Companies preparing CEO pay ratio disclosure for the 2018 proxy season should not assume they will be able to rely on the Privacy Exemption with regard to gathering information about non-US employees.
This client alert briefly summarizes the key provisions of the SEC’s final CEO pay ratio disclosure rule and focuses on the limited exemptions provided for non-US employees. As described in more detail below, invoking these exceptions will likely be difficult in practice. Companies should, however, generally be able to take steps to gather the necessary information in accordance with applicable law.
Uncertain Status of the Final Rule
In August 2015, the Securities and Exchange Commission (the SEC) adopted its final pay ratio disclosure rule requiring public companies to compare the compensation of their chief executive officer to the median compensation of their other employees. The SEC’s pay ratio rulemaking was mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act ( the Dodd-Frank Act). The final rule applies to issuers for their first fiscal year beginning on or after January 1, 2017. Therefore, calendar year issuers will need to begin including pay ratio disclosure in their proxy statement for the 2018 proxy season.
On February 6, 2017, newly-appointed SEC Chairman Michael S. Piwowar issued a public statement questioning the rule. The statement indicated that "some issuers have begun to encounter unanticipated compliance difficulties that may hinder them in meeting the reporting deadline" and encouraged the submission of detailed comments by affected companies. The statement also directed the SEC staff to "reconsider the implementation of the rule based on any comments submitted and to determine as promptly as possible whether additional guidance or relief may be appropriate."
According to published reports, the SEC’s request for additional comments did not give rise to a groundswell of opposition from companies subject to the pay ratio disclosure rule. The SEC received 13,000 form letters in favor of the final rule and approximately 180 individual comment letters, of which only about 15% opposed implementation of the final rule.
In Congress, the House Financial Services Committee is currently considering the "Financial Choice Act of 2017," which would, among other significant changes, repeal the CEO pay ratio disclosure provisions of the Dodd-Frank Act in their entirety. The prospects for Dodd-Frank Act repeal legislation ultimately being adopted by Congress and signed by the President are highly uncertain, although it appears that the elimination of the CEO pay ratio disclosure provisions of the Dodd-Frank Act is likely if repeal legislation is enacted.
In view of the continuing uncertainty regarding the possible repeal or delay of the SEC’s CEO pay ratio disclosure rule, many issuers are continuing their preparation for providing the required disclosure in their 2018 proxy statements.
Overview of the Final Rule
The new CEO pay ratio disclosure rule, which is contained in Item 402(u) of SEC Regulation S-K, requires public companies to disclose:
- the median of the annual total compensation of all US and non-US employees, other than the chief executive officer;
- the annual total compensation of the chief executive officer; and
- the ratio of these amounts.
According to the SEC, the pay ratio disclosure rule is intended to provide companies with flexibility in selecting an appropriate method for identifying their median employee based on the size and structure of their business and details of their compensation programs. Companies will be permitted to identify their median employee based on the compensation paid to their full employee population. Alternatively, companies may determine their median employee through statistical sampling or another reasonable method.
Companies may identify the median employee based on any consistently used compensation measure, such as compensation amounts reported in their tax or payroll records. The median employee is required to be an actual, individual employee. Companies are not, however, required to identify the median employee by name or other identifiable information. The pay ratio disclosure rule permits companies to identify the median employee only once every three years, provided that there has not been a change in employee population or employee compensation arrangements that would significantly change the pay ratio disclosure.
Once the median employee has been identified, the total compensation for the median employee is required to be calculated for the last completed fiscal year, consistent with the requirements for calculating the chief executive officer’s total compensation for purposes of the summary compensation table in accordance with Item 402 of Regulation S-K.
Limited Exemptions for Non-US Employees
The SEC’s final CEO pay ratio disclosure rule generally requires companies to include all US and non-US employees in their pay ratio calculations. The rule, however, provides certain limited exemptions for non-US employees. These include an exemption for employees located in non-US jurisdictions in which a company is unable, despite its reasonable efforts, to obtain and process the information necessary to comply with the pay ratio disclosure rule without violating applicable data privacy laws or regulations (the Privacy Exemption). The final rule also includes an exemption permitting companies to exclude certain non-US employees representing up to 5% of the company’s total employee population (the De Minimis Exemption).
The Privacy Exemption
The Privacy Exemption provides an exemption to the pay ratio disclosure rule for employees located in non-US jurisdictions in which a company is unable, despite its reasonable efforts, to obtain and process the information necessary to comply with the pay ratio disclosure rule without violating applicable data privacy laws or regulations.
In order to satisfy this reasonable efforts requirement, a company must at a minimum use or seek an exemption or other relief available under the applicable non-US law or regulation. In addition, the proxy statement or other disclosure document in which the pay ratio disclosure is included must identify the excluded jurisdictions, provide the approximate number of employees in each jurisdiction, explain how compliance with the pay ratio disclosure rule would violate the applicable non-US data privacy laws or regulations, and describe the company’s reasonable efforts to obtain an exemption or other relief. A company wishing to rely on the Privacy Exemption would also need to obtain a written opinion of local counsel confirming that the company cannot obtain or process the necessary information without violating the applicable privacy laws or regulations and file that opinion as an exhibit to the filing containing the pay ratio disclosure. If a company relies on the Privacy Exemption for any non-US jurisdiction, it must exclude all employees located in that jurisdiction from its pay ratio calculation.
In practice, the Privacy Exemption will be difficult for many companies to invoke. Most non-US jurisdictions would only require that certain implementation steps be taken prior to gathering and transferring employee census data or other personally identifiable information to the United States, meaning that companies will in most cases not be able to argue that complying with the disclosure rule would result in an outright violation of privacy rules that cannot be avoided. These steps would include providing employees notice about the types of information gathered, its purposes of use and potential transfers of disclosures. Moreover, to the extent information needs to be transferred in identifiable form to the United States for analysis, many countries, particularly those in the European Union, require the implementation of a cross-border transfer solution, such as self-certification with EU-US Privacy Shield Framework, execution of model agreements or consent (although the enforceability of consent in these circumstances may be questionable as providing the information is likely not truly voluntary for the employees involved).
Companies with more mature privacy programs may actually have taken the steps necessary to permit the transfer of the necessary information the United States as part of a broader program. To the extent this is not the case, companies could take steps to implement a more narrow solution or include this collection of census data as part of an on-going privacy initiative.
To the extent companies have not already addressed these requirements in the context of a broader compliance effort or do not wish to take the steps to permit the transfer of personally identifiable information to the United States, another option would be to gather the information in the relevant country and remove/redact personally identifiable information prior to transferring it to the United States. Personally identifiable information would include name, email address, employee ID or other information that could be used to link the relevant compensation information to a particular individual. Removing personally identifiable information would arguably take the information outside the scope of applicable data privacy laws, which apply only to information that is identifiable in nature, such that it could be transferred and used without further implementation steps. The risk associated with this option could be higher to the extent that the employee population in a particular non-US jurisdiction is so small that it would be difficult to fully anonymize the information about the employees, but companies may be able in such instances to remediate this risk by invoking the De Minimis Exception discussed below.
De Minimis Exemption
In addition to the Privacy Exemption, the SEC adopted a De Minimis Exemption that provides that if non-US employees account for 5% or less of a company’s total employee population, the company may choose to exclude all, but not less than all, of its non-US employees when identifying its median employee. Where a company’s non-US employees exceed 5% of the company’s total employee population, the company may exclude up to 5% of its total employees who are non-US employees from this determination. If, however, a company excludes any employees in a particular non-US jurisdiction, it must exclude all employees in that jurisdiction. Further, employees excluded pursuant to the Privacy Exemption will count toward the 5% limit for the De Minimis Exemption. Use of the De Minimis Exemption also requires an accompanying disclosure of the details of how the company applied the exemption.
In conclusion, companies preparing for the upcoming 2018 proxy season should not assume that they will be able to rely on the Privacy Exemption with regard to gathering information about non-US employees. Therefore, to the extent the De Minimis Exemption also would not apply, companies should evaluate the privacy issues as part of the disclosure preparation process to make sure that they have or will take steps to address privacy requirements and related compliance risks. The particular approach will vary by company, but in most instances, companies should be able to address these issues with proper planning and coordination among the US and non-US operations.