Europe tightens data rules, GDPR training spikes

Europe’s top court has widened the way privacy law can reach online platforms, and companies are rushing back into General Data Protection Regulation training. (eur-lex.europa.eu) (researchandmarkets.com) On December 2, 2025, the Court of Justice of the European Union ruled in *X v. Russmedia Digital and Inform Media Press* that an online marketplace can be treated as a data controller, or even a joint controller with the user who posted the ad. The judgment said platforms may have duties to identify sensitive-data ads, identify the advertiser, refuse unlawful posts, and use security measures to stop copying onto other sites. (eur-lex.europa.eu) (twobirds.com) The case came out of Romania and involved personal data in user advertisements on an online marketplace. Lawyers tracking the ruling say it weakens the usual shield platforms have relied on under Europe’s older e-commerce liability rules when a dispute is framed as a data-protection case. (eur-lex.europa.eu) (techpolicy.press) The practical issue is simple: the General Data Protection Regulation governs personal data, while the Digital Services Act governs many platform duties around illegal content and moderation. In September 2025, the European Data Protection Board adopted Guidelines 3/2025 on how the two laws interact, months before the court pushed that overlap into a live platform-liability dispute. (edpb.europa.eu) (techpolicy.press) That overlap reaches beyond Europe-based companies because the General Data Protection Regulation has extraterritorial effect when organizations handle data tied to people in the European Union. Training providers are now pitching courses on data breaches, international reach, and data subject access requests, the formal process people use to ask for copies of their data. (researchandmarkets.com) (finance.yahoo.com) One example landed on April 14, 2026, when ResearchAndMarkets.com added a one-day online course scheduled for May 13, 2026. The course description says it will cover “hot topics,” the United Kingdom’s new Data (Use and Access) Act, and data subject access rights, with Mark Weston listed as the speaker. (finance.yahoo.com) (ipi.academy) The pressure is not just theoretical. On March 19, 2026, the same court ruled in *Brillen Rottler* that even a first access request under Article 15 can be refused if it is abusive or excessive, adding another fresh court signal on how far data-access rights do and do not go. (privacymatters.dlapiper.com) Critics of the Russmedia ruling say the logic could push platforms to remove lawful speech rather than risk privacy liability. Other legal analysts say the decision mainly tells platforms to build better screening, identity checks, and security controls where ads contain sensitive personal data. (techpolicy.press) (gtlaw.com) For companies selling into Europe, the message from the first months of 2026 is procedural, not abstract: know when you are a controller, know how to answer access requests, and know when a user post can trigger privacy duties before it goes live. (eur-lex.europa.eu) (researchandmarkets.com)