Data Privacy Compliance for Equity Awards Post-GDPR

Background

As most of you are aware, the collection, processing, use and transfer of personal data is regulated and restricted in most countries outside the US. This is especially true for countries in the EU and EEA, where any such action generally requires a valid legal basis; without one, the action risks being unlawful.

Compliance with EU data privacy requirements can be challenging for US-based multinationals which collect, process and transfer personal data of EU/EEA-based employees to administer the employees’ participation in an equity or other incentive plan offered by the US parent company. Additional challenges arise if the parent has engaged a US-based broker or third-party plan administrator to assist with the administration of the plan.

GDPR

On May 28, 2018, the General Data Protection Regulation (GDPR) will take effect in the EU/EEA, replacing the Data Privacy Directive which has been in place since 1995. Under GDPR, increased penalties will apply if the collection, processing and transfer is effected without a valid basis. Enforcement activity from EU regulators may also increase once the GDPR takes effect.

In terms of satisfying local data protection requirements in the context of equity award offerings, the most challenging aspect is to find a justification to transfer an EU/EEA employee’s personal data from the EU/EEA to the US, which is generally necessary to administer the employee’s participation in an equity plan offered by a US parent company. To further complicate matters, the personal data not only has to be transferred to the parent company but usually also to the third-party vendors assisting the company with the administration of the plan (i.e., US brokers/plan administrators).

To justify such transfers, companies can take any one or a combination of the following approaches, discussed in turn below: (A) obtaining employee consent, (B) establishing that the use of the data is necessary to perform a contract, (C) registration under the EU-US Privacy Shield Framework, (D) establishing that the issuer has a legitimate interest in transferring the data, or (E) entering into Standard Contractual Clauses or binding corporate rules with the various parties involved in the data handling.

A.   Consent

For purposes of establishing a valid basis under GDPR for collecting, processing and transferring personal data to administer equity awards, it may be possible to rely on the employee’s consent. The consent language can be included in the award agreement (and has historically been included in most of our clients’ award agreements). However, to comply with the specific requirements under GDPR, updates to the consent language are likely required. Furthermore, although it is permissible to obtain consent within the award agreement, it is highly recommended to have employees separately accept the consent language. This could be achieved by having a separate call-out box for the data privacy consent when the employee accepts the agreements electronically, or by having an entirely separate consent document.

The consent will cover both the transfer of personal data from the EU/EEA employing subsidiary to a US-based issuer and from the US issuer to the broker/plan administrator. This is a significant advantage of the consent approach, as further discussed below.

Notwithstanding the above, companies should be aware that consent may be viewed as an invalid basis under GDPR on the grounds that (i) it is not obtained before the data is actually collected, processed and transferred, and (ii) some countries may not deem employee consent a valid basis because employees are viewed as coerced into giving consent when it is requested in the context of the employment relationship. Furthermore, consent is problematic because it can be withdrawn by the employee at any time.

B.   Necessary to Perform Contract

If the US issuer is able to identify and limit the data being collected, processed and transferred to that which is absolutely necessary to perform its contractual duties under the award agreement and plan, this satisfies the GDPR requirement for a valid basis. In this case, the issuer will need to prepare a data privacy notice (rather than a consent) for grantees in EU/EEA jurisdictions which sets out the data being collected and the purposes for which the data is being processed and transferred.

C.   Registration with the EU-US Privacy Shield Framework

Registration with the EU-US Privacy Shield certifies that transfers of data between the EU/EEA and the US are conducted in compliance with applicable data protection regulations, including GDPR. The registration process is fairly straightforward and is done completely online. However, before self-certifying during the registration process, the issuer should ensure it has completed the self-assessment and prepared the due diligence documentation required by the Privacy Shield, so that the certification is actually supported by its practices.

Additional information on the certification process and compliance with the Privacy Shield is available on the framework’s governmental website. The issuer should also consider that, once self-certified, annual re-certification is required. By contrast, changes in the practical details of data processing do not need to be notified.

D.   Legitimate Interest

Similar to the argument that the transfer of data is necessary to perform a contract, the issuer could take the position that it has a legitimate interest in doing so in situations where the local entity is not equipped from a Human Resources (or other) perspective to handle the data locally. Particularly in the context of equity incentive awards granted exclusively by the US parent company, this position may be viable. However, it could become difficult to sustain to the extent there are larger, well-equipped EU/EEA entities with more independent administrative functions.

E.   Standard Contractual Clauses / Binding Corporate Rules (BCRs)

Another basis on which an issuer can rely to validly transfer data under GDPR is the Standard Contractual Clauses approved by the European Commission. If the issuer’s EU/EEA entities agree with the US parent company to comply with the Standard Contractual Clauses, then “adequate safeguards” will be presumed. However, the Standard Contractual Clauses cannot be modified in any manner that would contradict the clauses or the data protection rights of individual employees. Although companies have discretion to draft their own contractual clauses, such clauses would be subject to scrutiny in each EU/EEA member state, increasing the risk of local non-compliance. It should also be noted that the Standard Contractual Clauses require a high level of detail on the data processing practices and purposes, which can result in voluminous data transfer agreements and supporting documentation.

Similarly, the issuer could enter into BCRs (i.e., binding commitments reflecting data protection safeguards implemented to comply with GDPR within a group of companies) with entities within its company group. The required content of BCRs is provided in the text of GDPR, and may be specifically prescribed by the European Commission.

Challenges Remain

It should be noted that approaches C. and E. cover only the transfer of personal data between the EU/EEA employing entities and the US issuer, and approaches B. and D. arguably do as well. Therefore, under these approaches, the issuer may have to devise other methods to legitimize data transfers to the US-based broker/plan administrator. As mentioned, consent would be one approach, but it has the issues described above.

One other approach would be to ask the broker/plan administrator to enter into Standard Contractual Clauses with the issuer, pursuant to which the broker/plan administrator would undertake to protect the personal data of the EU/EEA employees. This requires negotiations with the brokers/plan administrators and, possibly, an amendment to the services agreement.

Conclusion

There are a number of methods by which personal data for purposes of equity plan administration may be transferred from the EU/EEA to the US, with no single alternative satisfying all competing interests.

Compliance with GDPR cannot be evaluated solely in the context of the issuer’s equity grants. Rather, all collection, processing, use and transfer of data between the EU/EEA and US (and, of course, other countries) must be analyzed for compliance with applicable law/regulation. Therefore, it is important for equity plan professionals to connect with their internal data privacy experts and ensure that the measures taken to comply with GDPR also take into account personal data used in the context of equity plan administration.

Please make sure to connect with your equity plan counsel to reflect any new approach in the grant documentation provided to employees.