Schrems II

2020 ruling by the Court of Justice of the EU (case C-311/18) that invalidated the EU-US Privacy Shield and imposed strict conditions on transferring EU personal data to US-based platforms, including news comment systems.

Schrems II is the shorthand for the Court of Justice of the European Union ruling C-311/18, delivered on 16 July 2020. The ruling invalidated the EU-US Privacy Shield framework that until then governed transatlantic data flows, and imposed a far stricter set of obligations on any EU operator transferring personal data to the United States.

For news publishers running EU-based readers’ comments on US-based platforms, Schrems II is the legal headache that re-opened the comment-vendor conversation in 2020-2022.

What changed

Before Schrems II, an EU publisher using a US-hosted comment system (Disqus, OpenWeb, Coral) could rely on the Privacy Shield as a self-certifying mechanism. The CJEU said: not enough. Specifically:

  • The Privacy Shield was invalidated immediately. Operators relying on it had to find another legal basis.
  • Standard Contractual Clauses (SCCs) remain a possible basis, but require a case-by-case assessment of whether the destination country (the US) actually provides protection equivalent to the EU.
  • The case-by-case assessment is the publisher’s burden, including evaluating US surveillance laws (FISA 702, EO 12333) that may compel the US vendor to disclose EU data.

In practice, this means: if you run comments on a US-hosted system and your DPO does their job, there is a paper trail of risk assessments to maintain, with non-trivial liability if the assessment is wrong.

The 2026 state of play

A new EU-US Data Privacy Framework (replacing the Privacy Shield) was adopted in 2023. It is in force but actively litigated, with a likely “Schrems III” ruling expected to challenge it.

For publishers who want a stable answer that does not depend on the next CJEU case, the simplest path is to host comments inside the EU with an EU-controlled vendor. That removes the entire question of cross-border transfer, SCC assessments, and US surveillance exposure.

Why this matters for the vendor choice

This is one of the most concrete differences between Logora and US comment platforms:

  • Logora, EU only (OVH, France). No cross-Atlantic data transfer. Schrems II does not apply.
  • Disqus / Viafoura / OpenWeb, US-headquartered or US-hosted. Schrems II applies. SCC assessment required.
  • Coral (Vox), open source. The data residency is whatever you choose to host on. If you host in the EU, Schrems II is moot.

See the Logora vs Disqus comparison for how Schrems II shows up in vendor selection.
