- Introduction
The judgment delivered by the Court of Justice of the European Union (Grand Chamber, 2 December 2025) constitutes a significant development in EU digital law, particularly with regard to the interaction between intermediary liability and data protection. The Court was called upon to clarify the relationship between Directive 2000/31/EC on electronic commerce (hereinafter, the E-Commerce Directive) and Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR), in a case concerning the dissemination of sensitive personal data through an online classifieds platform. The ruling addresses a long-standing tension within EU law: the need to preserve the functional neutrality of online intermediaries while ensuring a high level of protection for fundamental rights, especially the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. By adopting a functional and substantive approach to the qualification of platform operators, the Court contributes to an evolving jurisprudence that increasingly scrutinises the real influence exercised by platforms over the circulation of personal data.
- The Facts and Preliminary Questions
The dispute originated from the publication, on an online marketplace for classified advertisements, of content containing photographs and explicit references to an identifiable woman’s sexual life. The advertisements were uploaded by third parties and made publicly accessible without the data subject’s consent. The platform operator argued that it merely provided a technical hosting service and therefore benefited from the liability exemption set out in Article 14 of the E-Commerce Directive. The referring national court expressed doubts as to whether such an exemption could shield the platform from obligations arising under the GDPR, particularly where the data at issue fell within the special categories of personal data under Article 9 GDPR. Accordingly, several preliminary questions were referred to the Court of Justice, essentially asking whether the platform operator could be regarded as a controller or joint controller, whether the hosting exemption limited the applicability of data protection rules, and how the processing of sensitive data should be assessed in this context.
- The Normative Framework: Distinct Objectives and Complementary Functions
In its reasoning, the Court carefully distinguishes between the objectives and scope of the E-Commerce Directive and those of the GDPR. The E-Commerce Directive establishes a conditional exemption from liability for certain categories of intermediary service providers, including hosting providers, provided that they play a neutral and passive role and act expeditiously upon obtaining knowledge of illegal content (Article 14). At the same time, Article 15 of the Directive prohibits the imposition of general monitoring obligations.
By contrast, the GDPR lays down a comprehensive framework governing the lawful processing of personal data, grounded in principles such as lawfulness, fairness, transparency and accountability. Its application depends not on the classification of a service as “hosting”, but on whether an entity determines the purposes and means of the processing, in whole or in part. The Court emphasises that these two instruments operate on different normative levels. While the E-Commerce Directive concerns liability for unlawful content, the GDPR governs the conditions under which personal data may be lawfully processed. As a result, reliance on the hosting exemption cannot, in itself, exclude the application of data protection obligations.
- The Functional Qualification of the Platform Operator
A central aspect of the judgment lies in the Court’s approach to the qualification of the platform operator. Rejecting a formalistic reliance on abstract labels, the Court adopts a functional analysis based on the actual role played by the platform in the processing of personal data. According to the Court, an operator may qualify as a controller or joint controller where it exerts influence over the purposes or means of the processing. Such influence may manifest through the organisation and structuring of content, the establishment of rules governing publication, the enhancement of visibility through categorisation or ranking mechanisms, or the monetisation of user-generated content. What matters is not whether the platform created the content, but whether it actively shapes the conditions under which personal data are disseminated. This reasoning aligns with earlier case law concerning the notion of controller under EU data protection law, yet it extends that logic to contexts traditionally regarded as neutral. In doing so, the Court acknowledges the economic and technical power exercised by platforms over information flows and rejects the assumption that hosting services are necessarily passive by design.
- Sensitive Personal Data and the Requirement of Explicit Consent
The Court places particular emphasis on the nature of the data at issue. Information relating to an individual’s sexual life clearly falls within the special categories of personal data listed in Article 9(1) GDPR, the processing of which is in principle prohibited. Such data may only be processed under the limited exceptions set out in Article 9(2), most notably where the data subject has given explicit consent. In the present case, the absence of consent rendered the processing inherently unlawful. The Court underlines that the online dissemination of sensitive data significantly amplifies the risk of harm, given the potential for wide and lasting accessibility. This consideration reinforces the need for strict compliance with the GDPR and limits the ability of platforms to invoke their intermediary status as a shield against responsibility. The judgment thus confirms that, where sensitive data are involved, the threshold for lawful processing is particularly high, and the obligations imposed on entities participating in such processing are correspondingly stringent.
- Hosting Exemptions and Data Protection Obligations
Another key contribution of the judgment concerns the relationship between the hosting exemption under Article 14 of the E-Commerce Directive and the obligations arising under the GDPR. The Court makes clear that the hosting exemption does not override or derogate from data protection law. Even where a platform benefits from a limitation of liability for illegal content, it remains subject to the GDPR if it qualifies as a controller or joint controller. Moreover, the prohibition of general monitoring obligations under Article 15 of the E-Commerce Directive does not preclude the adoption of targeted and proportionate measures aimed at preventing manifestly unlawful data processing. The Court thus recognises that compliance with the GDPR may require platforms to implement technical and organisational safeguards, particularly in relation to sensitive data, without imposing a general obligation to monitor all user activity.
- Conclusions
The judgment of 2 December 2025 contributes to a more coherent and rights-oriented interpretation of EU digital law. It confirms that the protection of personal data, particularly sensitive data under Article 9 GDPR, cannot be subordinated to intermediary liability exemptions under the E-Commerce Directive. By redefining platform responsibility through a functional lens, the Court reinforces the central role of data protection within the European digital ecosystem. By focusing on the substantive role played by platforms, the Court avoids the risk that formal classifications could be used to circumvent the GDPR. The decision reflects a realistic understanding of platform governance and acknowledges the capacity of intermediaries to influence data flows in meaningful ways: whether a platform qualifies as a controller requires a case-by-case assessment. This might probably lead to divergent outcomes across Member States. Furthermore, increased exposure to liability could incentivise platforms to adopt overly cautious moderation practices, potentially affecting freedom of expression and access to information. Looking ahead, the ruling is likely to influence the interpretation of newer regulatory instruments, including the Digital Services Act, and to shape future debates on the appropriate balance between innovation, freedom of communication and the protection of fundamental rights online.
