Switzerland: ECJ ruling Russmedia – The End of the Liability Privilege for Hosting Providers?

In its judgment C-492/23 of 2 December 2025 (Russmedia), the European Court of Justice comments on the question of whether a hosting provider, namely Russmedia, must take proactive action against content that violates privacy if it is qualified as a data controller. Some seem to see the end of the liability privilege, according to which such service providers only have to take action against illegal and unknown content after notification (notice-and-take-down). However, this seems to be based on a misunderstanding of the CJEU’s reasoning.

In this article, we classify these arguments and also explain the legal situation in Switzerland.

The liability privilege in the EU

The eCommerce Directive, which has been in force since 2000, introduced the principle of “no liability without knowledge” in the EU. In short, this means that a service provider is not liable for the content published by a user if:

• the service in question consists only in storing that content on behalf of the user (hosting);
• he has no actual knowledge of illegal content; and
• it removes or blocks illegal content quickly if it becomes aware of it.

This privilege is justified by the fact that the hosting provider plays a purely passive, technical and neutral role.

In the meantime, this liability regulation has been adopted into the Digital Services Act (DSA) and continues to apply there in the same form.

What happened in the Russmedia case?

The trigger was an advertisement on an online portal of Russmedia. An anonymous user used real photos of the victims as well as their private mobile phone number to (falsely) offer sexual services. Russmedia removed the ad within a short time after the person concerned had asked her to do so. Nevertheless, the plaintiff subsequently asserted non-pecuniary damage before the competent court, which it claimed from Russmedia. The case dragged on at the national level through several instances before it finally ended up before the ECJ.

Several questions were submitted to the ECJ, which together aimed to obtain an answer to the following problem: Can a hosting provider who also uses the content published by users for its own commercial purposes continue to rely on the liability privilege or must it ensure that data protection law (namely the General Data Protection Regulation, GDPR) is complied with?

What does the ECJ say?

First of all, it can be noted that the ECJ came to the conclusion that Russmedia is considered to be a (co-)controller under data protection law for the content published on the online portal. Specifically, Russmedia reserved the right to “use, distribute, transmit, reproduce, modify, translate, share with partners and remove at any time” published content. In the court’s view, this reservation in the terms of use already provides decisive “indications” that Russmedia processes the data not only for the advertiser but also out of commercial self-interest and thus participates in determining the purposes and means of the original publication. In addition, in the opinion of the ECJ, Russmedia has a significant influence on the worldwide dissemination of the personal data contained in the advertisements by actually determining the parameters for the distribution of the advertisements on its platform in accordance with the target audience and, among other things, by determining the presentation and duration of publication.

The supposed “hammer” of the ruling, however, lies in the fact that the ECJ subsequently comes to the conclusion that a hosting provider who claims to be responsible for the published content under data protection law cannot invoke the liability privilege of the eCommerce Directive (now the DSA). In the opinion of the ECJ, Russmedia should therefore have proactively identified special categories of personal data (such as information about sex life in the case in question) and ensured that it was only published by the data subject himself or with his consent. In addition, Russmedia should have taken appropriate technical measures to prevent the copying and dissemination of this data.

The ECJ did not address the question of whether Russmedia actually took note of the personal data in question, i.e. whether it actually used the disputed advertisement for its own commercial purposes. Rather, the ECJ justifies its opinion with the fact that issues covered by Directive 95/46/EC (the predecessor of today’s GDPR) were expressly excluded from the scope of the eCommerce Directive (which was in force at the time of publication of the disputed advertisement) (Art. 1(5)(b) and recital 14 of the eCommerce Directive).

The current DSA also expressly leaves the provisions of the GDPR unaffected (Art. 2(4)(g) DSA); it can therefore be assumed that the ECJ would have ruled in the same way under the new regime of the DSA.

How should the ECJ’s reasoning be classified?

The judgment and the reasoning are comprehensible and certainly in the spirit of the European legislator in substance.

However, the ECJ does not address an important point in its argumentation: A service provider can only benefit from the liability privilege of the eCommerce Directive/DSA if its service consists of “storing the information provided by a user on his behalf” (cf. Art. 14(1) eCommerce Directive and Art. 3(g)(iii) DSA). So the privilege clearly only refers to the hosting itself.

This means the following:

• If the hosting provider uses the published content for its own commercial purposes, at least this subsequent own use can no longer be considered a “hosting” service. It is clear that the liability privilege cannot be applied to such downstream processing.
• However, the service provider also leaves its passive intermediary role and must consequently lose the liability privilege if it co-determines decisive decisions about the “why” and “how” of the publication of the data on its platform and thus becomes at least jointly responsible for this process under data protection law. This view corresponds to the established case law of the ECJ, according to which platform operators are regularly qualified as joint controllers with the user for the publication or collection of data, provided that they have a significant say in data collection and processing via the function and parameterisation of the platform (cf. Facebook fan page judgment (C-210/16) and Fashion ID judgment (C-40/17).

It must be pointed out that the ECJ does not affirm the role of Russmedia as a co-controller solely because the company reserved the right in its terms of use to use the content posted by third parties for its own purposes; rather, he regards this circumstance as an indication. Instead, a decisive criterion for the assumption of joint responsibility in this case was the active and decisive participation in the publication of the user content, which resulted from the specific design and parameterization of the platform. By creating the technical and organizational framework for the publication of the data and thus pursuing its own economic interests, Russmedia significantly influenced the purposes and means of processing. Even in application of the case law of the ECJ in the Russmedia judgment, a service provider does not only become a (co-)controller if it contractually reserves the right to use the published content for its own purposes; it also needs more extensive co-determination.

The provision in the eCommerce Directive/DSA that the applicable data protection law remains unaffected and on which the ECJ relies in the Russmedia ruling must also be understood against this background: Anyone who is obliged under the GDPR to ensure the lawfulness of data processing should not be able to avoid it on the basis of the liability privilege.

The above is likely to be of particular relevance for online marketplaces, social networks and similar services, since on the one hand there is an inherent interest of the service provider in the organisation and preparation of the content published by users, for example to increase the attractiveness of its own platform. On the other hand, with such platforms, the service provider is often more involved in the design of data collection and processing than is the case, for example, with a pure web hosting provider, whose service is primarily limited to the provision of storage space.

The question therefore arises as to whether the service provider must confine itself to the purely passive, technical and automatic storage of information if it does not wish to run the risk of being held liable for illegal content on the part of its users. Recital 22 of the DSA provides at least some indications in that regard, stating that a hosting service provider may index and catalogue the information provided by users and stored at their instigation in order to make it findable by means of a search function integrated into its platform, without that alone being attributable to it for actual knowledge of the content. This clarification is key as it recognises that certain activities beyond mere storage are essential for the provision of a functional and user-friendly service. It can therefore be assumed that an additional function or service that goes beyond mere storage but still serves the purpose of the user – namely to make its content effectively accessible to third parties – does not per se mean that the service provider can no longer invoke the liability privilege. The decisive criterion is whether the service provider maintains a neutral, technical and passive role or whether it takes an active role that gives it knowledge of or control over the specific content. As long as the additional function (such as indexing) is automated and without editorial or curating interventions that suggest a content-related dispute, the passive character of the service is preserved.

The parallel to data protection law, in particular the distinction between controller and processor, supports this conclusion. If such an additional function or service is designed in such a way that the associated processing of personal data is carried out exclusively for the purposes and on the instructions of the user, the hosting provider is not considered a controller from a data protection point of view, but a processor (cf. Art. 4 No. 8 GDPR). A classification of the hosting provider as a processor can be seen as a strong indication that it also takes a passive role within the meaning of today’s DSA and can continue to invoke the liability privilege. The ECJ’s reasoning in the Russmedia ruling supports this view.

In summary, it can therefore be said that the “explosive power” of the Russmedia ruling lies not in the fact that the ECJ undermines the liability privilege, but in the fact that it takes up an aspect of provider liability that may have been overlooked in practice so far. In our opinion, it must continue to be possible for hosting providers to reserve the right to use the published user content for themselves. However, in view of the reasoning of the ECJ in the Russmedia ruling, it is recommended that hosting providers clearly identify and delimit such uses as their own processing operations in order to reduce as far as possible the appearance of participation in the publication of the content by the user.

How should the facts of the case be assessed in Switzerland?

In contrast to the EU, Switzerland does not have a specific liability regime for hosting providers or similar service providers, as is currently anchored in the DSA. The draft of the new Federal Act on Communication Platforms and Search Engines (KomPG), which the Federal Council submitted for consultation at the end of October 2025, also only provides for an obligation for communication platforms to set up a reporting procedure, but no associated liability relief.

The civil liability of hosting providers for content of their users that violates the privacy of their users is thus based on the general provisions of tort law in Art. 41 et seq. of the Code of Obligations (CO), the protection of personality in Art. 28 et seq. of the Civil Code (ZGB) and the Data Protection Act (DSG). For claims by data subjects in the event of data breaches that also constitute a violation of privacy, the FADP refers to the provisions of Art. 28 et seq. of the Swiss Civil Code.

The interaction of these standards results in the following, differentiated liability regime:

• According to Articles 28 and 28a of the Civil Code, a person whose personality has been violated may demand that anyone who participates in the violation remedy the unlawful situation. According to the case law of the Federal Supreme Court, even the mere cooperation objectively leads to an injury, even if the actor is not aware of it or cannot be aware of it (BGE 141 III 513, E. 5.3.1. with further references). In a recent decision, the Commercial Court of Zurich came to the conclusion that although the operator of a search engine would facilitate the finding of content that violates privacy, this is not sufficiently closely related to the offence itself; an “effect” is not sufficient, it requires actual “cooperation” (judgment of the Commercial Court of Zurich HG220030-O of 21 August 2024, E. 3.2.4.2.6).
• If content that infringes privacy is published on the platform of a hosting provider, the latter provides the technical infrastructure for the infringement. In contrast to the operator of a search engine, his service is much more closely related to the infringing content and thus causally contributes to its dissemination and maintenance, even if he has no concrete knowledge of the content published on it. This form of cooperation is sufficient to regularly establish a claim for removal directly against the hosting provider. The data subject can therefore request the service provider to delete or remove the infringing content. This claim exists regardless of fault and also applies if the hosting provider only acts as a processor for the user from a data protection point of view.
• However, in order for the data subject to be able to assert a claim for damages or satisfaction against the hosting service provider in accordance with Art. 41 et seq. CO in conjunction with Art. 28a para. 3 of the Swiss Civil Code, fault on the part of the provider must be proven in addition to the damage and illegality and the causal link. In the prevailing doctrine and based on the legal development abroad, such culpability (usually negligence) is only assumed if the hosting provider remains inactive despite a sufficiently concrete and substantiated indication of the obviously illegal content and does not immediately remove or block it. This means that there is also a de facto notice-and-take-down obligation in Switzerland, which has also been anchored in relevant industry standards (see, for example, the Code of Conduct Hosting (CCH), which was developed by Swiss hosting companies under the auspices of Swico). As long as the hosting provider has no knowledge of the infringement and acts immediately after the report has been made, it is protected from claims for damages by this liability privilege. As far as can be seen, however, this view has not yet been confirmed by the courts.
• In Switzerland, too, the aforementioned liability privilege is linked to the prerequisite that the provider takes on a passive role as a mere technical intermediary. If the hosting provider also uses the content published by its users – in particular personal data – for its own purposes (e.g. for personalized advertising, to create user profiles, for its own analyses or for disclosure to third parties), it leaves this passive role. He adopts the content as his own and, just as in the EU, becomes the controller under data protection law within the meaning of the DSG for the subsequent processing and is also fully liable for any violations of privacy.
• Currently, we are not aware of any rulings in which a Swiss court has dealt with the question of the degree of “co-determination” at which a hosting provider also becomes (co-)responsible for the publication of user content on its platform. However, experience has shown that Swiss courts are guided by EU case law, which is why there is a very high probability that a provider such as Russmedia would also be qualified as a co-controller under data protection law for the publication of user content in Switzerland. However, it should also apply in Switzerland that a provider does not become jointly responsible for the publication simply because it contractually reserves the right to use user content for its own purposes, but that further concrete acts of cooperation are required.
• As the (co-)controller for the publication of user content, the provider must proactively ensure compliance with the principles of data protection law from the outset. These include, in particular, the obligation to ensure the lawfulness of data processing (Art. 6 paras. 1 and 2 FADP) and the correctness of the processed personal data (Art. 6 para. 5 FADP). He must therefore ensure of his own accord that the data he uses for his own purposes has been collected lawfully and is correct in terms of content. These proactive, legal obligations of a controller are at odds with the reactive nature of the notice-and-take-down principle. A responsible person cannot claim that he “knew nothing” about the violation of privacy. His role requires him to check the lawfulness of the data processing for which he is responsible. The failure to carry out such an examination already establishes the accusation of negligence if the provider reserves an active role for itself through the design of its services and terms of use. The liability privilege that was created for the passive intermediary can therefore not claim to apply to the provider who adopts the data as his own by helping to shape the data processing and also (but not exclusively) a reservation of use, even according to the principles prevailing in Switzerland.

According to the points set out above, it is therefore likely that a Swiss court would reach a conclusion analogous to that of the ECJ in the Russmedia case, provided that the hosting provider is proven to be jointly responsible for the publication of user content. Swiss hosting providers are therefore also recommended to take steps to prevent such (co-)responsibility for user content as far as possible. This also includes clearly distinguishing between any use of the user’s own and the publication by the user, so as not to give the appearance of participation. If participation and thus joint responsibility is unavoidable (for example, because it is inherent in the business model), robust compliance processes must be implemented to ensure compliance with the data protection obligations of the hosting provider as the controller and thus minimise liability risks.