As has been widely reported (see Baker & McKenzie client alert), the European Court of Justice (ECJ) invalidated the EU/US Safe Harbor Program, which allowed transfers of personal data of EU/EEA residents to U.S. companies that registered under the program. Generally, such transfers are allowed only if a permissible ground exists, and the Safe Harbor Program was a convenient ground for many U.S. companies doing business in the EU/EEA. With the program invalidated, these companies are now forced to rely on other grounds, such as the data subject's express consent or Model Agreements between the transferring and receiving entity.
What Does This Mean for Equity Award Administration?
In the context of equity awards, U.S. companies granting awards to employees in the EU/EEA have to collect, process and transfer the employees' personal data (i.e., information by which an employee can be identified) to administer their participation in the plan. Usually, the equity award database is maintained in the U.S., so the data has to be transferred to the U.S. In addition, the data is often shared with third-party providers (e.g., stock plan brokers) which also maintain databases in the U.S.
Many U.S. companies have registered under the Safe Harbor Program, but not all of these companies actually relied on the program to transfer personal data for purposes of their equity award administration, or at least not exclusively. In some cases, the registration covered only customer/client data and not employee data and could, therefore, not be relied on to transfer the personal data of employees (for any reason). In any event, the registration could cover only the transfer of personal data to U.S. companies registered under the program. Because financial institutions were not eligible to register under the program, it was never possible to rely on Safe Harbor to transfer the employees' personal data to a third-party broker. To effect this transfer, companies had to rely on another permissible ground.
As a consequence, the vast majority of companies rely, at least partially, on the employee's consent to collect, process and transfer personal data for purposes of the equity award administration. Usually, the consent is obtained by the employee's acceptance of an award agreement which includes the appropriate consent language. In some cases, companies may have asked the employee to provide consent as part of the onboarding process or through an award offer letter.
Relying on employee consent can pose its own challenges, as further discussed below. However, if your company relied and continues to rely on consent, the good news is that the invalidation of the Safe Harbor Program should not have any direct impact on your equity award administration. By contrast, if your company relied on the program to transfer employee data between the EU and the U.S., it will need to switch gears and either start relying on the employee's consent or another permissible ground (e.g., Model Agreements).
What Comes Next?
It is clear that the invalidation of the Safe Harbor Program has major implications for U.S. companies doing business in Europe (aside from equity award administration). There are already efforts underway to negotiate a Safe Harbor 2.0 Program, although it remains to be seen how quickly such a program can be implemented and to what kind of requirements it will be subject. On the flip side, the invalidation of the Safe Harbor Program shows that European courts and data protection authorities are increasingly questioning whether the U.S. has adequate data protection measures in place and, thus, whether the personal data of EU/EEA residents is sufficiently protected, once transferred to the U.S. This could lead to scrutiny of other permissible grounds, such as consent and the Model Agreements used by U.S. companies. It should also be noted that the EU Commission is working on a new EU Data Protection Regulation that will supersede the EU Data Protection Directive which has been in effect since 1995.
What Should You Do?
Even if the ECJ ruling did not directly impact your company's equity award administration, it should prompt companies to review their data privacy practices with regard to equity awards.
If relying on consent, the consent language should be reviewed, as well as the timing of obtaining the consent. In particular, companies should strive to obtain the consent before an award is granted, because personal data typically is transferred before grant. This means that obtaining the consent through the acceptance of the award agreement (which occurs after grant) is too late. Similarly, if the consent language is "buried" in an award agreement, it may not be viewed as sufficient because the employee may argue that he or she was not aware of the language and the consent was, therefore, not express.
Finally, and more troubling, some data protection authorities have questioned if employees can provide valid consent under any circumstances. The thinking is that an employee cannot freely consent to the transfer of his/her personal data because, as an employee, he/she will feel pressured to provide the consent to avoid negative consequences for the employment relationship. Such a coerced consent is not valid. In the equity award context, it may be possible to argue that the consent is not provided in the context of the employee-employer relationship, but between the employee and the (non-employing) parent company. In addition, it should be possible to assert that refusing the consent could not impact the employment relationship in an adverse manner because the only consequence of refusing consent is that the employee may not be able to participate in the equity plan. These arguments are not tested, but we have to date not seen any employees attack the validity of their consent on these grounds.
Data protection rules and the enforcement of such rules are undoubtedly on the rise and need to be taken seriously. However, data privacy rules should not be reviewed in isolation in the context of equity award administration. Instead, companies should address data protection of employee data on a holistic basis and determine the best approach for all different areas of employee HR data administration. To date, we have not seen any enforcement action related to data protection of personal data of equity plan participants. Given that equity plans are intended to provide employees with a benefit, few employees have an incentive to question the transfer of their personal data to the U.S., but this should not lead companies to be complacent and not pay attention to this aspect of their plan administration.