpretation of their responsibilities and must proactively implement measures to ensure data protection compliance.

The ruling’s implications extend beyond Russmedia, impacting a wide range of online services that facilitate user-generated content or advertising. It reinforces the notion that data protection is not merely a procedural requirement, but a basic right with quasi-constitutional standing within the European Union legal framework.
