Contributed By Ruiz Moreno & Asociados
Article 52 of Mexico’s Data Protection Regulations (the 'Regulations') requires that when using cloud services, private individuals or organisations who decide over the treatment of personal data (a 'Responsible Party') must ensure that its cloud service provider at least complies with the following requirements:
The referred Article of the Regulations defines cloud computing as the external supply of on-demand computer services which implicate the provision of infrastructure, platforms or software that are distributed through a flexible mode through virtualisation processes and with dynamically shared resources.
Article 52 of the Regulations further states that Mexican regulatory agencies, within the scope of their jurisdiction and with the collaboration of Mexico’s National Institute for Information Access (or INAI), shall issue governing criteria for the processing of personal data through cloud computing.
Some regulated industries, such as telecommunications, may be subject to additional data regulations but such additional regulations do not extend to cloud services.
According to the Software Business Alliance’s Global Cloud Computing Scorecard 2018, Mexico advanced two places in its readiness to adopt cloud computing and it is now in thirteenth place out of 134 countries.
Nonetheless, certain specific issues undermine the adoption of cloud computing in Mexico, which include:
See 1.1 Laws and Regulations.
See 1.1 Laws and Regulations.
Risk and liability challenges mainly relate to possible sanctions from Mexican regulators for the provision of unlicensed services or violations of Mexico’s Fintech Law, and to liability to users in case of shutdown or financial impossibility to operate due to hefty sanctions or fines.
The main legal challenge to launch or use blockchain technology in Mexico has to do with the lack of a regulatory environment that provides legal certainty to both suppliers and users and allows blockchain-based services and other technologies to prosper.
Nevertheless, the Mexican Government is starting to provide legal certainty in new technology areas like Fintech, where Mexico’s Congress enacted a Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) on May 9, 2018.
Mexico’s Fintech Law recognises Technology Financial Institutions or ITFs, which are subject to licensing from Mexico’s Securities and Banking Commission or CNBV and which can mainly exercise three types of activities: (i) Electronic Payments, (ii) Crowdfunding, and (iii) Operations with Virtual Assets (which applies to cryptocurrencies).
This law also includes a category named “innovative models” which applies to new financial applications that must be tested in a “sandbox” before they are finally approved by the Mexican regulator; innovative models are also subject to licensing with licensing being granted for a maximum of two years.
On the other hand, Mexico’s Central Bank or BANXICO is currently working on the deployment of a technological platform called Digital Collection or “CoDi” which will use Near Field Communications Technology or QR Codes to carry out electronic payments and digital collections in real time for face-to-face and online sales.
At the time of writing, BANXICO was seeking to launch a QR sales program with Amazon using BANXICO’s CoDi platform.
Intellectual property challenges such as trademarks, copyrights and patents would be the same as for other electronic and physical business activities.
Data privacy obligations would be the same as for other electronic and physical business activities, except for Article 52 of the Regulations and Article 73 of Mexico’s Fintech Law, which further protects information and documentation used by ITFs in the provision of their services.
In addition, chapter VI of the General Provisions for Mexico’s Fintech Law requires crowd funds to designate a Chief Information Security Officer and to adopt information security procedures.
There would be no specific service levels applicable, unless the service provided belongs to a regulated industry such as Fintech.
No later than March 29, 2019, Mexico’s Commission for the Defense of Users of Financial Services (CONDUSEF) shall issue its guidelines for transparency and sound practices of ITFs.
In the case of regulated industries, most services would have to be provided by a local and duly licensed company and judgments or resolutions by competent authorities would be enforced locally.
As regards foreign-based providers, Mexican courts and authorities would in most cases have no jurisdiction to enforce their decisions.
With regard to Mexican regulation on big data, machine learning and artificial intelligence, the greatest legal challenge is that there is no specific regulatory framework that easily allows the implementation of these technologies.
Mexico’s Telecommunication Regulator (Instituto Federal de Telecomunicaciones or IFT) has promoted the discussion of these topics during the last two years but no regulation exists at this time.
Thus, except for Article 52 of the Regulations and certain industry-specific regulation, any projects relating to big data, machine learning and artificial intelligence would be subject to the same liability and insurance, data protection, intellectual property, jurisdiction and fundamental rights considerations as any regular project.
See 3.1 Big Data.
See 3.1 Big Data.
When contemplating a project with connected devices, there are no particular restrictions that can affect the project’s scope, as there is no regulation that applies to connected devices or near field communications technology in particular, although laws and regulation for spectrum use would apply.
In this case, the IFT would seek compliance with the homologation, technical norms (NOMs), interconnection, no spamming, no phishing, consumer protection, collaboration with justice, numbering, net neutrality, spectrum use and signalling regulations applicable to all electronic communications, but would not make a distinction as to whether such communications take place between users and/or connected devices (P2P, M2P, P2M, M2M).
Unlike other countries in Latin America, Mexico has no local data storage location requirements nor does it have any price restrictions, so it can be said that IT services remain mostly unregulated.
No response provided.
Mexico has an 'opt in' regime with regard to the treatment of personal data in which owners of personal data must consent to the treatment of their data through different available means, which may include a signature or a 'click'.
Unlike individuals, the Law does not recognise companies as entities that can have title to their personal data.
Thus, company data is protected by other laws such as the Industrial Property Law, the Tax Law, etc.
General processing of data is not subject to a specific regulation.
Responsible Parties that process (treat) personal data are obliged to safeguard and protect a person’s information, such as: name, address, e-mail, telephone number and any other data that serves to identify an individual.
Responsible Parties must publish a data privacy notice which must be made available to those persons whose information is collected, along with any changes to such data privacy notice.
Individuals whose personal data is collected have the right to access, rectify or cancel their information or to oppose its use (commonly known as 'ARCO Rights').
Unless expressly authorised, a Responsible Party or a third party cannot use personal data to contact the user and offer or promote products or services.
There are no restrictions on monitoring and limiting use by employees of company computer resources except for the content of private communications.
Mexico’s Telecommunications and Broadcast Law (the “Telecom Law”) is technology-neutral and, therefore, there is no regulation applicable to a specific type of technology.
Thus, the Telecom Law and its subsidiary regulations govern services, use of spectrum and licensing but not technologies.
RFID tags are not specifically regulated and tag readers normally operate in free spectrum frequency bands.
Voice-over-IP has to be provided as a regular telephone service that is subject to numbering, interconnection and signalling regulations.
There is no regulation for instant messaging, such as WhatsApp, Wechat, Snapchat, etc.
Mexico’s Telecom Law has a pro-convergence approach and, therefore, it allows licensees to provide all telecommunications services that technology allows without limiting the scope of such licence to a specific technology.
Both services and spectrum licences are granted by the IFT.
Service licences are issued through an administrative proceeding that may be filed at any time, whereas spectrum licences are granted through public auctions.
In the case of service licences or concessions, the IFT has 120 business days to rule over an application, and the processing cost for the study and issuance of such licence is approximately USD1,500.
Regarding equipment, all equipment that transmits signals through the airwaves and/or that connects to a public telecommunications network has to be homologated and, when applicable, hold a National Norm Certification.
Homologation is carried out before the IFT, which has 60 business days to rule over a homologation application. Homologation certificates can be either provisional (with a one-year validity) or permanent.
Homologation costs are approximately USD250 for a provisional certificate and USD125 for a permanent homologation certificate.
As mentioned earlier, the Telecom Law foresees the granting of universal service licences or single concessions for all kinds of services.
Thus, the licence to provide an audiovisual service such as Pay TV would be the same one as for a fixed broadband or telephony service.
That said, in the case of over-the-air TV and radio broadcast services, the Telecom Law foresees the granting of a spectrum licence that, in the case of commercial services, must be awarded through a public auction.
The proceeding and cost applicable to obtain a single or spectrum concession are the same as those mentioned in the preceding section.
With regard to online audiovisual services, currently these are not regulated and no licence is required, although, as in other jurisdictions, it is possible that online content and services will be regulated and taxed at some point in the future.
No requirements exist for online video channels.
Regarding encryption requirements, Mexico does not have a regulation or law on this matter.
Nonetheless, Article 8 of Mexico’s Advanced Electronic Signature Law recognises that the use of such signature in a document or message guarantees that it can only be encrypted and decrypted by the signer and the receiver.
Also, the IFT’s Collaboration with Justice Guidelines state that concessionaires shall guarantee that their electronic platforms use encryption tools or digital signatures to keep the confidentiality of metadata or real-time location information requested by competent authorities.
On the other hand, it is important to mention that most financial entities in Mexico, such as banks, have adopted encryption technologies in recent years as a security mechanism for financial operations and communications with their users.
Additionally, there is a Mexican Official Norm (NOM-151-SCFI-2016) which states the requirements to be observed for the preservation of data messages and document scanning. This NOM includes a provision whereby the Mexican Minister of Economy shall maintain in the Ministry’s web portal a list of cryptographic algorithms to be used for NOM compliance.
See 10.1 Legal Requirements Governing the Use of Encryption.