Multinational companies doing business in the United States, the European Union and beyond are all too familiar with how vastly laws can differ across jurisdictions.

A good example is the gulf between the privacy laws of the United States and the European Union. Under the EU’s Data Protection Directive (95/46/EC), EU employers are required to inform employees of the types of personal data they expect to process and to follow a set of principles during that processing to ensure that it is lawful and fair, which may include seeking specific consent from the employee in certain circumstances. In the United States, by contrast, there are comparatively few statutory privacy protections in place when it comes to processing an employee’s personal data. With limited exceptions, US employers are free to process all kinds of sensitive information about their employees—from racial and ethnic origin to sexual orientation and political opinions—without the employee ever being notified, let alone asked for consent.

These two worlds seem to be moving closer as a recent Massachusetts law now requires employers in that state to give an employee notice whenever negative information is placed in an employee’s personnel file. This resembles EU employee privacy principles more closely than anything enacted previously in the United States. Are European privacy concepts making their way across the Atlantic? Is this a good thing?

The Massachusetts Law

The new amendment to the existing Massachusetts Personnel Record Law, M.G.L. c. 149, Section 52C, now requires Massachusetts employers to, among other things,

… notify an employee within 10 days of the employer placing in the employee’s personnel record any information to the extent that the information is, has been used, or may be used, to negatively affect the employee’s qualification for employment, promotion, transfer, additional compensation or the possibility that the employee will be subject to disciplinary action.

Apparently, two legislators pushed for the amendment after a local police officer lost a promotion based on information he never knew was in his personnel file.

Interestingly, the existing Personnel Record Law already gave the officer the statutory right to respond to information in his file. The amendment now purports to ensure that employees will know when negative information has been placed in their file, so they may assert this statutory right to respond. The law also gives the employee the right to review, inspect and be given a copy of his or her personnel record within five days of submitting a written request.

The newly amended law does not, however, create a private right of action for aggrieved employees. Only the Massachusetts Attorney General can enforce the Personnel Record Law and each violation is punishable by a fine of between US$500 and US$2,500. Thus, if an employee is dismissed based on information not shared previously, the employee must take his or her complaint to the Attorney General who then can elect whether to investigate and assess a penalty. In other words, the employee has no independent right to sue for reinstatement or back pay in such circumstances.

The European Approach

The EU Data Protection Directive sets baseline principles governing the rights of “data subjects”: people who are identified or identifiable from information (“personal data”) processed by “data controllers” who determine the purpose and means of that processing.

EU Member States are free to increase the protections for their residents when they write their own laws implementing the Directive’s principles, but at a minimum the principles give European employees the right to be informed by their employer—who is the “controller” in this case—of the purposes for which the information about them is processed and of their right to access the information and rectify it if incorrect or inaccurate.

The access right is, at a minimum, access “without constraint at reasonable intervals and without excessive delay and expense” to the data in an intelligible form. Different EU Member States approach this in different ways. In the United Kingdom, for example, the employee/data subject has to ask in writing with some specificity as to what is sought, pay £10 and wait up to 40 days, but can then access not only a hard copy personnel file, but also e-mails about them (usually redacted for any contents identifying other data subjects).

Most EU employers deal with the “information” requirement by having a broad statement in their handbooks about what sort of data they expect to process about employees, including data relevant to appraisal, promotion, discipline, etc. There is no general content-based requirement to inform the employee about a specific, routine, but possibly negative piece of information generated by the employer.

When information comes to the employer from a third party (i.e., not from the employee), information about the purposes of its processing should, according to the Directive, be provided “at the time of undertaking the recording”. Again, most employers deal with this in a general data protection policy. Certain EU Member States do, however, take a strict approach to “non-standard” data. France, for example, takes a very strong legal stand against allowing whistle-blowing claims to be registered against employees by third parties unless they relate to serious risks to the company in the fields of accounting, financial audit, bribery and banking, or other serious risks to the vital interests of the company or its employees’ physical or mental integrity. If a claim outside these areas is made, the French Data Protection Authority, CNIL, advises that the reported person should be informed unless the report is deleted rapidly, so that the employee can exercise his or her rights of access and rectification. This is a position that many US multinationals will recognise as having complicated the establishment of group-wide Sarbanes-Oxley compliance helplines in France.

A Cultural Shift in the United States?

While the amendments to the Massachusetts law may appear to be an isolated, state-based example with limited application, if the approach begins to take hold in other US states, it could signal the start of a broader cultural change in the US workplace from a privacy rights perspective. Texas was the first state to enact a law giving employees the right to be notified when an employer “processes” negative information about them by placing it in a personnel file, although it applies only to public sector employees in the Sheriff’s Department. The Massachusetts law has now expanded the requirement beyond the public sector and into all Massachusetts workplaces. In addition, from a data protection and employment rights perspective, the Massachusetts law seems actually to go beyond existing European protections both in terms of process—placing far more onerous and frequent obligations upon employers—and by focusing on content (European data protection laws are generally content neutral).

Conclusion

It may be too early to tell whether the Massachusetts law signals a broader trend. In the meantime, there is no question that in-house privacy officers and persons responsible for data management at companies with employees in Massachusetts need to be aware of this new requirement and evaluate how it will affect their existing policies and procedures. In particular, companies with multi-jurisdictional reach will be wise to consider the broader implications of this new Massachusetts law and consider whether and how to accomplish its requirements while, at the same time, staying consistent with the culture of the existing workplace.

An expanded version of this article appeared in BNA's Privacy & Security Law Report, 9PVLR38, 09/27/2010. Portions of the article were reprinted here with permission from BNA. Please contact the authors for a copy of the full article as it appeared in the BNA's Privacy & Security Law Report, including an expanded analysis of how multinational companies can adapt their existing privacy policy frameworks to account for these legal developments.