Please join me and my colleague, Teri Simmons, for a free webinar on January 24th at noon EST during which time we’ll discuss immigration compliance issues relevant to employers.  We’ll also cover what organizations can expect in 2017 under the new Administration.

Teri and I will cover topics related to the Employment Eligibility Verification form (the “Form I-9”), E-Verify, government investigations and penalties related to the Form I-9, and on-site audits when petitioning for H and L nonimmigrant status.  Click here to register and learn more about the topics we’ll address.

The webinar is pending CLE credit approval by the State Bar of Georgia.


The U.S. and Swiss governments have finalized a Privacy Shield agreement to allow the cross-border transfer of personal data from Switzerland to the United States.

First, let’s jump in our proverbial time machine and go back in time.  Prior to the EU – U.S. Privacy Shield framework hammered out post-implosion of the EU – U.S. Safe Harbor framework due to the European Court of Justice’s decision in Schrems in 2015 (read about that here), we had both a Safe Harbor framework for the cross-border transfer of personal data for the European Union at large to the United States, and separately for transfers from Switzerland to the United States.  Enter the EU – U.S. Privacy Shield agreement finalized last year, which addressed transfers of personal data from the European Union to the United States, but not Switzerland.  In fact, it wasn’t entirely clear what the Schrems decision meant for the Swiss – U.S. Safe Harbor agreement since the Swiss seemed to be saying that it too was no longer relevant post-Schrems but yet the U.S. Department of Commerce said they would continue to administer the program.  And now, let’s return to the present.

There is a new Swiss – U.S. Privacy Shield framework which can serve as a mechanism to lawfully transfer personal data from Switzerland to the United States. Companies can begin self-certification under this program on April 12, 2017. This new framework will replace the Swiss – U.S. Safe Harbor framework.  Here is what the Swiss are saying, “At its meeting today, the Federal Council took note that a new framework, Privacy Shield, has been established for the transfer of personal data from Switzerland to the USA. Privacy Shield replaces the Safe Harbor Agreement between Switzerland and the USA, which the FDPIC had declared inadequate and which the Federal Council has now formally terminated. The FDPIC welcomes the introduction of the new framework.”  Read more of this press release from the Swiss Federal Data Protection and Information Commissioner (FDPIC) by clicking here. To read the press release issued by the U.S. International Trade Administration, click here.

Happy New Year!

The (some would say unexpected) results of the presidential campaign have led us down a path where president-elect Trump will be sworn in January 20, 2017.  While the dust is still settling, and will continue to settle over the coming weeks and months, employers should prepare for the potential impact this Administration could have on immigration compliance.  What do I mean by immigration compliance?  I’m talking the new Employment Eligibility Verification form (the “Form I-9”), mandatory E-Verify, and increased government investigations. While today’s hype may be about border security, vetting of refugees, and deporting criminal aliens, I believe immigration compliance is an area that will take on greater importance under this Administration.  I’m doing two (because it’s that important) free webinars with colleagues on this topic and I hope you will join us.

The first one–Understanding the New Form I-9 and the Election’s Potential Impact on Immigration Reform–is sponsored by Equifax Workforce Solutions on January 19, 2017 at noon EST.

Click here to register.

I’ll post information on the second webinar, which will be hosted by my firm on January 24, 2017, at a later date.

Los Angeles is the latest major city to pass a Ban the Box measure (Ordinance 184652) applicable to private employers. It will become effective January 22, 2017 and will be enforced beginning in July 2017. Other major cities with Ban the Box laws include:

And don’t forget that eight states have Ban the Box measures on their books which are applicable to private employers — HI, IL, MA, MN, NJ, OR, RI, VT.

What is Ban the Box?  In its most basic form it means that an employer cannot ask on the job application about criminal history (i.e., arrests or convictions).  Generally, an employer must wait until a conditional offer of employment has been extended to inquire about criminal history and conduct a background check.  Ban the Box moves the criminal history inquiry until later in the process to afford ex-offenders the opportunity to be judged on their merit and not their past. At least in theory that’s what is supposed to happen as a result of Ban the Box measures, which are often referred to as fair hiring policies.

But, nothing in life is simple. Often, Ban the Box measures go beyond simply requiring employers remove the criminal history question from the job application and they include additional requirements, such as requiring:

  • Employers conduct an individualized assessment if criminal history is discovered during an background check (e.g., Austin, San Francisco, Los Angeles).
  • Employers advise the applicant the reason for their decision to not hire if it includes criminal history information (e.g., Chicago, Portland, San Francisco, Seattle, Washington, DC).
  • Employers provide a specific amount of time to allow the applicant to review and respond to criminal history information discovered as a result of a background check (e.g., Philadelphia, San Francisco).
  • Employers provide disclosures about the law (e.g., Philadelphia, San Francisco, Washington, DC).
  • Employers cannot have restrictive language in their advertisements (e.g., Seattle).
  • Important Although above bullet points cover some of the key requirements, they are not exhaustive as Ban the Box measures are similar but not identical.
  • And, and, and (yes, I meant three and’s), don’t forget that as a private employer you must also comply with the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) if you receiving background check reports from a third-party background screening company.

For employers in a jurisdiction that has a Ban the Box law it’s important to understand what your obligations are. A comprehensive background screening policy will assist any employer seeking  compliance with federal and state law.  If that is on your “to do” list for 2017, we can assist in developing policies and procedures.

Companies that transfer personal data from the European Union (“EU”) to the United States should be working toward their compliance with the EU’s General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) which will go into effect May 2018.  Oh, but how silly, that’s, like, over a year away!  Why should you care?  If you transfer personal data from the EU to the US there’s a lot to know about the GDPR and it takes time.  I’m going to focus on the Data Protection Officer (“DPO”) requirement today.

Organizations that process personal data related to EU nationals may be either a “controller” or “processor,” or both.  Let’s say you are a background screening company and you’ve been hired to conduct a background investigation or check on an individual who lives, or previously lived and worked, in the EU. You’ll very likely need to transfer data to the United States from the EU and the bottom line is that whenever an organization transfers personal data related to EU nationals to the United States, you need to consider the GDPR in order to ensure compliance.  You also need to consider whether you have a legitimate cross-border onward mechanism, but that’s for another blog posting.

Let’s talk about the DPO.  Article 37(1) of the GDPR requires the designation of a DPO by a controller or processor (i) where the processing is carried out by a public authority or body; (ii) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (iii) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (as defined in Article 9) and (or) personal data relating to criminal convictions and offenses (as described in Article 10).

Special categories of data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and information related to a person’s sex life or sexual orientation.

The DPO can be an internal employee or can be hired as an outside consultant, if you will.  The role and tasks of the DPO are described in Articles 38 and 39 of the GDPR.

And, in case you are wondering the cost of non-compliance?  It’s steep.  A violation of the obligation of a controller or processor related to the designation of a DPO can subject a company to administrative fines of up to 10 million Euros or up to 2% of the “total worldwide annual turnover of the preceding financial year.” (Article 83(4)(a)).

For recent guidelines from the Article 29 Data Protection Working Party on the role of the DPO, click here.

So, if you find your company in this situation and are doing a Google search of GDPR at this time, the privacy team here at AGG can help.  Just shoot me an email at


If your organization has been using E-Verify for more than 10 years, this posting is for you.  If you are an E-Verify Employer Agent and your cases go back over 10 years, this posting is for you.

U.S. Citizenship and Immigration Services (“USCIS”) must dispose of transaction records that are over 10 years old annually.  The next time they will do so is April of next year. Which means that employers and E-Verify Employer Agents with transaction records in E-Verify dated on or before December 31, 2006 must download these records from now through March 31, 2017 in order to have a record of such.

Historic Records Report Fact Sheet.

Instructions to download the Historic Records Report.

My firm recently hosted an event where colleagues on our retail industry team spoke about hot topics in commercial real estate.  Those of you who provide reports for tenant screening purposes may want to pass below article written by my colleague Knox Withers along to your landlord and property manager clients.

What Landlords and Property Managers Need to Know About the Americans with Disabilities Act

In recent years, there has been a proliferation of “drive-by lawsuits” involving the Americans with Disabilities Act (“ADA”). Such actions typically involve a plaintiff’s lawyer cruising around town with a disabled individual in search of retail properties whose premises are in violation of the ADA. Indeed, these lawsuits are so prevalent that 60 Minutes recently dedicated a portion of its Sunday night program to the topic. Read more.

The Federal Trade Commission (“FTC”) recently issued guidance applicable to background screening companies (aka consumer reporting agencies) who engage in tenant screening.  The FTC highlights four key responsibilities of background screening companies covered by the Fair Credit Reporting Act (“FCRA”), specifically:

  • “Follow reasonable procedures to ensure accuracy.
  • Get certifications from your clients.
  • Provide your clients with information about the FCRA.
  • Honor the rights of applicants and tenants.”

For background screening companies I encourage you to look at those responsibilities as described in the guidance carefully because the FTC opines on what “reasonable procedures to ensure accuracy” are and those should be read to apply to employment screening as well.  The FTC states, “[c]ertain practices may be indicators that a background screening company isn’t following reasonable procedures. For example, if a report lists criminal convictions for people other than the applicant or tenant – for instance, a person with a middle name or date of birth different from the applicant’s – that raises FCRA compliance concerns. Other examples that raise FCRA compliance concerns include screening reports with multiple entries for the same offense or that list criminal records that have been expunged or otherwise sealed.  Another indication that a company’s procedures might not be reasonable are reports that list housing court actions, but do not include the outcome of the action – for instance, that a case was resolved in the tenant’s favor.”

Background screeners–notice that the FTC calls out reports with multiple entries for the same offense, the reporting of expunged or sealed records, reports with no dispositions, and finally, the failure to use a middle name to ensure accuracy.

All wrapped up in a pretty little bow, just in time for the holidays and holiday hiring!  U.S. Citizenship and Immigration Services (“USCIS”) has finally issued the revised Employment Eligibility Verification form (“Form I-9”).  Remember, all employers must complete a new Form I-9 for each new hire within three business days of hire.

Here’s what you need to know about the revised form:

  • Employers must begin using the revised form exclusively by January 22, 2017.  Until then, employers may use the current version Form I-9 dated 03/08/2013 N. or begin using the new Form I-9 dated 11/14/2016 N.  You will note in the top right hand corner that the revised Form I-9 has an expiration date of 08/31/2019.
  • USCIS recently indicated on a stakeholder teleconference that they will be updating the M-274, Employer Handbook.  Look for that in the new year.
  • Substantively the Form I-9 remains the same as the prior version, although there are some exceptions.  Namely, there is a new Preparer and/or Translator Certification box in section 1.  There is also an “Additional Information” box in section 2 to add information such as employment authorization extensions for individuals eligible for Temporary Protected Status, information related to F-1 OPT STEM students, and CAP-GAP employees (for more on this box see page 11 of the Form I-9 Instructions).  To learn more about the new Form I-9, check out USCIS’s news release by clicking here

Final comment — it should be noted that stakeholders are having difficulty downloading the revised Form I-9 from the website, and for more on that click here.

Human Resources professionals have one more item to add to their compliance checklist – ensuring the lawful transfer of employee, consumer or customer personal data from the European Union (“EU”) to the United States. 

To unravel this compliance requirement let’s start with a hypothetical transfer of personal data from location A to location B for employment purposes.  Company based in Providence, Rhode Island has offices worldwide, including several in the EU.  Hiring is centralized in the United States and therefore all onboarding is conducted by Human Resources professionals in Providence.  As per company policy, the company sends all new hires an employee packet and several of the forms in the packet require the collection of personal data or information.  Personal data such as name, date of birth, address, email address, etc. For its new hires in the EU, they are asked to send the employee packet back to Providence electronically so that the information can be processed for employee benefits, payroll, and a background investigation.  Therefore, personal data is being transferred to the United States for processing.   The question is, is this legal?  Does the company in Providence, Rhode Island need to do anything from a compliance perspective?  The response to the first question is, maybe if the company has a permissible cross-border transfer mechanism in place.  The second response is, yes.  Bottom line is that any U.S. based company which operates globally has to factor in international privacy and data protection laws before transferring employee personal data from outside the United States to the United States.  

Here’s why.  In the EU it is generally prohibited to collect, use, transfer, disclose or otherwise process an individual’s personal data without justification.  In case you are wondering, what’s the European Union?  The EU is made up of 28 member countries in Europe.  It includes countries such as Austria, Belgium, France, Germany, Greece, Ireland, Italy, Spain and the United Kingdom (until they depart due to Brexit).  For a full list of member countries, click here.  

What do American companies need to do?  First, if you have offices, operations or otherwise transfer someone’s personal data from the EU to the United States you need to know that. We privacy professionals call that, mapping the data flows.  In other words, are your employees, customers, consumers sending you personal data from the EU to the United States, what data and for what purpose. 

Why should American companies care?  Because in the EU they are serious about privacy and data protection.  The Europeans would argue that they are far more serious and protective of their citizen’s privacy than the Americans.  They can and will bring enforcement actions against companies that transfer personal data outside the EU without having a permissible onward transfer mechanism.  See the most recent action by German data protection authorities by clicking here.

What’s a permissible onward transfer mechanism?  In the EU, there is a general legal framework under which companies operate which is the EU Directive 95/46/EC (“EU Directive”) and it describes how organizations can lawfully “process” personal data, meaning how they can collect, use, transfer, share, store, etc. personal data.   Generally speaking—and please note that I’m focusing only on cross-border transfers of personal data in this article—an organization cannot transfer an individual’s personal data from the EU to the United States without a lawful mechanism.   That’s right, you can’t just transfer personal data without having a plan in place.  Also, not to throw in a monkey wrench, but the EU Directive will be replaced by the General Data Protection Regulation (“GDPR”)  effective 2018, which will have stricter requirements on U.S. companies with operations in the EU, including requirements related to data breaches.

What options do American companies have to lawfully transfer personal data to the United States?  A few, actually.  One is by self-certifying with the Department of Commerce’s EU-U.S. Privacy Shield program,  instituting model contract clauses or binding corporate rules, or meeting one of the other derogations described in Article 26 of the EU Directive, such as consent of the data subject to the cross-border transfer.   There are pros and cons to each of these options and that is the subject of another discussion and greater legal analysis.  This article is intended as a primer to flag the issue of cross-border transfers of personal data from the EU to the United States and compliance considerations around such.   

If your organization transfers personal data from the EU to the United States and you would like to discuss what your legal requirements or obligations may be I am happy to have that conversation with you.  The privacy team at my firm, Arnall Golden Gregory LLP, advises companies on cross-border transfers of personal data and we would be happy to assist.