View as Web Page

Compliance News Flash – September 27, 2019

Arnall Golden Gregory LLP is pleased to provide you with the Compliance News Flash, which includes current news briefs relevant to background screening, immigration and data privacy, for the benefit and interest of our clients as well as employers and consumer reporting agencies generally.

  • Yahoo expects to pay $117.5 million to settle a data breach class action lawsuit over four separate data breach events that occurred between 2012 and 2016. The breaches exposed the sensitive personal information of over a billion user accounts including user names, passwords, email addresses, birthdays, phone numbers, and security questions and answers. User credit card and bank account data were not exposed. Claims brought against Yahoo included negligence, breach of contract, invasion of privacy, and violation of various consumer protection laws including California’s Unfair Competition Law and Customer Records Act. Click here to read more.

  • An administrative law judge (ALJ) ordered a cleaning service to pay almost $1.2 million in civil penalties for employment eligibility verification form violations. The company was missing the Forms I-9 of 224 employees. Additionally, it had not completed the Forms I-9 of 102 employees within three days of hiring, as required by law. In fact, it had completed some of the forms after being served with Notice of Inspection from the Immigration and Customs Enforcement (ICE). Finally, the Forms I-9 of 329 of the company’s employees were found to be incomplete due to blank pages, missing pages, missing signatures, lack of indication that work authorization was checked, and missing alien registration numbers. The ALJ found the company’s bad faith in hastily completing and backdating some of its Forms I-9 to be an aggravating factor that impacted the size of the fine. Click here to read the Final Decision and Order.  

  • Worksite ICE inspections of STEM OPT employment. Based on the few inspections conducted so far, the length of the site visits appears to be between 1 and 2 hours. Also, ICE has typically been providing two days’ notice via email to the STEM OPT student’s manager, however, we do not expect ICE to give notice if the site visit is based on a complaint. According to the Department of Homeland Security (DHS), the purpose of these visits is to ensure that students are engaged in work-based learning experiences that are consistent with the information supplied on the student’s Form I-983 which outlines the student’s training program. Click here to read more.

  • The Fairness for High-Skilled Immigrants Act (H.R. 1044), which passed in the House in July, has been referred to the Senate Judiciary Committee. The bipartisan bill will eliminate the per-country limitation on green cards for employment-based immigrants. Opponents of the bill argue that the per-country cap should not be eliminated because it ensures that employment-based visas are available to a global talent pool, rather than monopolized by a few countries. Ira Kurzban believes that the bill’s supporters have mistakenly assumed that the backlog of Indian nationals working in the tech sector waiting for green cards is due to the per-country cap, when, in reality, the overall number of employment-based green cards available is simply not high enough. Kurzban, as well as stakeholders such as the American Hospital Association, have expressed their concern that the bill will eliminate the availability of visas for highly skilled workers outside the tech industry in areas like healthcare and medical research.  In an attempt to help alleviate this objection, an amendment to the bill which provides a carve-out for foreign nurses has been proposed. Click here for the text of the bill. Click here to read more of Kurzban’s commentary.

  • The ECJ issued a judgment holding that GDPR’s “right to be forgotten” is limited in scope to the European Union (EU). The European Court of Justice (ECJ) held that, when responding to EU subjects’ requests that Google remove certain search results containing their sensitive personal information (referred to as “de-referencing requests”), Google need only remove the search results from its country-specific sites located within the EU, not globally. In the decision, the ECJ reasons that under GDPR Article 3, Google is “established” in the EU and therefore falls within the territorial scope of the GDPR. However, the Court then goes on to consider the fact that different countries have struck their own balance between an individual’s right to privacy and the public’s right to information, resulting in different laws. Therefore, the court decides, there is “currently no obligation under EU law, for a search engine operator to carry out de-referencing on…versions of the search engine [outside the EU].” However, the court adds the caveat that “a supervisory or judicial authority of a Member State remains competent to…order, where appropriate, the operator of [a] search engine to carry out a de-referencing concerning all versions of [a] search engine.” It now remains to be seen whether this decision is a one-off or whether it means the court will continue to limit the extraterritorial scope of GDPR. Click here to read the ECJ’s decision.


If you have any questions or need assistance on any point raised in this Compliance News Flash please contact:


Montserrat Miller

Montserrat C. Miller
Partner, Atlanta Office


Erin E. Doyle
Law Clerk, Atlanta Office



The information presented provides a general summary and/or recent legal and regulatory developments. It is not intended to be, and should not be relied upon as legal advice.
 ©2019. Arnall Golden Gregory LLP. All Rights Reserved. Atlanta | Washington DC

Manage your Subscription  | Forward to a Friend  | ##UNSUBSCRIBE_TEXT##