The NASPP Blog

If you are a company with employees in the European Union (EU) or European Economic Area (EEA), you’ve likely long been aware of the stringent data privacy requirements surrounding the transmission and protection of data for those residing in that region of the world. To facilitate compliance with certain aspects of data privacy requirements, some companies relied (in all or part) upon the EU-US Safe Harbor Privacy Program (“Safe Harbor program”), which allowed for transfers of personal data for EU/EEA residents to US companies registered under the program.  On October 6, 2015, the European Court of Justice ruled the Safe Harbor program invalid. What is the impact of this ruling on data transfers relative to stock plans? I’ll explore this question today’s blog.

Much of the information I have on this topic comes from two Baker & McKenzie sources (“New Data Privacy Turmoil?” and “Impact of CJEU US/EU Safe Harbor Program Judgment on Equity Plans“) – both available in the NASPP’s Global Stock Plans portal. Let’s now get to the heart of the matter.

How Would This Potentially Affect Stock Plans?

If your company is a US based company, it’s likely that most or all of your stock plan data is housed in the US. This means that if your plan includes participants in the EU/EEA, their data needs to be sent to the US to be recorded and maintained in the stock plan recordkeeping system. That recordkeeping system could be maintained in-house, or externally via a third party, who also likely maintains data within the US. Additionally, there may be a need to transfer participant data to other third parties who support the company’s stock plans beyond recordkeeping services.

According to the Baker & McKenzie client alert,

“The impact of the ruling on the personal data collection /processing / transfer activities of US multinationals in the context of offering of equity compensation programs to European employees depends upon whether the company had relied on Safe Harbor in this context – or, instead, relied on  an alternative method for managing data privacy considerations (e.g., relying on express consent obtained from participants, either through acceptance  of its equity award agreements or provided as part of the local new hire on-boarding process). If alternative methods have been relied upon, the ruling is unlikely to have any impact on the equity program. If the company relied on Safe Harbor, it will likely need to start relying on an  alternative method.”

The transfer of data provided to brokers is unaffected by this ruling, because financial institutions were never eligible to register under the Safe Harbor program, and as a result, it was never possible to rely on that program to transfer employee data to a broker. Companies had to find an alternate, permissible means of transferring data to brokers. Considering the now-invalidated Safe Harbor program, that is good news for data transfers to brokers or financial institutions, because they were never covered under the program and should remain unaffected by the ruling.

Is Our Stock Plan Affected?

If you have no stock plan participants in the EU/EEA, then this ruling does not affect your stock plans. This only applies to the data of those residing in that region of the world.

For companies that do have stock plan participants in the EU/EEA, the answer to that question is “it depends.” It depends on how the company was complying with data transfer requirements prior to the ruling, as described above. If your company relied on the Safe Harbor program in any capacity, then an alternate method for transferring that data will need to be used.

If your company has no participants in the EU/EEA, but decides to offer equity in that region in the future, it’s important to know that the Safe Harbor program will not be available as a means of compliance with data transfer requirements.

What’s Next?

This ruling has created a wave of turmoil, and not just for equity plans. It’s likely other company functions such as Human Resources are impacted, too. Baker & McKenzie’s suggestion is that “Companies should review their practices with regard to data privacy, including in the context of operating their equity compensation programs. Even if the ruling does not have any direct impact on the equity program, data privacy requirements around the  globe are tightening and a regular review of your company’s approach to data privacy is highly recommended.”

There is also talk of a Safe Harbor 2.0, with no telling on a timeline or potential for success of such an initiative. It’s important that companies recognize the implication of this ruling beyond the immediate affect on employee data transfers. The action of invalidating the entire EU/US Safe Harbor program seems to suggest that the EU has broader concerns about the US’s ability to protect the data of their residents, and it’s possible that other methods of complying with data transfers may follow in being evaluated for efficacy of protecting privacy. Expect the topic of data privacy to be a hot one for 2016.

Speaking of global hot topics, you can find out “5 Things I Learned About Global Compliance and Communication,” in the latest episode of our popular Equity Expert podcast series.

-Jenn