Contributed By Ruiz Moreno & Asociados
Laws and Regulations in Relation to the Cloud
In general, Mexico has no laws or regulations that impose limitations on the entrusting of certain processes or data to the cloud.
Article 52 of Mexico’s Data Protection Regulations (the “Regulations”) requires that, when using cloud services, private individuals or organisations who decide the treatment of personal data (a “Responsible Party”) must ensure that their cloud service provider meets at least the following requirements:
The cited article of the Regulations defines “cloud computing” as the external supply of on-demand computer services that implicate the provision of infrastructure, platforms or software that are distributed through a flexible mode and virtualisation processes with dynamically shared resources.
Article 52 of the Regulations further states that Mexican regulatory agencies, within the scope of their jurisdiction and with the collaboration of Mexico’s National Institute for Information Access (INAI), shall issue governing criteria for the processing of personal data through cloud computing.
In July 2019, INAI issued its Minimum Standards for the Contracting of Cloud Computing Services that Involve the Processing of Personal Data (the “Standards”).
The Standards are not mandatory for cloud computing service providers, and only offer general recommendations to users who seek to safeguard their personal data.
The Standards’ main recommendations to cloud service users include the following:
Specific Industries with Greater Regulation
Some regulated industries, like fintech and telecommunications, may be subject to additional data regulations, but such additional regulations do not extend specifically to cloud services.
The Processing of Personal Data in the Context of the Cloud
According to the Software Business Alliance’s latest Global Cloud Computing Scorecard (2018), Mexico advanced two places in its readiness to adopt cloud computing and is now in 13th place out of 134 countries.
Nonetheless, certain specific issues undermine the adoption of cloud computing in Mexico, including:
The main legal challenges to launching or using blockchain technology in Mexico concern the following:
On 9 May 2018, the Mexican Government enacted Mexico’s Fintech Law (the “Fintech Law” / Ley para Regular las Instituciones de Tecnología Financiera), which promotes the use of new technologies for the provision of financial services. Mexico’s Fintech Law recognises Technology Financial Institutions (ITFs), which are subject to licensing from Mexico’s Securities and Banking Commission (CNBV).
Under Mexico’s Fintech Law, ITFs can mainly exercise three types of activities: electronic payments, crowd funding, and operations with virtual assets (which applies to cryptocurrencies).
The Fintech Law also includes a category named “innovative models”, which applies to new financial applications that must be tested in a “sandbox” before they are finally approved by the CNBV; innovative models are also subject to licensing, with licensing being granted for a maximum of two years.
Mexico’s Fintech Law gives fintech companies that are already operating a term of 12 months to file for an ITF licence, provided that they had been operating during the last 18 months.
This 12-month period came into effect as of 25 September 2018, after the CNBV published its General Provisions applicable to the operation of ITFs under the Fintech Law.
In addition, on 8 March 2019, Mexico’s Central Bank issued its resolution number 4/2019, which referred to the risks associated with operations with virtual assets (cryptocurrencies) and imposed additional requirements on their operation.
All of the above could be responsible for the fact that only a few ITF licence applications have been filed; according to the CNBV, only 85 ITF licence applications were presented, 60 of which referred to crowd funding licences and 25 to electronic payments.
Notwithstanding the above, in 2019 Mexico’s Central Bank launched a technological platform called Digital Collection (or CoDi), which uses QR Codes and NFC technology to carry out electronic payments and digital collections in real time for face-to-face and online sales, thus evidencing the interest of Mexico’s Central Bank in promoting the adoption of new technologies and the digitalisation of payments.
Also, Mexico’s Ministry of Finance and Tax Administration Service and Mexico’s Banks Association announced that, from 2020, payments made with credit or debit cards will allow the automatic issuance of a tax invoice using the card holder’s tax number, which will be recorded in the card’s chip, whereas payment terminals will have real-time communication with Mexico’s Tax Administration Service for the validation of tax information and records prior to the issuance of such invoice.
Risk and Liability
Risk and liability challenges relate mainly to possible sanctions from Mexican regulators for the provision of unlicensed financial services that make use of blockchain or for violations of Mexico’s Fintech Law, and to liability towards users in the event of a shutdown or a financial inability to operate due to hefty sanctions.
Intellectual property challenges relating to trade marks, copyrights and patents would be the same as for other electronic and physical business activities.
Data privacy obligations would be the same as for other electronic and physical business activities, except Article 52 of the Regulations and Article 73 of Mexico’s Fintech Law further protect information and documentation used by ITFs in the provision of their services.
In addition, chapter VI of the General Provisions for Mexico’s Fintech Law requires crowd funds to designate a Chief Information Security Officer and to adopt security information procedures.
There are no specific service levels applicable to blockchain.
In the case of regulated industries, most services would have to be provided by a local and duly licensed company, and judgments or resolutions by competent authorities would be enforced locally.
Regarding foreign-based providers, Mexican courts and authorities would – in most cases – have no jurisdiction to enforce their decisions.
The biggest legal challenge relating to big data, machine learning and artificial intelligence is that there is no specific regulatory framework that easily allows the implementation of these technologies.
Mexico’s Telecommunication Regulator (Instituto Federal de Telecomunicaciones – IFT) has promoted the discussion of these topics during the last three years but no regulation exists at this time.
Therefore, except for Article 52 of the Regulations and certain industry-specific regulations, any projects relating to big data, machine learning and artificial intelligence would be subject to the same liability and insurance, data protection, intellectual property, jurisdiction and even fundamental rights considerations as any regular project.
When contemplating a project with connected devices, there are no particular restrictions that can affect the project’s scope, as there is no regulation that currently applies to connected devices technology in particular.
In this case, the IFT would seek compliance with the homologation, interconnection, no spamming, no phishing, consumer protection, collaboration with justice, numbering, net neutrality, spectrum use and signalling regulations applicable to all electronic communications, but would not make a distinction as to whether such communications take place between users and/or connected devices (P2P, M2P, P2M, M2M).
In addition, the IFT recently published its draft Network and Traffic Management Guidelines (the “Guidelines”) for public consultation, which shall apply to Internet Service Providers (ISPs) once approved.
The Guidelines are intended to ensure net neutrality and that ISPs establish general network traffic policies that comply with the following requirements:
On the other hand, the Guidelines will allow ISPs to supply Differentiated or Specialised Services.
The Guidelines define Differentiated Services as those in which ISPs give special treatment to content, apps or services accessed by end-users.
In this case, the cost of data for access to a specific content, application or service is sponsored by a third interested party, provided that the end-user has an active data balance in either its prepaid or post-paid services.
The IFT’s draft Guidelines also allow for the provision of Differentiated Services when the end-user does not have an active data balance, provided that such Differentiated Services have the purpose of reducing the digital divide by way of public services or services that promote education, finance or work inclusion, or promote digital skills.
This last restriction would limit the business activities of transport, content, social network, communication and commerce app service providers who could be willing to sponsor data consumption for end-users who do not have a data balance and can still have access to a “soft version” of such apps, as is the case in certain Asian countries.
The IFT’s Guidelines are still not final, and Mexico’s TMT sector will likely push for the IFT to remove these restrictions for the benefit of both users and the TMT sector.
The Guidelines define Specialised Services as those that ISPs offer to app, content or service providers through payment of a consideration, in order to provide specific or superior network resources to transmit and improve upload and download speeds or the users’ experience.
Specialised Services shall in no way affect the quality or speed of other traffic transmitted through a public telecommunications network, and ISPs shall in no case bill content, app or service providers for the transmission of their traffic under standard conditions.
Pursuant to the Guidelines, the ISPs that offer Specialised Services shall provide them on a non-discriminatory basis, and shall make them available to all providers of applications, content or services, under the same conditions of diversity, price and quality, including equivalent service levels and time for the resolution of failures. Furthermore, ISPs shall refrain from denying the provision of such services for unjustified reasons, entering into exclusivity agreements or engaging in conduct that has similar effects.
It is important to highlight that ISPs that distribute content, applications or services of their own through the use of specific resources of their networks shall make such resources available to providers of applications, content or any other internet-based service, and in no circumstance shall such Specialised Services translate into a requirement for the providers of applications, content or any internet-based service to pay for the transmission of the traffic generated by their content, applications or services, under standard conditions.
Machine to machine communications will likely be the ones to make the most use of Specialised Services once the IFT publishes its final Guidelines. This will especially be the case for financial, gaming, security, healthcare, transportation or emergency apps and services. It is therefore reasonable to assume that banks, gaming platforms, child or elderly care companies or institutions will seek to contract these Specialised Services from ISPs.
The Guidelines further require ISPs to:
The Policy Code shall also include:
The IFT’s public consultation for its draft Network and Traffic Management Guidelines will end on 6 March 2020, and there is no specific date for the IFT to publish its final Network and Traffic Management Guidelines.
With a total of 12 signed free trade agreements, including the North American Free Trade Agreement (NAFTA) entered into with the USA and Canada in 1994 and its succeeding agreement, the United States-Mexico-Canada Agreement (USMCA) recently approved by the Senates of the United States and Mexico, the Mexico-Japan Free Trade Agreement of 2004 and the Mexico-EU Free Trade Agreement of 2000, as well as 32 agreements for the reciprocal protection of investments and nine economic complementation agreements, Mexico remains one of the most open economies in the world, and its legal framework is quite open to IT entry.
Thus, Mexico has no provisions on IT price revisions, restrictions on the importation of equipment (other than compliance with general technical norms and homologation), international data transfers or storage location, nor does it require a licence for the provision of IT or value-added services.
By way of example, the USMCA includes specific provisions for financial services and digital trade that prohibit the signing parties from requiring the use or location of computing facilities in such party’s territory as a condition for conducting business in that territory.
Regarding financial services, Chapter 17 of the USMCA establishes that no party to the USMCA shall require another to use or locate computing facilities in the party’s territory as a condition for conducting business in that territory, so long as the party’s financial regulatory authorities – for regulatory and supervisory purposes – have immediate, direct, complete and ongoing access to information processed or stored on computing facilities located outside the party’s territory.
Chapter 17 further defines “computing facilities” as a computer server or storage device for the processing or storage of information for the conduct of business within the scope of the licence, authorisation or registration of a covered person, and “covered person” as:
Regarding digital trade, Chapter 19 of the USMCA states that no party shall require a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that territory.
Chapter 19 defines “computing facility” as a computer server or storage device for processing or storing information for commercial use, and “covered person” as:
In addition, Article 19.11 of the USMCA requires the USA, Mexico and Canada not to prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.
However, Article 19.11 does not prevent a party from adopting or maintaining a measure inconsistent with the above, as long as such measure is necessary to achieve a legitimate public policy objective, and such measure:
At the time of writing, the USMCA was pending approval from Canada’s parliament, and is expected to become effective during the course of 2020.
Core Rules Regarding Data Protection
Mexico has an “opt in” regime regarding the treatment of personal data, under which owners of personal data must consent to the treatment of their data through different available means, which may include a signature or a “click”.
Distinction Between Companies/Individuals
Unlike individuals, the law does not recognise companies as entities that can have title to personal data. Therefore, company data is protected by other laws, such as Industrial Property Law, Tax Law, etc.
General Processing of Data
General processing of data is not subject to specific regulation.
Processing of Personal Data
Responsible Parties that process (treat) personal data are obliged to safeguard and protect a person’s information, such as their name, address, e-mail, telephone number and any other data that serves to identify an individual.
Responsible Parties must publish a data privacy notice, which must be made available to those persons whose information is collected, along with any changes to such data privacy notice.
Individuals whose personal data is collected shall exercise their ARCO Rights.
Unless expressly authorised, a Responsible Party or a third party cannot use personal data to contact the user to offer or promote products or services.
There are no restrictions on monitoring and limiting use by employees of company computer resources, except for the content of private communications.
Technologies Falling Within the Scope of Local Rules
Mexico’s Telecommunications and Broadcast Law (the “Telecom Law”) is technology neutral, so there is no regulation that applies to a specific type of technology. The Telecom Law and its subsidiary regulations govern services, use of spectrum and licensing, but not technologies.
RFID tags are not specifically regulated, and tag readers normally operate in free spectrum frequency bands.
Voice-over-IP has to be provided as a regular telephone service that is subject to numbering, interconnection and signalling regulations.
There is no regulation for instant messaging like WhatsApp, WeChat, Snapchat, etc.
Requirements Prior to Bringing a Product/Service to the Market
Mexico’s Telecom Law has a pro-convergence approach and therefore allows licensees to provide all telecommunications services that technology allows without limiting the scope of such licence to a specific technology.
Both services and spectrum licences are granted by the IFT.
Service licences are issued through an administrative proceeding that may be filed at any time, whereas spectrum licences are granted through public auctions.
In the case of service licences or concessions, the IFT has 120 business days to rule on an application, and the processing cost for the study and issuance of such licence is approximately USD1,500.
All equipment that transmits signals through the airwaves and/or connects to a public telecommunications network has to be homologated, must not cause harmful interferences to other telecommunications systems and, when applicable, must comply with the applicable National Norm Certification.
Homologation is carried out before the IFT, which has 60 business days to rule on a homologation application. Homologation certificates can be either provisional (with a one-year validity) or permanent.
Homologation costs are approximately USD350 for a provisional certificate and USD130 for a permanent homologation certificate.
As mentioned earlier, the Telecom Law foresees the granting of universal service licences or single concessions for all kinds of services.
Thus, the licence to provide an audiovisual service such as pay TV would be the same as for a fixed broadband or telephony service.
That said, in the case of over-the-air TV and radio broadcast services, the Telecom Law foresees the granting of a spectrum licence that – in the case of commercial services – must be awarded through a public auction.
The procedure and cost for obtaining a single or spectrum concession are the same as mentioned in section 8, Scope of Telecommunications Regime.
Online audiovisual services are currently not regulated, and no licence is required.
Mexico does not have a specific regulation or law on encryption requirements.
Nonetheless, Article 8 of Mexico’s Advanced Electronic Signature Law recognises that the use of such signature in a document or message guarantees that it can only be encrypted and decrypted by the signer and the receiver.
Also, the IFT’s Collaboration with Justice Guidelines state that concessionaires shall guarantee that their electronic platforms use encryption tools or digital signatures to maintain the confidentiality of metadata or real-time location information requested by competent authorities.
It is important to mention that, in recent years, most financial entities in Mexico, such as banks, have adopted encryption technologies as a security mechanism for financial operations and communications with their users.
On the other hand, Article 12.C.2 of Annex 12-C to the USMCA establishes that no party to the treaty shall require a manufacturer or supplier of ICT goods of another party, as a condition of the manufacture, sale, distribution, import or use of the good (in their territory), to:
Annex 12-C defines:
The provisions of Article 12.C.2 apply to ICT goods that use cryptography but do not apply to: