City of San Francisco Cityscape. Downtown San Francisco, California, United States.

In brief

On 16 July 2020, the European Court of Justice (“ECJ”) ruled that the EU Commission’s 2016 decision regarding the adequacy of data protection in the United States and the EU-US Privacy Shield (“Privacy Shield”)* are invalid. As a result, companies in the EU and United States relying on the Privacy Shield program are scrambling to determine the impact on their operations.  For a general alert issued by our data privacy colleagues on this topic, please click here Cristina Messerschmidt.


How will this impact share-based incentive programs?

Many US companies grant share-based awards to employees of their subsidiaries in the EU as a discretionary incentive separate from the employees’ local compensation and employment relationship with the respective EU subsidiary.

To administer such awards, companies have to collect, process, and transfer employees’ personal data, including transferring such data to the United States.  The transfer of personal data from the EU to the United States is permissible only if a valid justification exists, and one of such justifications was Privacy Shield.

If US companies rely on voluntary consent from employees of their EU subsidiaries or one of the other justifications regarding the cross-border transfer of their personal data to administer participation in the program, the decision of the ECJ has only limited impact.

Some US companies, however, have relied on Privacy Shield for the legality of cross-border transfers of employee personal data, including in the context of their share-based programs. These companies have to find a new compliance mechanism since 15 July 2020 – without any grace period.

Companies that have relied on alternative justifications are nevertheless reminded by the ECJ that they also need to assess their compliance with contractual and statutory commitments under data protection laws. This applies, for example, to companies that rely on the EU Standard Contractual Clauses.  Finally, it is noted that these obligations do not apply solely to companies in the United States, but also with respect to other countries outside the EU.

Next steps

Companies should review their practices with regard to data privacy, including in the context of operating their share-based incentive programs. Even if the ruling does not have any direct impact on your program, data privacy requirements around the globe are tightening and a regular review of your company’s approach to data privacy compliance is highly recommended. Please contact your Compensation attorney with questions or for assistance.


Thank you to our data privacy colleagues Cristina Messerschmidt and Lothar Determann for their assistance with this alert.

* Privacy Shield is one approach adopted by US companies to address the cross-border data transfer restrictions under the EU General Data Protection Regulation (Regulation (EU) 2016/679).  Prior to the ECJ’s ruling, Privacy Shield served as an “adequacy” mechanism to protect cross-border transfers of personal data from the EU to the United States.

Previous articleSingapore: Landmark decision on Breach of Confidentiality
Next articlePhilippines: COVID-19 – The National Labor Relations Commission Issues Interim Amendments to the 2011 NLRC Rules of Procedure, As Amended