View as Web Page

Compliance News Flash – August 17, 2018

Arnall Golden Gregory LLP is pleased to provide you with the Compliance News Flash. This weekly update is your source for timely background screening and immigration-related news that is important to your organization.

  1. The Justice Department (DOJ) is underlining the importance of complying with anti-discrimination laws. Last week, DOJ reached a settlement with Indiana-based Rose Acre Farms Inc. (“Rose Acre”) one of the biggest egg producers in the country. Rose Acre allegedly violated the Immigration and Nationality Act (INA) by discriminating against work-authorized non-U.S. citizens by requiring them to present a Permanent Resident Card or an Employment Authorization Document but not requiring U.S. citizens to present specific documents when verifying their work authorization. Employees have the right to choose which form(s) of documentation they use to prove their work authorization for purposes of completing the employment eligibility verification form, the Form I-9. The INA prohibits employers from discriminating against employees based on their citizenship or national origin. To read the news release and the settlement agreement from the DOJ, click here.

  2. Background screeners, please take notice of the fact that the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) amends the Fair Credit Reporting Act (FCRA) related to security freezes. Relevant to background screeners is the fact that it also includes a new notice requirement (see § 301 of S. 2155) which must be provided to consumers when responding to a file disclosure requests pursuant to section 609 of the FCRA. The new notice will be required as of next month, September. The Bureau of Consumer Financial Protection (BCFP) is considering whether to include the language consumers must receive in the Summary of Your Rights Under the Fair Credit Reporting Act 

  3. California provides specific protections for employees who choose to change their personal information that they provided to their employer upon hire, with special protections for immigrant employees. Since 2014, employers are not allowed to fire or take any adverse action against an employee for updating their personal information such as their Social Security Number, unless it relates to the ability to perform on the job (e.g., skill set, qualifications, and job knowledge). This is to protect employees who present false identification for the employment eligibility form, the Form I-9, and later seek to amend their status/documentation. To read the law, click here. This law and the current environment are good reminders to have a company employment policy and/or practice that specifically addresses this type of situation.

  4. Those operating as processors under the Privacy Shield Program should be aware of recently released guidance related to, among other things, processors’ access obligations. The guidance poses this question, “How can a participant acting as a processor adhere to the Frameworks’ Access Principle?” The response provided is to provide “access” by putting an individual in contact with the controller, or by working together with the controller to provide access, but as prescribed by the controller. For the full explanation of processors’ responsibility under Privacy Shield, click here.

  5. Brazil’s General Data Protection Law (LGPD) was approved this week, which will implement sweeping reforms to Brazil’s existing data protection regulatory framework. Brazil is now one of 120 countries that have an adequate level of data privacy protection laws. For a summary and analysis of the LGPD, click here. Some key points of the law include:

  • Extraterritorial application – similar to the European Union’s (EU) GDPR, any foreign   company that is doing business or collecting data in Brazil is subject to the law;
  • Broad definition of personal data – any data that may allow for the identification of a person is subject to the LGPD, and sensitive data such as race, religious beliefs, or health information is subject to additional security requirements;
  • International data transfers – again, similar to the EU’s GDPR, transfers of personal data outside of Brazil will be possible but only with a valid mechanism (e.g., the data subject’s consent or standard clauses); and
  • Mandatory data breach notification – data breaches must be reported to the Data Protection Authority and, depending on the severity, also reported to the data subjects impacted by the breach.

If you have any questions or need assistance on any point raised in this Compliance News Flash please contact:

Montserrat Miller  

Montserrat C. Miller
Partner, DC Office



The information presented provides a general summary and/or recent legal and regulatory developments. It is not intended to be, and should not be relied upon as legal advice.
 ©2018. Arnall Golden Gregory LLP. All Rights Reserved. Atlanta | Washington DC

Manage your Subscription  | Forward to a Friend  | Unsubscribe