Data Privacy


Background

As most of you are aware, the collection, processing, use and transfer of personal data are regulated and restricted in most countries outside the US. This is especially true for countries in the EU and EEA, where any such action generally requires a valid basis, or risks being illegal. Compliance with EU data privacy requirements can be challenging for US-based multinationals which collect, process and transfer personal data of EU/EEA-based employees to administer the employees’…

As has been widely reported (see Baker & McKenzie client alert), the European Court of Justice (ECJ) invalidated the EU/US Safe Harbor Program which allowed transfers of personal data of EU/EEA residents to U.S. companies that registered under the program. Generally, such transfers are allowed only if a permissible ground exists, and the Safe Harbor Program was a convenient ground for many U.S. companies doing business in the EU/EEA. With the program invalidated, these companies are now forced to rely on other grounds, such as the data subject’s express consent or Model Agreements between the transferring and receiving entity.

What Does This Mean for Equity Award Administration?

In the context of equity awards, U.S. companies granting awards to employees in the EU/EEA have to collect, process and transfer the employees’ personal data (i.e., information by which an employee can be identified) to administer their participation in the plan.  Usually, the equity award database is maintained in the U.S., so the data has to be transferred to the U.S.  In addition, the data is often shared with third-party providers (e.g., stock plan brokers) which also maintain databases in the U.S. 

For several years, it has been challenging to grant equity awards to employees in Russia. The tax treatment of options and ESPP is uncertain and it is possible that tax is due at grant and at exercise/purchase. The securities requirements are similarly unclear and there is a risk that equity awards are subject to an onerous securities registration requirement, unless all transactions related to the awards take place outside of Russia. And, since 2013, due to changes to the currency control laws, it has been questionable whether shares and cash payments related to equity awards could be issued into non-Russian accounts.

Notwithstanding, with appropriate structuring of grant terms and award administration, many companies have continued to grant equity awards in Russia.

Data Privacy Laws Add Another Level of Difficulty to Equity Awards in Russia

Now comes the latest threat from a somewhat unexpected corner: data privacy laws. On July 21, 2014, Russia enacted a new data privacy law which requires that companies process all personal data related to Russian nationals in Russia. This means that companies which collect and/or process the personal data of Russian nationals would have to ensure that the databases used for such purposes are located in Russia. The effective date of the law was originally September 1, 2016, but it has since been accelerated to September 1, 2015.

An issue that is often neglected when implementing an equity plan on a global basis is compliance with global privacy regulations. Legislation intended to protect an individual’s right to privacy has existed for many years in the European Union (introduced by an EU Directive in 1995), but data privacy has not been a hot topic in most other countries (including in the U.S.). In the last several years, there has been a flurry of new data privacy laws around the world, especially in Asia Pacific, no doubt brought on by the proliferation of global internet use and the concern about data privacy on the internet.

These laws also affect companies offering global equity incentive plans, as well as their service providers. Typically, data privacy laws restrict the collection, processing and transfer of personal data, which is defined as information which can be used to identify a person. In addition, many data privacy laws require that databases in which personal information is stored be registered with local data privacy authorities.