The CJEU ruling by the Court of Justice of the European Union on Tuesday has made it clear that online marketplaces are responsible for the personal data that appears in advertisements on their platforms. The Court of Justice of the European Union decision makes clear that platforms must get consent from any person whose data is shown in an advertisement, and must verify ads before they go live, especially where sensitive data is involved. The CJEU ruling comes from a 2018 incident in Romania. A fake advertisement on the classifieds website publi24.ro claimed a woman was offering sexual services. The post included her photos and phone number, which were used without her permission. The operator of the site, Russmedia Digital, removed the ad within an hour, but by then it had already been copied to other websites. The woman said the ad harmed her privacy and reputation and took the company to court. Lower courts in Romania gave different decisions, so the case was referred to the Court of Justice of the European Union for clarity. The CJEU has now confirmed that online marketplaces are data controllers under the GDPR for the personal data contained in ads on their sites.

CJEU Ruling: What Online Marketplaces Must Do Now

The court said that marketplace operators must take more responsibility and cannot rely on old rules that protect hosting services from liability. From now on, platforms must:

• Check ads before publishing them when they contain personal or sensitive data.
• Confirm that the person posting the ad is the same person shown in the ad, or make sure the person shown has given explicit consent.
• Refuse ads if consent or identity verification cannot be confirmed.
• Put measures in place to help prevent sensitive ads from being copied and reposted on other websites.

These steps must be part of the platform’s regular technical and organisational processes to comply with the GDPR.

What This Means for Platforms Across The EU

Legal teams at Pinsent Masons warned the decision “will likely have major implications for data protection across the 27 member states.” Nienke Kingma of Pinsent Masons said the ruling is important for compliance, adding it is “setting a new standard for data protection compliance across the EU.” Thijs Kelder, also at Pinsent Masons, said: “This judgment makes clear that online marketplaces cannot avoid their obligations under the GDPR,” and noted the decision “increases the operational risks on these platforms,” meaning companies will need stronger risk management. Daphne Keller of Stanford Law School warned about wider effects on free expression and platform design, noting the ruling “has major implications for free expression and access to information, age verification and privacy.”

Practical Impact

The CJEU ruling decision marks a major shift in how online marketplaces must operate. Platforms that allow users to post adverts will now have to rethink their processes, from verifying identities and checking personal data before an ad goes live to updating their terms and investing in new technical controls. Smaller platforms may feel the pressure most, as the cost of building these checks could be significant. What happens next will depend on how national data protection authorities interpret the ruling and how quickly companies can adapt. The coming months will reveal how verification should work in practice, what measures count as sufficient protection against reposting, and how platforms can balance these new duties with user privacy and free expression. The ruling sets a strict new standard, and its real impact will become clearer as regulators, courts, and platforms begin to implement it.

how proper JWT governance helps your organization stay compliant with SOC 2, ISO 27001, and GDPR. Explore best practices, governance frameworks, and how SSOJet ensures secure token management.

The post JWT Governance for SOC 2, ISO 27001, and GDPR — A Complete Guide appeared first on Security Boulevard.

A coalition of 127 civil society organizations and trade unions have banded together to oppose proposed changes that they warn could severely weaken EU data protection and privacy laws like GDPR. In an open letter released this week, the groups expressed “serious alarm at the forthcoming EU Digital Omnibus proposals, part of a wide deregulation agenda. What is being presented as a ‘technical streamlining’ of EU digital laws is, in reality, an attempt to covertly dismantle Europe's strongest protections against digital threats. “These are the protections that keep everyone’s data safe, governments accountable, protect people from having artificial intelligence (AI) systems decide their life opportunities, and ultimately keep our societies free from unchecked surveillance,” the groups added. Many of the same groups expressed concerns about the Digital Omnibus process earlier this year, but with a comprehensive proposal expected from the European Commission next week and reports that drafts of the legislation would significantly weaken GDPR and other privacy protections, the groups are stepping up their efforts.

GDPR, AI Rules Could Be Weakened in Digital Omnibus Process

Netzpolitik said that GDPR and other protections in several areas would be “significantly reduced to allow for greater data usage” under the Digital Omnibus proposals, including making it easier to train AI systems with personal data. Online tracking and cookie restrictions would also be weakened. “Storing and reading non-essential cookies on users' devices would no longer be permitted only with their consent,” Netzpolitik said. “Instead, the full range of legal bases offered by the GDPR would be opened up. This includes the legitimate interests of website operators and tracking companies. Users would then only have the option of opting out retroactively.” Article 9 of the GDPR concerning special categories of data would also be targeted. Article 9 offers special protection for data that includes "ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership." It also includes the processing of genetic data, biometric data for identification purposes, health data, and data about a person's sex life or orientation. “The Commission aims to define sensitive data more narrowly,” Netzpolitik said. “Only data that explicitly reveals the aforementioned information would then be afforded special protection. This means that if, for example, a person indicates their sexual orientation in a selection field, this would still be afforded special protection. However, if a data processor infers a person's presumed sexual orientation based on perceived interests or characteristics, current restrictions would no longer apply.” Protections for genetic and biometric data are more likely to remain unchanged “due to their unique and specific characteristics."

Groups Decry ‘Rushed and Opaque’ Process

The 127 civil society groups and trade unions charged that the Digital Omnibus process “is being done under the radar, using rushed and opaque processes designed to avoid democratic oversight.” The same approach has been used with other Omnibus proposals with damaging results, they said. “As a result, supposedly minimal changes under the guise of ‘simplification’ have already jeopardised Europe’s core social and environmental protections,” they said. The Digital Omnibus, they said, will reportedly weaken “the only clear rule that stops companies and governments from constantly tracking what people do on their devices, part of the ePrivacy framework. This will make it a lot easier for those in power to control people’s phones, cars or smart homes, while also revealing sensitive information about where people go, and with whom.” EU AI rules could also be weakened, the groups said, including guardrails to ensure “that AI is developed safely and without discrimination, as well as delaying key elements like penalties for selling dangerous AI systems.” Currently, AI tools that could affect important decisions like whether people can obtain benefits must register in a public database. Under the proposed changes, they said, “those providing AI tools could unilaterally and secretly exempt themselves from all obligations – and neither the public nor authorities would know.” “By recasting vital laws like the GDPR, ePrivacy, AI Act, DSA, DMA, Open Internet Regulation (DNA), Corporate Sustainability Due Diligence Directive and other crucial laws as ‘red tape’, the EU is giving in to powerful corporate and state actors who oppose the principles of a fair, safe and democratic digital landscape and who want to lower the bar of EU laws for their own benefit,” they charged. They urged the European Commission to stop any attempts to reopen the GDPR, ePrivacy framework, AI Act and other “core digital rights protections.”

AI’s growth exposes new risks to data in use. Learn how confidential computing, attestation, and post-quantum security protect AI workloads in the cloud.

The post AI Demands Laser Security Focus on Data in Use  appeared first on Security Boulevard.

As businesses increasingly rely on AI chatbots, securing conversational AI is now mission-critical. Learn about common chatbot vulnerabilities, AI risk management strategies, and best practices — from data encryption and authentication to model protection — to safeguard user trust, privacy, and compliance in the digital era.

The post When Chatbots Go Rogue: Securing Conversational AI in Cyber Defense  appeared first on Security Boulevard.