The NASPP Blog

Category Archives: Data Privacy

June 30, 2016

Brexit and Your Stock Plans

Everyone else is talking about Brexit (the vote in the UK to leave the EU), so why should the NASPP Blog be left out of the conversation? For today’s entry, I discuss what Brexit might mean for your stock plans.

Don’t Panic—Yet

The good news is that the vote is advisory, so it isn’t as if the UK has immediately exited the EU. They are still part of the EU for the short term. The UK government and the EU have to come to an agreement about how the exit plan will work, and various experts have indicated that this could take two years or more.

How Will Stock Plans Be Impacted?

By now, we are all too familiar with the EU Directives that impact stock compensation. While the Directives are complicated enough, in and of themselves, if the UK leaves the EU, things could get a lot more complicated. The UK will have its own rules that may or may not be the same as the rules in the Directives. A recent alert by Baker & McKenzie summarizes a number of areas in which stock compensation offered to employees in the UK could be affected.

  • Securities Laws: The EU Prospectus Directive (including both the filing requirement and exemptions) will no longer apply in the UK. This could turn out to be better or worse than the way things are now: the UK could require companies offering stock compensation to file a prospectus (probably worse), could provide an exemption for stock plans (probably the same as now for many companies, depending on the requirements for exemption), or could recognize prospectuses filed in the EU (or even in countries outside of the EU, such as the United States) (the same or better).
  • Data Privacy: The EU Data Privacy Directive would also no longer apply in the UK. The EU has proposed new rules for this directive, so right now, we don’t know what the final rules will be for any countries in the EU, much less the UK. But once the UK has left the EU, they can determine their own rules; maybe these rules would be similar to the rules that the EU adopts, maybe not. One bit of good news is that Baker & McKenzie notes that “It would be surprising … if the UK would not consider consent to be a valid ground to collect, process and transfer personal data.” Since that is how most companies comply with the EU Data Privacy Directive for their stock plans, little may change here.
  • Discrimination: There are a number of EU Directives that prohibit discrimination against specified groups of employees. Those Directives would also no longer apply in the UK, but the UK would be free to adopt its own rules on discrimination. Baker & McKenzie notes that they do not expect to see substantial changes here.

Social Insurance, Too

An alert by EY notes that Brexit may also impact the social insurance obligations of mobile employees, their employers’ compliance obligations, and the benefits mobile employees are entitled to. Currently, the EU governs how social insurance applies when employees move between countries in the EU. Unless the UK comes to an agreement with the EU that the EU rules still apply to employees moving between the UK and other EU countries, individual agreements would have to be put in place between the EU and all the EU countries. Some of these agreements exist, but they haven’t been updated since the EU established its rules. Many have expired or don’t address how mobility works in today’s world. This could get ugly.

What About Companies that Don’t Have Stock Plan Participants in the UK?

For those companies, there shouldn’t be any direct impact to their stock plans (other than the impact of stock price volatility resulting from the economic uncertainty caused by Brexit). But, if you are a US-based company with a multi-national stock plan, chances are that you have stock plan participants in the UK. In the NASPP/PwC Global Equity Incentives Survey, the UK is second only to the US in terms of countries where respondents have employees and offer stock compensation.

More to Come

I’m sure there will be more implications to think about as the UK’s exit looms closer. At this year’s NASPP Conference, our perennially popular session, “Around the World in 60 Minutes: Key International Updates,” will most certainly have a lot to say about Brexit, as will the session “Making Sense of Europe.” Be sure to attend one or both of these sessions so you are up to date on how your stock plan participants in the UK will be affected.

– Barbara


December 3, 2015

Data Privacy Upheaval

If you are a company with employees in the European Union (EU) or European Economic Area (EEA), you’ve likely long been aware of the stringent data privacy requirements surrounding the transmission and protection of data for those residing in that region of the world. To facilitate compliance with certain aspects of data privacy requirements, some companies relied (in whole or in part) upon the EU-US Safe Harbor Privacy Program (“Safe Harbor program”), which allowed for transfers of personal data for EU/EEA residents to US companies registered under the program. On October 6, 2015, the European Court of Justice ruled the Safe Harbor program invalid. What is the impact of this ruling on data transfers relative to stock plans? I’ll explore this question in today’s blog.

Much of the information I have on this topic comes from two Baker & McKenzie sources (“New Data Privacy Turmoil?” and “Impact of CJEU US/EU Safe Harbor Program Judgment on Equity Plans”), both available in the NASPP’s Global Stock Plans portal. Let’s now get to the heart of the matter.

How Would This Potentially Affect Stock Plans?

If your company is a US-based company, it’s likely that most or all of your stock plan data is housed in the US. This means that if your plan includes participants in the EU/EEA, their data needs to be sent to the US to be recorded and maintained in the stock plan recordkeeping system. That recordkeeping system could be maintained in-house, or externally via a third party, who also likely maintains data within the US. Additionally, there may be a need to transfer participant data to other third parties who support the company’s stock plans beyond recordkeeping services.

According to the Baker & McKenzie client alert,

“The impact of the ruling on the personal data collection / processing / transfer activities of US multinationals in the context of offering of equity compensation programs to European employees depends upon whether the company had relied on Safe Harbor in this context – or, instead, relied on an alternative method for managing data privacy considerations (e.g., relying on express consent obtained from participants, either through acceptance of its equity award agreements or provided as part of the local new hire on-boarding process). If alternative methods have been relied upon, the ruling is unlikely to have any impact on the equity program. If the company relied on Safe Harbor, it will likely need to start relying on an alternative method.”

The transfer of data provided to brokers is unaffected by this ruling, because financial institutions were never eligible to register under the Safe Harbor program, and as a result, it was never possible to rely on that program to transfer employee data to a broker. Companies had to find an alternate, permissible means of transferring data to brokers. Considering the now-invalidated Safe Harbor program, that is good news for data transfers to brokers or financial institutions, because they were never covered under the program and should remain unaffected by the ruling.

Is Our Stock Plan Affected?

If you have no stock plan participants in the EU/EEA, then this ruling does not affect your stock plans. This only applies to the data of those residing in that region of the world.

For companies that do have stock plan participants in the EU/EEA, the answer to that question is “it depends.” It depends on how the company was complying with data transfer requirements prior to the ruling, as described above. If your company relied on the Safe Harbor program in any capacity, then an alternate method for transferring that data will need to be used.

If your company has no participants in the EU/EEA, but decides to offer equity in that region in the future, it’s important to know that the Safe Harbor program will not be available as a means of compliance with data transfer requirements.

What’s Next?

This ruling has created a wave of turmoil, and not just for equity plans. It’s likely other company functions such as Human Resources are impacted, too. Baker & McKenzie’s suggestion is that “Companies should review their practices with regard to data privacy, including in the context of operating their equity compensation programs. Even if the ruling does not have any direct impact on the equity program, data privacy requirements around the globe are tightening and a regular review of your company’s approach to data privacy is highly recommended.”

There is also talk of a Safe Harbor 2.0, though there is no telling what the timeline or potential for success of such an initiative might be. It’s important that companies recognize the implication of this ruling beyond the immediate effect on employee data transfers. The action of invalidating the entire EU/US Safe Harbor program seems to suggest that the EU has broader concerns about the US’s ability to protect the data of their residents, and it’s possible that other methods of complying with data transfer requirements may be next in line to be evaluated for how effectively they protect privacy. Expect the topic of data privacy to be a hot one for 2016.

Speaking of global hot topics, you can find out “5 Things I Learned About Global Compliance and Communication,” in the latest episode of our popular Equity Expert podcast series.


