Data Protection & Cybersecurity 2019 Comparisons

Last Updated May 08, 2019

Law and Practice

Author



Creel, García-Cuéllar, Aiza y Enríquez, S.C. is a leading full-service corporate law firm, specialising in all practice areas, with an unwavering commitment to excellence. We have an established reputation for delivering creative, specialised and responsive legal advice on the most complex and innovative matters in Mexico for the most sophisticated and demanding clients. Our practice is based on the philosophy that a client is best served by legal advice designed to anticipate and avoid problems, rather than respond to them. Our goal is to be the law firm of choice for clients with the most demanding transactions and projects and, in this endeavour, become a strategic service-provider to them, by offering the type of legal advice that gives clients certainty and peace of mind.

The major laws and regulations in the field are the following:

  • the Mexican Constitution;
  • the Federal Law against Organised Crime;
  • the Federal Telecommunications and Broadcasting Law;
  • the Federal Law on the Protection of Personal Data Held by Private Parties and regulations, recommendations, guidelines and similar regulations on data protection;
  • the Federal Law on the Protection of Personal Data in Possession of Regulated Entities;
  • the Federal Law on Transparency and Access to Public Information;
  • the General Law on Transparency and Access to Public Information;
  • general standards such as the Mexican official standard regarding the requirements that shall be observed when keeping data messages;
  • the Law on Negotiable Instruments and Credit Operations;
  • the Mexican Federal Tax Code;
  • the Credit Institutions Law;
  • the Sole Circular for Banks;
  • the Industrial Property Law;
  • the Mexican Copyright Law;
  • the Federal Criminal Code; and
  • the General Law on the National System of Federal Public Security.

The key regulators and their respective areas of jurisdiction are the following:

  • the Attorney General's Office (PGR);
  • public prosecutors;
  • the National Institute for Access to Public Information and Data Protection (INAI); and
  • the Federal Telecommunications Institute (IFT).

Public prosecutors in Mexico are in charge of investigating and resolving cyber activities; a cyber police service has been created to follow up on crimes or unlawful activities committed through the internet. Complaints directed to the cyber police can be submitted via its website, by phone, or through a Twitter or email account. In addition, the Federal Police have created a scientific division called the National Centre For Cyber-incidents Response, which is focused on providing assistance to the victims or claimants of cyber threats and cyber-attacks.

The INAI is the federal authority in charge of overseeing the due observance of the data protection legislation in Mexico and is empowered to evaluate if the incident that originated a data breach was caused by a failure of compliance or negligence. The INAI is in charge of:

  • guaranteeing people's right of access to public government information;
  • protecting personal data in possession of the federal government and individuals; and
  • resolving denials of access to information that the dependencies or entities of the federal government have formulated.

The Federal Institute for Access to Public Information and Data Protection has the following powers of enforcement:

  • the power to resolve data protection disputes;
  • the power to conduct verification procedures; and
  • the power to enforce penalty application proceedings and impose sanctions for infringements of the Federal Personal Data Law.

The procedure to resolve data protection disputes will be initiated by request from the data owner or his legal representative, clearly stating the content of his claim and the provisions of the law deemed violated. The data protection request must be submitted to the INAI within 15 days from the date on which the response from the data controller is communicated to the data owner. In the event that the data owner does not receive a response from the data controller, the data protection request may be filed after the deadline for the data controller's response has passed. In this case, it will be sufficient for the data owner to accompany its data protection request with the document that proves the date on which he filed the request for access, rectification, cancellation or objection (ARCO).

The data protection request will also be allowed under the same terms when the data controller does not deliver the requested personal data to the data owner, or delivers it in an incomprehensible form, refuses to make changes or corrections to personal data, or where the data owner is not satisfied with the information delivered since he considers it is incomplete or does not match the information requested. Upon receipt of the data protection request by the INAI, said request will be sent to the data controller for said controller to issue a response, provide any evidence it deems relevant and make its formal arguments in writing within 15 days. The INAI will admit any evidence it deems relevant and introduce it. It may also request any other evidence it deems necessary from the data controller. After submission of evidence, the INAI will notify the data controller of its right to present its arguments within five days of notification, if it so considers necessary. As required under the procedure, the INAI will issue a decision on the data protection request filed, after analysing the evidence and other elements of proof it deems appropriate, as may be those that arise from the hearing(s) held with the parties.

In general terms, Mexico has proper regulations on the protection of personal data and Mexican law does not differ too much from the specific provisions set forth in the EU's General Data Protection Regulation; however, there are differences that should be considered carefully.

The applicable laws detailed in 1.1 Laws are of a federal nature.

In order for the obliged parties to comply with their obligation of accountability, they may use standards, best international practices, corporate policies and any other mechanisms adequate to pursue such purpose, including self-regulation agreements. The Mexican regulator issues the parameters for self-regulation regarding personal data. Also, Mexican law allows that, in terms of protection of personal data, agents from the private and public sectors (such as companies, consumers, organisations, or public administrations) may organise, individually or collectively, the issuance of regulations on the subject through codes of good practices. In this regard, there are two types of models: pure self-regulation, where the regulation is left in the hands of the particular agent, without the slightest intervention by the State; and mixed self-regulation, where the law establishes minimum standards on personal data protection. There is therefore legislation on the matter, but it allows individuals to develop and establish their own regulation based on those standards, as long as those minimums are met, and move within that flexible framework.

The individuals and corporate bodies who are accredited as certifiers shall, as their principal duty, certify that the privacy policies, programmes and procedures voluntarily put into place by data controllers are followed in practice, and ensure proper processing and that the security measures adopted are adequate for their protection. For this purpose, certifiers may adopt mechanisms such as inspections and audits.

The Federal Law on the Protection of Personal Data Held by Private Parties includes a data controller’s obligation to notify immediately (instead of within a specific term, as in the GDPR) a breach to data subjects that may significantly affect their economic or moral rights, but no requirement to notify the federal regulator is set forth in the relevant law. In this regard, it will be up to data controllers to decide whether to notify data subjects; to that end, a data controller would consider the sensitivity of the personal data compromised in the breach and to what extent its misuse could affect data subjects from an economic and moral perspective.

During the last year, there have not been any material amendments or developments to the data protection and access to information laws.

In 2017, the Peña Nieto Administration acquired a surveillance software called Pegasus, which was allegedly used by the PGR to spy on journalists, activists and human rights advocates.

Among other authorities and proceedings, the INAI conducted a software verification process, as a result of which the INAI determined that the PGR did not comply with the security and responsibility duties to process and transfer personal data set forth in the Federal Law on the Protection of Personal Data in Possession of Regulated Entities, since the software was being used to collect personal data and generate databases for storage, without having a proper management system and security logbook for such purposes. In addition, the PGR did not undertake adequate procedures to carry out the safe deletion of the data after such software’s uninstallation. Therefore, as a result of the verification process, the INAI instructed the PGR to prove that the Pegasus software has been de-installed, as well as the measures taken to guarantee that it is not feasible to reinstall it.

The appointment of a data protection officer is mandatory; failure to do so is not specifically sanctioned by applicable law but may be interpreted as improper or illegal data processing.

Data controllers are accountable at every stage of personal data processing required for the conduct of the business and have the following main legal obligations.

  • Delivery of privacy notice – data controllers must deliver a privacy notice to all data subjects from which they process personal data, including customers, employees, suppliers, independent contractors and visitors. Such privacy notice must include all requirements set forth in the law and may be delivered in written, verbal or electronic form. Moreover, in the event that the data controller (i) will transfer personal data to third parties and (ii) uses sensitive personal data, the privacy notice must expressly indicate so.
  • Consent from individuals – as a general rule, businesses must obtain the consent of data subjects to process their personal data. Depending on the type of data, the consent required may be express (opt-in) or implied (opt-out); simple personal data requires implied consent, while sensitive personal data and financial or wealth-related data require express consent. Even when express consent is not required, however, businesses are required to deliver the privacy notice and to comply with the other provisions of the law. Under the law, consent is deemed implied when a data subject does not object to the processing of his personal data once a privacy notice has been furnished.
  • Use of personal data – businesses should only use personal data for the purposes outlined in the privacy notice. If they intend to use the data for a different purpose, renewed consent from the relevant data subject will be required.
  • Sensitive personal data – businesses should not create databases containing sensitive personal data, unless it is necessary for purposes that are legitimate and in line with their activities.
  • Quality of information – businesses should maintain personal data that is accurate and up to date. Also, they are required to eliminate data when it is no longer necessary for the purposes specified in the privacy notices delivered to the data subjects.
  • Security measures – as specified above, data controllers must implement administrative, physical and technical security measures to protect personal data against loss, theft or unauthorised use and must inform data subjects of any security breach. Such measures shall not be fewer than those used by data controllers to process their own information.
  • Rights of data subjects – data subjects shall have ARCO rights, which must be clearly stated in the privacy notice.
  • Appointment of privacy officer or department – businesses must appoint a person or department who will address the petitions submitted by data subjects to defend their ARCO rights and promote the protection of personal data within the organisation.

Fair processing notice (drafting and delivery of a privacy notice to each data subject) is one of the key obligations imposed on data controllers under the law and must be drafted in three formats, depending on the delivery method:

  • full privacy notice (delivered personally to the data subject);
  • simplified privacy notice (delivered directly to data subjects, using remote mechanisms); and
  • abbreviated privacy notice (delivered to data subjects through written mechanisms).

The terms 'privacy by design' and 'by default' are not specifically set forth in Mexican law.

The need to conduct privacy impact analyses is suggested in the applicable parameters and guidelines issued by the authority.

A data controller is allowed, but not required, to comply with the accountability principle.

A data subject’s rights provided by the Mexican law refer only to the rights to access, rectify, cancel and oppose to the processing of their personal data (ARCO rights). Mexican law does not specifically provide portability.

Mexican laws provide for dissociation, understood as the procedure through which personal data cannot be associated with the data owner, nor allow, by way of its structure, content or degree of disaggregation, the identification of the data owner.

Mexican law provides for cloud computing, understood as a model for the external provision of computer services on demand that involves the supply of infrastructure, a platform or software distributed in a flexible manner, using virtual procedures, on resources dynamically shared. Regulatory agencies, within the scope of their authority and assisting the INAI, shall issue guidelines for the proper processing of personal data in cloud computing.

According to Mexican law, 'harm' refers to any damage suffered by data subjects to their property or rights, because of a misuse of their data or breach of law.

The term 'sensitive personal data' is defined as all personal data touching on the most private areas of the data owner's life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, data that may reveal items such as racial or ethnic origin; present and future health status; genetic information; religious, philosophical and moral beliefs; union membership; political views; and sexual preference is considered sensitive.

Financial Data

In general terms, financial or asset data will require the express consent of the data owner for processing; however, it is not necessarily considered sensitive data.

Health Data

Health data is considered sensitive data.

Communications Data

The constitutional right of inviolability protects private communications. In some cases, private communications may contain personal data or sensitive personal data, the processing of which should also abide by the principles of the related privacy law.

Other Categories of Sensitive Data

Mexican law includes as sensitive personal data racial or ethnic origin; present and future health status; genetic information; religious, philosophical and moral beliefs; union membership; political views; and sexual preference.

Voice telephony

Please refer to the comments above on the constitutional right of inviolability of private communications, which also apply to text messaging.

Guidelines applicable to the preparation of the privacy notice require data subjects to be informed of any technology that allows the automatic collection of PI at the moment of first contact with the individuals, of the mechanisms provided to collect consent through opt-in mechanisms, and of how to deactivate said technology. There is no distinction in Mexican law between cookies, beacons and tracking technologies, all of which are included within the term 'cloud computing'.

Internet

Privacy policies are required and, according to Mexican consumer protection provisions, they will be legally regulated under the provisions applicable to adhesion contracts.

Mexican law is silent about whether consent is required for behavioural advertising, but, in general, consent will be required for the processing of personal data related to behavioural advertising as long as such data could be linked to an identified or identifiable individual.

Video and television

The same comments provided above regarding consent required for behavioural advertising apply.

Social media, search engines and large online platforms

The previous comments provided in this section regarding the internet apply indistinctly to social media, search engines and large online platforms.

Mexican law provides for the right of erasure as an ARCO right.

In terms of hate speech, disinformation, abusive material and political manipulation, the speech is usually analysed by means of provisions addressing the constitutional right of expression.

Mexican law does not specifically address data portability.

Children’s privacy

The Mexican Privacy Law does not provide for children’s rights on this topic, but some aspects might be found in the General Law of Children's and Teenager’s Rights. Mexico should also abide by international treaties intended to protect childhood.

Educational or school data is considered sensitive information as long as it can be linked to an identified or identifiable individual.

Data privacy law provides that processing for marketing, advertising or commercial promotion purposes needs to be expressly and specifically included as one of the 'purposes of processing' in the privacy notice. The Federal Consumer Protection Law, on the other hand, provides for an opt-out system. It states the possibility for the consumer to demand directly from specific suppliers and companies that use their information for advertising purposes not to be bothered at their address, workplace, electronic address or through any other means to be offered goods, products or services, as well as to send no advertising. Likewise, the consumer may demand at all times from suppliers and companies that use their information for marketing or advertising purposes not to assign or transfer their information to third parties, except when such assignment or transfer is determined by a judicial authority. Finally, the Federal Law to Protect and Defend Users of Financial Services provides that regulated financial institutions shall not contact their consumers for marketing or advertising purposes when they have expressly asked not to be contacted or if they are registered with the specific registry of the National Commission for the Defence of Financial Consumers. This law also provides for an opt-out system.

See 2.2 Sectoral Issues regarding data processing within the internet environment.

When determining the amount of fines for violations of privacy laws, regulators shall consider the following factors:

  • the nature of the personal data (that is, whether the data is sensitive personal data);
  • whether the infringer had ignored the data subject's initial rejection for collection and processing of the data;
  • whether the infringement was intentional or caused by omission;
  • the economic capacity of the infringer;
  • whether the infringer has previously been found guilty of the same offence; and
  • potential enforcement penalties.

Penalties vary from a warning notice to fines ranging from 100 to 320,000 days of the minimum daily wage in Mexico City, to imprisonment ranging from three months to five years. These penalties may be doubled in the case of sensitive personal data.

The adoption of a self-regulatory scheme under the Parameters for Mandatory Self-Regulation can be used as evidence of compliance with the applicable law and the regulation, and may help to reduce any sanctions should a breach occur.

The principal laws containing the standards for access to data for serious crimes are the Federal Law on the Protection of Personal Data Held by Private Parties, the Federal Law on the Protection of Personal Data in Possession of Regulated Entities and the Federal Criminal Code. The principles and rights provided for in law shall be limited in terms of their observance and exercise, the protection of national security, public order, public safety and health, as well as the rights of third parties.

The principal laws containing the standards for access to data for serious crimes are the Federal Law on the Protection of Personal Data Held by Private Parties, the Federal Law on the Protection of Personal Data in Possession of Regulated Entities and the Federal Criminal Code.

There are no specific provisions in this regard in the applicable legislation.

A data controller has to comply with the following requisites before transferring data to a data processor:

  • data controllers must obtain the consent of the data subjects to transfer their personal data;
  • the data controller must communicate the privacy notice to the data processor; and
  • the data processor must assume the same obligations that correspond to the data controller.

Contractual provisions, corporate rules and consent are the key aspects to proceed with international data transfers unless exceptions arise.

There are no government notifications or approvals required to transfer data internationally in accordance with the Mexican Privacy Law, only those required to be obtained from data subjects.

Cross-border data transfer can be performed without obtaining consent from data subjects if the reason to transfer data internationally falls into the following cases:

  • when the data relates to the parties of a private or administrative contract or partnership agreement and is necessary for its performance and enforcement;
  • the law requires that the data shall be processed;
  • such action hinders judicial or administrative proceedings relating to tax obligations, investigation and prosecution of crimes, or updating of administrative sanctions;
  • it is necessary to protect legally the interests of the data owner;
  • it is necessary to carry out an action in the public interest;
  • it is necessary to fulfil an obligation legally undertaken by the data owner; and
  • the data is subject to processing for medical diagnosis or prevention, or health services management, provided that such processing is done by a health professional subject to a duty of secrecy.

See 4.4 Data Localisation Requirements.

Permission to use big data and analytics is not provided for in the Mexican Privacy Law.

See 1.1 Laws.

By interpretation of the Mexican Constitution, organisations must co-operate with government agencies regarding data security incidents; however, no law establishes specific requirements to report incidents or potential incidents.

Public prosecutors in Mexico are in charge of investigating and resolving cyber activities and monitoring networks for cyber-security.

Additional provisions are expected that will regulate, in a deeper sense, data privacy issues related to cloud computing. Under Mexican regulations, data controllers should only use services that ensure the proper protection of the personal data they gather. Considering that cloud computing is a model for the external provision of computer services on demand that involves the supply of infrastructure, a platform or software distributed in a flexible manner, using virtual procedures, on resources dynamically shared, a data controller should enter into service agreements with at least the following contractual conditions for the service-provider:

  • it shall use similar policies to protect personal data as those reflected in Mexican law;
  • if the service provided involves subcontracting, such provisions should be transparent;
  • it should not assume any ownership on the information about which the service is provided; and
  • it should maintain confidentiality with respect to the personal data about which it provides the service.

In addition, the service-provider should have mechanisms in place at least for:

  • disclosing changes in its privacy policies and the services provided;
  • permitting the data controller to limit the type of processing of personal data included in the service provided;
  • establishing and maintaining adequate security measures to protect data included in the service provided;
  • ensuring the suppression of data after the service has been provided;
  • impeding access by those who do not have authorised access and informing the data controller if there is an official request for data from a competent authority; and
  • informing the data controller about events of breach, immediately after their occurrence, and providing the data controller with all necessary information to assess the extent of the harm caused by the breach, in accordance with Mexican legal provisions.
Creel, García-Cuéllar, Aiza y Enríquez, S.C.

Torre Virreyes
Pedregal 24, Piso 24
Col. Molino del Rey
Ciudad de México
Mexico 11040

+52 55 4748 0600

+52 55 4748 0670

www.creel.mx