Header graphic for print

Immigration Compliance and Background Screening

California Law and Background Screening

Posted in Background Check

Happy post-Thanksgiving!  News flash for the background screening industry as well as users of background checks in California.  The California Supreme Court has agreed to consider whether the Investigative Consumer Reporting Agencies Act (ICRAA) is unconstitutionally vague when applied to employee background checks because of its overlap with another California law, the Consumer Credit Reporting Agencies Act (CCRAA).

The California Supreme Court will review a decision by the Second Appellate District Court which held that ICRAA is not unconstitutionally vague.

Quick overview of California law.  The ICRAA relates to non-credit related investigative consumer reports.  An “investigative consumer report” under California law is a report which includes information on a consumer’s character, general reputation, personal characteristics, or mode of living.  Contrast that with the CCRAA, which relates to “consumer credit reports,” including reports bearing on a consumer’s credit worthiness, credit standing or credit capacity.  Now think of both of these reports in the employment screening context and consider that the ICRAA includes an additional authorization requirement not found in the CCRAA.  The argument has been that there is overlap and confusion about which law applies when information in the report can potentially relate to both character information as well as creditworthiness information.  The ICRAA covers character information and the CCRAA covers creditworthiness information.

Back to the case that the California Supreme Court will review.  That is Connor v. First Student, case number S229428. The case involves bus drivers and investigative consumer reports under the ICRAA (aka background checks), with the bus drivers alleging that First Student did not obtain their prior written consent as required under the ICRAA, but not the CCRAA.  Plaintiffs are seeking $10,000 statutory penalties per violation. At issue is the constitutionality of the ICRAA, and thanks to Connor there is a split in the California courts on this point.   In a 2007 case, Ortiz v. Lyon Management Group, the court found that the ICRAA is unconstitutionally vague because one couldn’t determine whether unlawful detainer information constitutes “character” information covered by the ICRAA or “creditworthiness” information governed by the CCRAA.  Most recently, the Court of Appeal of the Second Appellate District stated that they disagreed with Ortiz and that “there is nothing in either the ICRAA or the CCRAA that precludes application of both acts to information that relates to both character and creditworthiness. Therefore, we conclude the ICRAA is not unconstitutionally vague….” (Opinion p. 3)

How Do I Lawfully Transfer Personal Information from the EU to the US?

Posted in Personal Information

Please join us for a complimentary webinar on the European Court of Justice’s decision that transfers of personal data from the European Union (EU) to the United States are unlawful under the Safe Harbor program.  This webinar is for any company that transfers personal data from the EU to the United States and is considering alternative options in order to facilitate such transfers.

The webinar is Thursday, November 12th at 1:30 pm EST.  It will be conducted by Arnall Golden Gregory LLP, in partnership with Employment Background Investigations.

Click here to register and I hope you’ll join us.

Employment Background Screening 101

Posted in Background Check, Credit Reports, Criminal History Records, Equal Employment Opportunity Commission, FCRA

Here’s a free webinar that will snap you out of your deep despair over the fact that it is now dark at 5:02 pm.

I will join Hire Image CEO, Christine Cunneen, to present a 1 hour webinar packed with actionable information and best practices to help you:
  • Minimize the risk associated with background screening of applicants and current employees;
  • Be aware of new state laws that are increasing restrictions on employers;
  • Know what you need to do in light of recent EEOC activities that could signal major changes to come in the background screening process.

This activity has been approved for 1 HR (General) recertification credit hour toward California, GPHR, HRBP, HRMP, PHR and SPHR recertification through the HR Certification Institute.

Click here to register. The webinar is November 17th at 3 pm EST.

Complimentary Webinar on U.S. Business Immigration

Posted in Immigration

Arnall Golden Gregory’s (AGG) Employment and Immigration Teams invite you to participate in the following complimentary webinar, featuring AGG partner Teri Simmons.

“Navigating the U.S. Business Immigration Maze: Practical Guidance for Employers “ will be offered Tuesday, November 17, 2015.

Global competition continues to rise, increasing pressure on U.S. employers to attract and retain the world’s best and brightest talent. By 2018, the shortage of qualified STEM (science, technology, engineering, and mathematics) workers for open positions is expected to exceed 200,000. At the same time, U.S. employers fight each year for the chance to enter the lottery for scarce specialty worker visas, which are filled within days of the government’s opening bell. In addition, talented international students graduate each year with few options to use their training for U.S. employers. As the U.S. evolves into a more knowledge-driven economy, employers face diminishing options for using talented foreign workers. Immigration lawyers from across the nation will address the following business immigration hot topics and help demystify the U.S. immigration process to keep you competitive in the hunt for global talent:

  • L-1 Visas: Pitfalls and strategies for intra-company talent transfers
  • H1b cap strategies: To STEM and beyond!
  • Keeping them legal: Managing the compliance patchwork and the I-9
  • Who’s knocking? Handling the H1b Audit
  • Understanding the changes to the Visa Bulletin
  • Best practice take-aways

Please click here for more information on the program and to register.

CFPB Enforcement Action Against Two Background Screeners

Posted in Background Check, FCRA

The Consumer Financial Protection Bureau (CFPB) announced that it has taken action against two large background screening companies.  Yes, you are reading this correctly.  The CFPB…not the Federal Trade Commission, has taken an enforcement action against two background screening companies.  Holy smokes Batman!  This is very big news and screening companies must take note.

Breaking it down.  The Consent Order is about: (i) the accuracy of the reports under section 607(b) of the Fair Credit Reporting Act (FCRA); (ii) public records and section 613 of the FCRA related to notice versus strict procedures; and (iii) the obsolescence rule under section 605(a) of the FCRA.  It is about employment background screening reports to employers.  Action is pursuant to the FCRA. The fines total $13 million.

If you are a background screening company the Consent Order is mandatory reading so you can reflect upon and consider how the allegations/findings are addreseed (or not) by your company.  Here’s what the CFPB alleges about the screening companies:

  • They failed to take basic steps to assure accuracy: The CFPB alleges, among other things, that there was no requirement for employers to provide consumers’ middle names; no written policy for researching consumers with common names or nicknames; and a failure to use an audit process to adequately test the accuracy of the reports provided.
  • They failed to meet certain requirements when reporting public records: this part of the Consent Order blends with the 607(b) allegations about accuracy and failure to maintain appropriate procedures under section 613 of the FCRA.
  • They included impermissible information in consumer reports: The CFPB alleges that both companies failed to take measures to prevent non-reportable civil suit and civil judgment information older than seven years from being impermissibly included in their reports because they did not have sufficient policies and procedures in place.

Important – starting on page 11 of the Consent Order the CFPB spells out what a Compliance Plan should look like. Read it if you are a background screener.  If you need counsel, we can assist.

Mark Your Calendar

Posted in FCRA

The day is almost upon us.  Halloween, you say?  No, oral arguments in the Spokeo case.  Way more exciting.

Spokeo, Inc. v. Robins is important because it goes to the heart of when a claim for non-compliance can be brought under the Fair Credit Reporting Act (“FCRA”) (15 U.S.C. § 1681).  The case comes from the 9th Circuit.  Short version is that the plaintiff alleges that Spokeo posted information about him which was inaccurate and failed to provide certain notices.  But no actual harm.

Issue before the Supreme Court: Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.

Lots of people have filed amici briefs (friend of the court briefs), including NAPBS, the Chamber of Commerce, CDIA, the credit bureaus and so on.  Even the government got in on brief writing, in favor of Robins.   Click here to read more.

Bottom line — oral arguments are next week and expect the Supreme Court to decide by June of 2016. While the issue may seem one better suited for legal geeks — can an individual bring a claim alleging an injury in law, but not one where he suffered actual harm — the reality is that this case could have significant ramifications for consumer lawsuits. Plaintiff’s bar is going bonkers (not a legal term) filing individual and class action complaints against employers alleging technical violations of the FCRA (e.g., not providing the disclosure or authorization or failure to follow adverse action steps). If the Supreme Court decides that plaintiffs must demonstrate actual harm, not just a mere technical violation of the law, that would be significant and limit such claims.  However, if the Supreme Court goes the other way, employers and others who operate under the FCRA can expect more litigation alleging technical violations of the FCRA, not grounded in any injury or harm.

Spokeo, Inc. v. Robins, 742 F.3d 409 (9th Cir. 2014), cert. granted, 135 S. Ct. 323 (U.S. Apr. 27, 2015) (No. 13-1339).

Background Screening – When is Section 603(y) Applicable?

Posted in Background Check

Post written by guest author Maayan Lattin.

When a company uses commercial background checks to evaluate the suitability of job applicants, they must comply with the Fair Credit Reporting Act (FCRA), which regulates the collection, dissemination, and use of consumer information when communicated through a consumer report. The FCRA stipulates that before an employer obtains a consumer report about an applicant, the applicant must receive notice and certain disclosures of their rights, and must provide their written consent. If the employer anticipates not hiring the candidate based in whole or in part on the information in the report, then the employer must also provide an “adverse-action” notice to the candidate, including a copy of the report and a description of the consumer’s rights.

These FCRA requirements have limited and narrow exceptions, such as Section 603(y), which excludes certain communications for employee investigations. Section 603(y) states that a communication is not considered a consumer report—and therefore exempt from FCRA rules—if it is “made in connection with an investigation of—(i) suspected misconduct relating to employment; or (ii) compliance with Federal, State, or local laws and regulations, the rules of a self-regulatory organization, or any preexisting written policies of the employer.”

Employers, lawyers and the background screening industry have debated when background checks of job applicants fall under this 603(y) exception. Recently, in a Staff Letter, the Federal Trade Commission (FTC) examined whether background screening reports for job applicants are exempt from FCRA requirements under Section 603(y)—and the short answer was, “No.

In the letter, the FTC explains that the Commission:

  • Views “Section 603(y) as covering only investigations of current employees, rather than investigations of both current employees and job applicants.”
  • Believes an “existing employment relationship” is necessary in order to apply 603(y), and supports its limited reading of the exception, by citing to legislative history suggesting 603(y) was added as “a narrow technical correction.”
  • Advises that the FCRA is “a remedial statute that must be read in a liberal manner” and “its exceptions [should] be narrowly applied.”

The FTC’s Staff Letter was clear that job applicants are not “employees” and therefore, do not fall within the narrow 603(y) exceptions for investigations of “suspected misconduct relating to employment” or “preexisting written policies of the employer”. That much seems clear. However, the FTC did not address other situations involving prospective or conditional employees that potentially trigger the second prong of 603(y), namely “compliance with Federal, State, or local laws and regulations, [or] the rules of a self-regulatory organization.” Several industries, such as the financial sector, require background checks of certain employees. The question is how does 603(y) apply when it intersects with other laws, regulations and rules?  Perhaps that is still up for debate.

ECJ Invalidates Safe Harbor: Background Screeners should re-evaluate their basis for EU-US data transfers

Posted in Background Check

Today’s post is written by my colleague Kevin Coy, a Partner in our Privacy and Consumer Regulatory practice group.

Since 2000, the EU-US Safe Harbor program has been one means by which eligible US companies could transfer personal data from the European Union (EU) to the United States in accordance with EU law regulating transfers of personal data. On October 6th, the European Court of Justice (ECJ) ruled, in Schrems v. Data Protection Commissioner (C-362/14), that the European Commission’s 2000 finding that EU/US Safe Harbor framework (Safe Harbor) provided an adequate level of protection was invalid.

The 1995 EU data protection directive (the “Directive”) restricts the transfer of personal information from the EU to countries outside the EU that lack what the EU considers to be “adequate” privacy protection. Europeans do not deem US law to be adequate and Safe Harbor was created to facilitate transfers from the EU to the US. Safe Harbor has been used by over 4500 companies, including many background screeners, as a legal basis for transferring personal information from the EU to the United States since the program was implemented in 2000.

The ECJ Opinion. The ECJ found that the 2000 European Commission Safe Harbor adequacy finding was deficient in a number of respects and is, therefore, invalid. In particular, the ECJ noted that the European Commission’s adequacy finding did not find that US law provides a level of protection for personal data “essentially equivalent” of that guaranteed under EU law. The ECJ noted that US government agencies are not subject to Safe Harbor’s requirements and hence not bound by the rules of the program. The Court also found a Safe Harbor provision deferring to US national security and law enforcement needs–in the event of a conflict between those interests and the requirements of the Safe Harbor principles–to “enable interference” with the fundamental rights of EU citizens by US officials, without limitation. The Court also faulted the program for not providing an opportunity for EU citizens to seek redress in the case of such governmental interference.

In another aspect of the opinion likely to have long term implications, the ECJ also stated that adequacy findings are subject to challenge through Data Protection Authorities (DPAs) and the courts in each of the EU’s 28 member states, but held that only the ECJ itself has the authority to invalidate an adequacy finding. This part of the ruling appears to empower consumers and advocates in the EU to bring complaints and require that the DPAs address them, unlike the situation that prompted the Schrems case where the Irish DPA refused to address Mr. Schrems’ complaint against Facebook because of the European Commission’s Safe Harbor adequacy finding.

What does the opinion mean? In the short term, there is likely to be a period of uncertainty around data transfers from the EU to the United States, particularly those involving Safe Harbor participants. It appears unlikely that the European DPAs will seek to bring retroactive actions for data previously transferred from the EU to the US through Safe Harbor in good faith in compliance with the program’s requirements. However, moving forward, background screeners and other companies that use Safe Harbor themselves or rely on service providers that use Safe Harbor in the course of providing services should review their options and strategies for transferring personal data from the EU to the United States to mitigate potential risks of complaints or enforcement inquiries in the EU. While the ECJ opinion struck down the Safe Harbor adequacy finding—and potentially lays the groundwork for challenging other adequacy findings—other means of transferring personal information, such as European Commission approved standard (aka “model”) contract clauses currently remain a valid option for facilitating data transfers.

With the invalidation of the Safe Harbor adequacy finding, DPAs in each of the EU Member states may take different positions with respect to transfers by companies that had been relying on Safe Harbor. The UK Information Commission’s office, for example, issued a statement that said in part, “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognize that it will take them some time for them to do this.” DPAs in other EU Member states may take different approaches, potentially driven by consumer complaints about transfer practices, which the ECJ said could be appealed to national courts in the event that the DPA rules against the complaint. A number of data protection authority officials issued statements stressing the need for the DPAs to consult on their approach to the issue. Meetings among the EU DPAs are underway and are expected to provide further guidance about the approach that the DPAs will take in the aftermath of the Schrems ruling.

What about a new or reformed Safe Harbor program? The EU and the US have been in ongoing discussion about reforming Safe Harbor and recent reports indicate that those talks had been nearing completion. However, any reform of Safe Harbor will now need to be reviewed to take the ECJ’s opinion into account, which could take some time. The ECJ had a number of objections about the original Safe Harbor program which could raise the bar for the new agreement, because it too could be challenged and subject to a future ECJ case. Statements from the Department of Commerce as well as European Commission officials following the ECJ ruling both referenced the ongoing negotiations over a reformed Safe Harbor program and the importance of the continued flow of personal information across the Atlantic. No timetable has been offered as to when such an agreement might be finalized or implemented.

What other options are available to transfer personal data from the EU to the US? Even with the invalidation of the Safe Harbor adequacy finding, there are still strategies for lawfully transferring personal data from the EU to the United States. Which of these strategies—or some combination of them—would work for a particular background screener will depend on its situation and the needs of its clients, some of whom may quickly want to implement alternate measures while others may be more inclined to wait to see what additional guidance the DPAs provide or how quickly a new Safe Harbor can be developed. Potential options include:

  • Standard contractual clauses. Screeners with clients in the EU may be able to use standard or contractual clauses that have been approved by the European Commission under a separate adequacy determination which was not before the ECJ in the Schrems case as a basis for transferring data from the EU to the US. These clauses, which have been approved for data transfers from the EU to third countries around the world, not just for transfers to the United States, must be adopted by the parties without modification (except for a few particular clauses where customization is permitted) to obtain the benefits of the European Commission’s adequacy finding.  Standard contractual clauses may be useful, for example, for background screeners that have clients in the EU and need to transfer personal information about the client’s applicants or employees to the US for processing. These clauses impose a number of obligations, including requirements to flow commitments downstream to subcontractors, which should be carefully considered with counsel.
  • Consent and other “derogations.” The EU Directive’s restriction on the transfer of personal data to third countries that lack an “adequate” level of data protection includes a number of limited exceptions or “derogations,” which, depending on the circumstances, also could serve as a basis for transferring personal information:
    • The data subject has given consent unambiguously to the proposed transfer.
    • The transfer is necessary for the performance of a contract between the data subject and the controller (essentially the party that controls what happens to the personal data) or the implementation of pre-contractual measures taken in response to the data subject’s request.
    • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party.
    • The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims.
    • The transfer is necessary in order to protect the vital interests of the data subject.
    • The transfer is made from a public register to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

While some of these derogations may seem broad at first, their potential applicability should be carefully reviewed because EU authorities tend to interpret the derogations narrowly. In the case of consent, for example, the European view is that consent must be freely given, which can present challenges in areas such as employment screening, where EU data protection officials may question whether consent has been freely given because of perceived imbalances in the relationship between employer and employee.     Similarly, when “necessary” is used in a derogation, this is often narrowly construed; EU data protection officials do not interpret “necessary” as being merely convenient to the company that would be transferring the personal data.     Screeners may be able to use the public register derrogation in some cases to facilitate transfers on behalf of their customers, although the laws governing particular public registries in each of the EU member states will have an impact on whether, and to what extent this derogation will provide a basis for transfer of data from that registry. The DPAs have cautioned that this derrogation should not be interpreted as permitting bulk transfers of data found on EU public registries, but the derogation could prove useful in the context of some individual screening initiatives.

  • Binding Corporate Rules. Binding corporate rules (BCRs) are binding privacy commitments that a multi-national family of companies makes to EU DPAs to govern transfers of personal information within that family of companies. BCRs are not likely to be an option for most screeners.

The ECJ opinion is significant in a number of respects and likely will have long term implications. In the near term, background screeners that rely on Safe Harbor directly or indirectly to facilitate transfers of personal information from the EU to the US should re-evaluate what personal information they transfer from the EU to the US and consider alternate measures to mitigate their potential risk.

AGG’s Annual Employment Law Seminar

Posted in Uncategorized

If you are near the Cobb Energy Centre outside of Atlanta please join me for my firm’s annual employment law seminar.

Date: Thursday, October 8, 2015 from 8:00 am – 3:00 pm

Location: Cobb Energy Performing Arts Centre

Cost: FREE, plus complimentary breakfast and lunch will be provided

Our attorneys—who have been recognized by Chambers USA: America’s Leading Lawyers for Business and Super Lawyers—will provide the coaching you need to tackle today’s employment challenges.

Topics Include:

  • New Rules: The DOL’s Efforts to Expand the Coverage for Overtime Pay.
  • Labels Really do not Matter: The Dual Efforts of the DOL and NLRB to make Everyone an “Employee”.
  • The Expanding Definition of “Sex”: From Pregnancy to Same Sex to Transgender Rights in the Workplace.
  • Screen at Your Own Peril: How to Effectively Consider Criminal Records Given the EEOC’s Guidance and Enforcement Efforts and Expanding “Ban the Box” Legislation.
  • Living in a Global Workplace: Minimizing the Risk of Migrating Key Personnel Across Borders.
  • The Implementation of the Employer Mandate Under the Affordable Care Act: Regulatory Traps for the Unwary Employer.

Click here to register.

E-Verify Program Status

Posted in E-Verify

Hours before the government was due to shut down, the President signed into law a stopgap measure which will fund the federal government through December 11, 2015.   The possibility of a government shutdown would have affected, among other programs, the E-Verify program administered by U.S. Citizenship and Immigration Services (USCIS).     Similar to the 2013 federal government shutdown, which forced USCIS to pull the plug on employers’ use of the E-Verify system due to a lack of government funding, there would have been a repeat situation. 

Passage of H.R. 719 removes the immediate threat of a government shutdown.  For purposes of the E-Verify program, passage of H.R. 719 is noteworthy as not only is the program funded through December 11, 2015, its authorization to exist as a program was also extended until December 11, 2015.  For those keeping close tabs on E-Verify, you will know that congressional authorization for E-Verify expired September 30, 2015.  Negotiations are on-going in Congress to reauthorize the program for a period of 3 to 5 years.