A landmark ruling by the ECJ makes platforms co-responsible for user data, while Brexit also ensures separate data protection systems in the EU and Great Britain.
Online platforms in Europe are reorganizing their data protection structures following a landmark ruling by the European Court of Justice. The era of the “neutral host” is finally over.
BERLIN/BRUSSELS. As of today, digital marketplaces and social networks in Europe have to take significantly more responsibility for their users’ data. The trigger is the so-called “Russmedia” verdict of the European Court of Justice (ECJ) from December 2025, the consequences of which are now having a full impact. At the same time, new, different data protection rules are coming into force in the United Kingdom – a dilemma for international corporations.
ECJ ends era of “neutral host”
Table of Contents
At the center of the upheaval is the judgment in the Case C-492/23. The ECJ ruled that platforms that “optimize” or promote user content through algorithms are considered joint responsible persons (Joint Controller) according to the GDPR apply. You can no longer hide behind the claim that you only provide neutral infrastructure.
Advertisement
Platforms that use algorithms to recommend content now risk not only reputational damage, but also severe sanctions if there is no data protection impact assessment (DPIA). The free e-book explains in a practical way when a DPIA is mandatory, which risks need to be assessed, and provides ready-made Word templates, an inspection checklist and sample wording for reports to supervisory authorities. Templates that can be implemented quickly save time and reduce liability risks. Download free DPIA template & instructions
This has far-reaching consequences: Platforms must now check whether personal data is lawfully processed in a private classified ad – and that before she goes online. The case, which originally originated from the Romanian portal Publi24, breaks the liability shield for active content brokers. Legal departments are currently revising their data processing contracts on a massive scale.
Brexit divides European data protection
The situation is further complicated by reforms in the United Kingdom. The new one has been in effect there since February 5, 2026 Data (Use and Access) Act. It replaces the principle “prohibited unless” with “permitted as long as” for certain data uses.
So while companies in the EU have to introduce stricter controls, their British branches may be able to handle data more flexibly. Compliance experts report an enormous effort: They have to set up separate data protection systems for the EU and UK markets in order to prevent the different standards from being mixed up.
Messengers like WhatsApp under the strictest supervision
Added to this is the pressure from the Digital Services Act (DSA). At the end of January 2026, the EU Commission downgraded further services, including WhatsAppas “Very Large Online Platforms” (VLOPs). They are therefore subject to the strictest transparency and risk management obligations.
The supervisory authorities are making it clear: algorithms that sort and recommend content are no longer a neutral tool. They are the core of data processing – and the platform must therefore take responsibility for them. This perspective calls into question business models that previously relied on automatic personalization.
Who bears the costs of the new responsibility?
The reorganization is more than bureaucracy. It fundamentally shifts the economic risk model of the digital world. Industry experts expect that the costs of preliminary checks and the compliance effort will be passed on primarily to commercial users.
For medium-sized platforms, expenses for separate systems and transfer checks are likely to increase noticeably. The crucial question now is: How do national data protection authorities such as the German supervisory authority implement the ECJ ruling in practice? Until then, there will be a phase of active restructuring at corporate headquarters – and the search for ways to minimize liability risks in this new, more responsible era.
Advertisement
PS: Is your company at risk of a fine for failing to conduct a data protection impact assessment? Our free e-book provides complete instructions: ready-made sample templates, practical checklists and step-by-step instructions that data protection officers and legal departments can use to create a legally compliant DPIA and defend it against supervisory authorities. Ideal for quickly implementing the new ECJ requirements and reducing liability risks. Request a free DPIA template now
date: 2026-02-09 12:56:00