Contributed By Creel, García-Cuéllar, Aiza y Enríquez, S.C.
The major laws and regulations in the field are the following:
The key regulators and their respective areas of jurisdictions are the following:
Public prosecutors in Mexico are in charge of investigating and resolving cyber-related offences; a cyber police service has been created to follow up on crimes or unlawful activities committed through the internet. Complaints directed to the cyber police can be submitted via its website, by phone, or through a Twitter or email account. In addition, the Federal Police have created a scientific division called the National Centre for Cyber-incidents Response, which is focused on providing assistance to the victims or claimants of cyber threats and cyber-attacks.
The INAI is the federal authority in charge of overseeing the due observance of the data protection legislation in Mexico and is empowered to evaluate whether the incident that originated a data breach was caused by a failure of compliance or by negligence. The INAI is in charge of:
The Federal Institute for Access to Public Information and Data Protection has the following powers of enforcement:
The procedure to resolve data protection disputes is initiated by request from the data owner or his legal representative, clearly stating the content of his claim and the provisions of the law deemed violated. The data protection request must be submitted to the INAI within 15 days from the date on which the response from the data controller is communicated to the data owner. If the data owner does not receive a response from the data controller, the data protection request may be filed after the deadline for the data controller's response has passed. In this case, it is sufficient for the data owner to accompany his data protection request with the document that proves the date on which he filed the request for access, rectification, cancellation or objection (ARCO).
The data protection request will also be allowed under the same terms when the data controller does not deliver the requested personal data to the data owner, or delivers it in an incomprehensible form, refuses to make changes or corrections to personal data, or where the data owner is not satisfied with the information delivered because he considers it incomplete or not matching the information requested. Upon receipt of the data protection request by the INAI, the request is sent to the data controller so that it may issue a response, provide any evidence it deems relevant and make its formal arguments in writing within 15 days. The INAI will admit any evidence it deems relevant and introduce it. It may also request any other evidence it deems necessary from the data controller. After submission of evidence, the INAI will notify the data controller of its right to present its arguments within five days of notification, if it considers this necessary. As required under the procedure, the INAI will issue a decision on the data protection request filed, after analysing the evidence and other elements of proof it deems appropriate, such as those that arise from the hearing(s) held with the parties.
In general terms, Mexico has proper regulations on the protection of personal data and Mexican law does not differ too much from the specific provisions set forth in the EU's General Data Protection Regulation; however, there are differences that should be considered carefully.
The applicable laws detailed in 1.1 Laws are of a federal nature.
In order for the obliged parties to comply with their obligation of accountability, they may use standards, best international practices, corporate policies and any other mechanisms adequate to pursue such purpose, including self-regulation agreements. The Mexican regulator issues the parameters for self-regulation regarding personal data. Also, Mexican law allows that, in terms of protection of personal data, agents from the private and public sectors (such as companies, consumers, organisations, or public administrations) may organise, individually or collectively, the issuance of regulations on the subject through codes of good practices. In this regard, there are two types of models: pure self-regulation, where the regulation is left in the hands of the particular agent, without the slightest intervention by the State; and mixed self-regulation, where the law establishes minimum standards on personal data protection. There is therefore legislation on the matter, but it allows individuals to develop and establish their own regulation based on those standards, as long as those minimums are met, and move within that flexible framework.
The individuals and corporate bodies who are accredited as certifiers shall, as their principal duty, certify that the privacy policies, programmes and procedures voluntarily put into place by data controllers are followed in practice, and ensure proper processing and that the security measures adopted are adequate for their protection. For this purpose, certifiers may adopt mechanisms such as inspections and audits.
The Federal Law on the Protection of Personal Data Held by Private Parties includes a data controller’s obligation to notify data subjects immediately (rather than within a specific term, as under the GDPR) of a breach that may significantly affect their economic or moral rights, but no requirement to notify the federal regulator is set forth in the relevant law. In this regard, it will be up to data controllers to decide whether to notify data subjects; to that end, a data controller would consider the sensitivity of the personal data compromised in the breach and to what extent its misuse could affect data subjects from an economic and moral perspective.
During the last year, there have not been any material amendments or developments to the data protection and access to information laws.
In 2017, the Peña Nieto Administration acquired a surveillance software called Pegasus, which was allegedly used by the PGR to spy on journalists, activists and human rights advocates.
Among other authorities and proceedings, the INAI conducted a software verification process, as a result of which the INAI determined that the PGR did not comply with the security and responsibility duties to process and transfer personal data set forth in the Federal Law on the Protection of Personal Data in Possession of Regulated Entities, since the software was being used to collect personal data and generate databases for storage, without having a proper management system and security logbook for such purposes. In addition, the PGR did not undertake adequate procedures to carry out the safe deletion of the data after such software’s uninstallation. Therefore, as a result of the verification process, the INAI instructed the PGR to prove that the Pegasus software has been de-installed, as well as the measures taken to guarantee that it is not feasible to reinstall it.
The appointment of a data protection officer is mandatory; failure to do so is not specifically sanctioned by applicable law but may be interpreted as improper or illegal data processing.
Data controllers are accountable at every stage of personal data processing required for the conduct of the business and have the following main legal obligations.
Fair processing notice (drafting and delivery of a privacy notice to each data subject) is one of the key obligations imposed on data controllers under the law and must be drafted in three formats, depending on the delivery method:
The terms 'privacy by design' and 'by default' are not specifically set forth in Mexican law.
The need to conduct privacy impact analyses is suggested in the applicable parameters and guidelines issued by the authority.
A data controller is allowed, but not required, to comply with the accountability principle.
A data subject’s rights provided by Mexican law refer only to the rights to access, rectify, cancel and object to the processing of their personal data (ARCO rights). Mexican law does not specifically provide for portability.
Mexican laws provide for dissociation, understood as the procedure through which personal data cannot be associated with the data owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
Mexican law provides for cloud computing, understood as a model for the external provision of computer services on demand that involves the supply of infrastructure, a platform or software distributed in a flexible manner, using virtual procedures, on resources dynamically shared. Regulatory agencies, within the scope of their authority and assisting the INAI, shall issue guidelines for the proper processing of personal data in cloud computing.
According to Mexican law, 'harm' refers to any damage suffered by data subjects to their property or rights, because of a misuse of their data or breach of law.
The term 'sensitive personal data' is defined as all personal data touching on the most private areas of the data owner's life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered that which may reveal items such as racial or ethnic origin; present and future health status; genetic information; religious, philosophical and moral beliefs; union membership; political views; and sexual preference.
In general terms, financial or asset data will require the express consent of the data owner for processing; however, it is not necessarily considered sensitive data.
Health data is considered sensitive data.
The constitutional right of inviolability protects private communications; in some cases, private communications may contain personal data or sensitive personal data, the processing of which should also abide by the principles of the related privacy law.
Other Categories of Sensitive Data
Mexican law includes as sensitive personal data racial or ethnic origin; present and future health status; genetic information; religious, philosophical and moral beliefs; union membership; political views; and sexual preference.
Please refer to the comments above on the constitutional right of inviolability of private communications, which also apply to text messaging.
Guidelines applicable to the preparation of the privacy notice require data subjects to be informed of any technology that allows the automatic collection of PI simultaneously to the first contact with the individuals and the provision of mechanisms to collect consents through opt-in mechanisms, and how to deactivate said technology. There is no distinction in Mexican law between cookies, beacons and tracking technologies, all of which are included within the term 'cloud computing'.
Privacy policies are required and, according to Mexican consumer protection provisions, they will be legally regulated under the provisions applicable to adhesion contracts.
Mexican law is silent about whether consent is required for behavioural advertising, but, in general, consent will be required for the processing of personal data related to behavioural advertising as long as such data could be linked to an identified or identifiable individual.
Video and television
The same comments provided above regarding consent required for behavioural advertising apply.
Social media, search engines and large online platforms
The previous comments provided in this section regarding the internet apply indistinctly to social media, search engines and large online platforms.
Mexican law provides for the right of erasure as an ARCO right.
In terms of hate speech, disinformation, abusive material and political manipulation, the speech is usually analysed by means of provisions addressing the constitutional right of expression.
Mexican law does not specifically address data portability.
The Mexican Privacy Law does not provide for children’s rights on this topic, but some aspects might be found in the General Law of Children's and Teenagers’ Rights. Mexico should also abide by international treaties intended to protect childhood.
Educational or school data is considered sensitive information as long as it can be linked to an identified or identifiable individual.
Data privacy law provides that processing for marketing, advertising or commercial promotion purposes needs to be expressly and specifically included as one of the 'purposes of processing' in the privacy notice. The Federal Consumer Protection Law, on the other hand, provides for an opt-out system. It states the possibility for the consumer to demand directly from specific suppliers and companies that use their information for advertising purposes not to be bothered at their address, workplace, electronic address or through any other means to be offered goods, products or services, as well as to send no advertising. Likewise, the consumer may demand at all times from suppliers and companies that use their information for marketing or advertising purposes not to assign or transfer their information to third parties, except when such assignment or transfer is determined by a judicial authority. Finally, the Federal Law to Protect and Defend Users of Financial Services provides that regulated financial institutions shall not contact their consumers for marketing or advertising purposes when they have expressly asked not to be contacted or if they are registered with the specific registry of the National Commission for the Defence of Financial Consumers. This law also provides for an opt-out system.
See 2.2 Sectoral Issues regarding data processing within the internet environment.
When determining the amount of fines for violations of privacy laws, regulators shall consider the following factors:
Penalties vary from a warning notice to fines ranging from 100 to 320,000 days of the minimum daily wage in Mexico City, to imprisonment ranging from three months to five years. These penalties may be doubled in the case of sensitive personal data.
The adoption of a self-regulatory scheme under the Parameters for Mandatory Self-Regulation can be used as evidence of compliance with the applicable law and the regulation, and may help to reduce any sanctions should a breach occur.
The principal laws containing the standards for access to data for serious crimes are the Federal Law on the Protection of Personal Data Held by Private Parties, the Federal Law on the Protection of Personal Data in Possession of Regulated Entities and the Federal Criminal Code. The principles and rights provided for in law shall be limited in terms of their observance and exercise, the protection of national security, public order, public safety and health, as well as the rights of third parties.
There are no specific provisions in this regard in the applicable legislation.
A data controller has to comply with the following requisites before transferring data to a data processor:
Contractual provisions, corporate rules and consent are the key aspects to proceed with international data transfers unless exceptions arise.
There are no government notifications or approvals required to transfer data internationally in accordance with the Mexican Privacy Law, only those required to be obtained from data subjects.
Cross-border data transfer can be performed without obtaining consent from data subjects if the reason to transfer data internationally falls into the following cases:
See 4.4 Data Localisation Requirements.
Permission to use big data and analytics is not provided for in the Mexican Privacy Law.
See 1.1 Laws.
By interpretation of the Mexican Constitution, organisations must co-operate with government agencies regarding data security incidents; however, no law establishes specific requirements to report incidents or potential incidents.
Public prosecutors in Mexico are in charge of investigating and resolving cyber activities and monitoring networks for cyber-security.
Additional provisions are expected that will regulate, in greater depth, data privacy issues related to cloud computing. Under Mexican regulations, data controllers should only use services that ensure the proper protection of the personal data they gather. Considering that cloud computing is a model for the external provision of computer services on demand that involves the supply of infrastructure, a platform or software distributed in a flexible manner, using virtual procedures, on resources dynamically shared, a data controller should enter into service agreements with at least the following contractual conditions for the service provider:
In addition, the service provider should have mechanisms in place at least for:
Pedregal 24, Piso 24
Col. Molino del Rey
Ciudad de México
+52 55 4748 0600
+52 55 4748 0670
www.creel.mx