The court uses the phrase “an online marketplace, as controller” in key places. This suggest to me that there can be online marketplaces that are not data controllers.

The court cites several contributing factors to treat the platform as data controller: they reserved additional rights to upload content, they selected the ads to display. Github only claims limited rights in uploaded content, and I'm not sure if they have any editorialized (“algorithmic”) feeds where Github selects repository content for display. That may make it less likely that they would be considered data controllers. On the other hand, licensing their repository database for LLM training could make them liable if personal data ends up in models. I don't think that's necessarily a bad thing.

I doubt that is enough to trigger this ruling, but algorithmic content is absolutely pervasive these days.

That does not appear to be what the court actually said, however.

And I 100% believe that all advertisements should require review by a documented human before posting, so that someone can be held accountable. In the absence of this it is perfectly acceptable to hold the entire organization liable.

> There’s nothing inherently in the law or the ruling that limits its conclusions to “advertisements.” The same underlying factors would apply to any third party content on any website that is subject to the GDPR.

So site operators probably need to assume it doesn’t just apply to ads if they have legal exposure in the EU.

Personally, I'm not buying the slippery slope argument. I could be wrong of course but that's the great thing about opinions: you're allowed to be wrong :)

They are but you can keep PII if it is relevant to the purpose of your activity. In this case the author needs you to share his PII, in order to exercise his moral and copyright rights.