Did the CJEU just junk the EU's intermediary liability AND general monitoring rules? X v Russmedia

Did the CJEU just use the GDPR to junk the intermediary liability exemption and impose a general monitoring obligation? Here's a look at yesterday's Russmedia judgment.

The facts are pretty grim: "X" saw an ad on an Russmedia's online marketplace falsely promoting her as a sex worker. She reported it, Russmedia took it down, but the ad had already been scraped and copied on other sites.

X sued Russmedia, which predictably said it was just an intermediary service and not liable for the contents of users' posts.

But the court said that Russmedia was a controller, and required a legal basis to post the content.

Because the ad included special category data, Russmedia was required to obtain the data subject's consent.

--

EU laws, like the eCommerce Directive and the Digital Services Act, say that platforms do not have a "general monitoring obligation". 

Platforms have some moderation obligations (including some limited monitoring obligations in some cases), and they have to respond to takedown requests, but there is no blanket requirement to check every post for illegal content. 

As such, the CJEU says that Russmedia doesn't HAVE TO "generally monitor" content; it has a specific obligation to avoid posting *this specific type of content* without consent.

But how can a platform know whether an ad contains special category data without checking every post? 

You know... *generally monitoring* them all?