What happens if an advertisement contains personal data and that data is 'sensitive' – for example, where it suggests that the individual offers sexual services – and is untrue? Who bears responsibility under the (EU) GDPR: the advertiser, publisher, or both?
These were the issues before the EU's highest court in Russmedia (C‑492/23), where the Court made a number of findings clarifying the roles and responsibilities of advertisers and publishers that process personal data contained within ads. In particular, the CJEU found that:
- Personal data will fall within the scope of Article 9(1) of the EU GDPR (i.e. special category personal data) where it indirectly reveals protected characteristics, such as information about an individual's sex life or sexual orientation. It is immaterial that the information in question is untrue [paras. 52 and 53].
- A website operator (publisher) processes personal data when it publishes an ad containing personal data – the act of loading personal data onto a webpage constitutes 'processing' for the purposes of the EU GDPR [para. 54]. Although the case concerned an online marketplace, this reasoning is capable of applying equally to more traditional publishers.
- The publisher is a controller in respect of that processing. It is immaterial that the ad was created by an "anonymous user advertiser," or whether the publisher had any actual influence over the content of the ad or awareness of its untrue and harmful nature [paras. 54 and 55]. While the advertiser principally determines the purposes and means of the processing (and therefore is a controller), the publisher is also a controller because it exerts influence over the processing for its own purpose. In particular, it publishes the personal data "for commercial or advertising purposes which go beyond the mere provision of a service which he or she provides to the user advertiser" [paras. 66 and 67]. Further, by making its online marketplace available, the publisher participates in determining the means of publication [para. 70] and sets the parameters for the dissemination of ads [para. 72].
- The publisher and the advertiser "must be considered joint controllers" when the ad is published, as they jointly determine the purposes and means of processing within the meaning of Article 26 of the EU GDPR [para. 92].
- Controllers are required to implement appropriate technical and organisational measures (TOMs) to ensure, and to be able to demonstrate, that processing is performed in accordance with the EU GDPR (Article 24), and to ensure the effective implementation of data protection principles that meet the requirements of the EU GDPR and protect the rights of data subjects through privacy by design and by default (Article 25) [para. 94].
- The publication of personal data on an online marketplace (and, by extension, an ad containing personal data on any website) entails significant risks for individuals, as that data becomes accessible to any internet user and may be copied and reproduced elsewhere. Those risks are heightened where special category data is involved [paras. 95 and 96].
- Where the publisher "knows or ought to know" that ads containing sensitive data are liable to be published, it is obliged to implement TOMs to identify such ads before publication and to be in a position to assess whether the sensitive data is being published in accordance with the principles of the GDPR (including lawfulness, fairness and transparency) [para. 97].
- Because the data in question is special category data, the publisher must also ensure that the data subject has given their explicit consent to the publication, or that another Article 9 condition applies [para. 98]. In addition, the publisher must ensure that its identity and contact details are provided to the data subject [para. 100].
- Where special category data is contained in an ad, the publisher must implement TOMs to ensure an appropriate level of security, including measures aimed at preventing loss of control over the data. To that end, the Court indicated that publishers should consider technical measures capable of blocking the copying and reproduction of online content [paras. 121, 122 and 126].
Although the facts of this case involved an anonymous user advertiser acting in bad faith, and the website concerned was an online marketplace rather than a traditional media outlet, the Court's findings are likely to have broader implications for publishers and the advertisers whose ads appear on publishers' websites.
The Court's clarification of party roles is helpful. It is not uncommon for advertisers to characterise publishers and other supply chain participants as mere processors of personal data contained within ads. However, this judgment reinforces that publishers may themselves be controllers, and joint controllers, in many circumstances. This raises practical questions about how advertisers and publishers can comply with the requirement to put in place a transparent Article 26 joint controller arrangement, particularly given the complexity of the advertising ecosystem and the number of intermediaries that may sit between them.
That said, it remains unclear whether many of the Court's findings should be confined to situations in which the publisher knows or ought to know that ads containing sensitive data are liable to be published. In traditional media, many publishers (and the vendors that represent them) operate policies prohibiting ads that are likely to reveal sensitive data about identifiable individuals. If you are a publisher or vendor, now may be a good time to revisit those policies.
More generally, questions remain about the compliance burden in relation to ads that contain only 'ordinary' personal data. Arguably, publishers must still take steps to ensure compliance with the GDPR principles, but what those steps look like in practice is far from clear.
Finally, it remains to be seen how these issues would be approached by the UK Information Commissioner's Office (ICO) or the UK courts. The ICO has previously demonstrated a willingness to take a more relaxed approach than the CJEU when assessing whether inferences about individuals amount to special category data, and it will be interesting to see whether a similar approach is adopted in this context.
