Contributed By Nader Hayaux & Goebel
Brief Overview of Data Protection Legislation
In Mexico, personal data protection is regulated at the highest level of its legal system. The Federal Mexican Constitution (Constitución Política de los Estados Unidos Mexicanos) grants and recognises the protection of personal data as a human right.
In order to regulate this human right, Mexico’s legal framework divides the regulation into the private and public sector.
The Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), its Regulation (Reglamento) and other secondary provisions (jointly, the Private Data Protection Regulations (DPRs)), serve as the tools to protect this right and feature as the core of Mexican personal data protection in the private sector.
On the other hand, data privacy for public entities is regulated by the General Law for the Protection of Personal Data Held by Obligated Parties (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) (the Public DPRs and jointly with the Private DPRs, the Mexican DPRs), and several other provisions.
Key Aspects of the Mexican DPRs
Data controllers (responsables), data subjects (titulares), personal data (datos personales), and data processing (tratamiento) are key concepts under the Mexican DPRs. However, adequate compliance requires understanding several other concepts.
Furthermore, Mexican DPRs have a heavy emphasis on regulating data controllers and their actions. Accordingly, data controllers are bound by the principles of lawfulness, loyalty, information, consent, quality, purpose, proportionality and responsibility. Compliance with these principles ensures that data controllers collect and process personal data properly and implement the necessary measures to protect such personal data.
Regarding sensitive personal data, the Mexican DPRs impose a stricter regime and higher standards to collect, process and store it. For example, the data controller must obtain express and written consent from data subjects. Under the Private DPRs, failure to comply with these standards, or committing any other infraction of the Federal Law that involves sensitive personal data, results in the applicable sanction being doubled.
The most important principles are (i) information, which refers to the obligation to provide the data subject with the privacy notice before they collect and process personal data, and (ii) consent, which refers to the obligation to obtain the data subject’s prior consent to process their personal data. The privacy notice must be in Spanish, with clear information, and must be easy to understand. The data controller may deliver the privacy notice in writing, in digital form, via recording or through any other technological means available.
Special Considerations of Enforcement
During enforcement procedures, data controllers have the burden of proof. Individuals and entities subject to the Mexican DPRs are responsible for providing evidence that supports all their claims, arguments and defences regarding their compliance. Therefore, data controllers must maintain appropriate security and record-keeping practices.
Mexico has a total of 33 authorities dedicated in part to data protection. The National Institute for Transparency, Access to Information and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) is the sole authority responsible for enforcing the Mexican DPRs throughout the country. As part of its surveillance responsibility, it has the authority to conduct audits and investigations on its own initiative or at the request of an interested third party.
Under the Private DPRs, the INAI may initiate the following procedures.
If the INAI determines that the Private DPRs have been breached, it will commence the procedure for imposing sanctions.
For Public DPRs, there is only one procedure, which is the verification procedure. This procedure may be initiated by the INAI ex officio or at the request of a third party to verify any violation of the Public DPRs. Furthermore, each state has its own legislation on the subject. Considering the corresponding authorities closely resemble the INAI, procedures should be similar to those listed above. Nevertheless, it is essential to review the applicable provisions in each case.
The Mexican DPRs were prepared based on and include the principles of data protection set forth in the EU Data Protection Directive (the “EU Directive”). Mexico has not adopted the new regulation set forth in the General Data Protection Regulation (GDPR). As of this date, there is no public information on any proposed bill to amend the Mexican DPRs regarding enforcing the GDPR or any other multi-national systems.
Currently, there are no non-governmental organisations (NGOs) or self-regulatory organisations (SROs) in Mexico that are highly involved, have the sole purpose, or have an important role in the protection of personal data rights. However, private entities subject to the Private DPRs when processing personal data must actively comply with Private DPRs and implement the principles established to protect personal data.
The Mexican DPRs were drafted based on the principles set forth in the EU Directive and share many basic concepts with prominent legislation of other jurisdictions, such as the GDPR; however, they are not entirely standardised. Compared with other national systems, the Mexican DPRs do not impose strict risk assessment obligations or risk mitigation measures. The legislation also does not address newer scenarios, such as personal data obtained through new technologies, that are already regulated in other countries.
As Mexico’s data privacy regulation is based on the guidelines of the EU Directive and has not been standardised in line with the GDPR, the development of data privacy regulation in Mexico has occurred primarily in terms of enforcement.
The INAI has issued further recommendations and awareness campaigns. The INAI has published an award-winning electronic tool to perform privacy impact assessments for the public sector. However, no significant advances have been seen in rule-making, and only certain relevant criteria have been published and established in terms of litigation.
Broader protection for users’ personal data in Mexico is needed, especially for sensitive information like biometric data. There is currently little regulation around this data type, even though it is critical for safety. Additionally, personal data protection at a regional and federal level is not standardised.
Some of the new topics incorporated in other jurisdictions, such as the GDPR, which are not yet included in the Private DPRs, are:
One of the issues that came to light in 2023 is that, for five months, the Plenary of the INAI was unable to meet due to a lack of quorum, as the missing members were not appointed for political reasons. The Plenary is the INAI’s highest decision-making and governing body, responsible for making strategic decisions and establishing policies to ensure the fulfilment of its objectives (which include promoting and protecting the right to access information, as well as defending rights related to the protection of personal data).
In 2023, there was a surge in cyber-attacks affecting both public and private sectors in Mexico. In response to this escalating threat and recognising the absence of a cybersecurity law in Mexico, key authorities such as Banxico (Bank of Mexico), CNBV (National Banking and Securities Commission) and the INAI have found it imperative to assess the situation and have proactively engaged in studying the cyber-risks faced by entities in a bid to fortify cybersecurity measures. Such authorities are now working towards the formulation and publication of specific regulations and guidelines. This initiative aims to enhance the resilience of organisations against cyber threats and establish a more robust cybersecurity framework in the absence of a comprehensive cybersecurity legislation.
Data Protection Officer
Pursuant to the Private DPRs, data controllers must appoint a data protection officer or department (DPO) that has the responsibility of processing the requests of the data subjects in relation to the exercise of their data protection rights, the promotion of personal data protection and compliance with applicable obligations.
The INAI recommends appointing a DPO that has:
Under the Public DPRs, data controllers must appoint a Transparency Unit (Unidad de Transparencia). This unit will be responsible for aiding individuals in exercising their ARCO Rights. Furthermore, the data controller may appoint a DPO that will be part of the Transparency Unit.
Processing and Collection
Prior to the processing of personal data, the data controller must obtain consent from the data subject to collect and process their personal data. The type of consent (tacit, express and written) will depend on the type of personal data that is being collected and processed (patrimonial/financial, sensitive personal data or other).
In exceptional cases, the Mexican DPRs permit the data controller to collect and process the personal data of the data subject without their consent when, among others:
Privacy by Design
Mexico has not implemented criteria such as “privacy by design” or “privacy by default” in the Mexican DPRs; however, data controllers may apply these principles in their operations.
Privacy Impact Assessment
Pursuant to the Private DPRs, the data controller has no express obligation to perform an impact assessment; however, the data controller must establish and maintain security measures to process personal data.
The Public DPRs require data controllers to conduct a privacy impact assessment before implementing or modifying any public policies, computer systems or platforms, or technology that involves processing personal data extensively or significantly. To determine if intensive or significant processing of personal data is taking place, data controllers must assess if:
The data controller must then submit the privacy impact assessment to the INAI before processing personal data.
Privacy Policies
In Mexico, data controllers are obligated to establish and adopt internal privacy policies in order to implement a data privacy protection regime and ensure compliance with the principles established in such regulation. The internal policies must contain the tools for transparency and continuous monitoring of risk assessments, and proper processing of personal data.
ARCO Rights
The Mexican DPRs acknowledge and incorporate the ARCO Rights. Pursuant to the Mexican DPRs, the data subject has, at all times, the right to access, rectify, cancel or oppose the processing of their personal data, as well as to revoke their consent for the processing of their personal data. Additionally, the data subject may accept or deny the transfer of their personal data.
The data subject will need to follow the process established by the data controller in its privacy notice to exercise their ARCO Rights and their right to revoke their consent. In any case, the data controller cannot charge a fee for this purpose.
Portability
The Private DPRs do not regulate the right to data portability.
On the other hand, the Public DPRs provide regulation on data portability. Such regulation establishes that when personal data is processed electronically in a structured and commonly used format, the data subject has the right to obtain a copy of their data in an electronic format. This allows the continued use and transmission of such data to any other system in an electronic format without encountering any obstacles from the data controller.
Dissociation
The Mexican DPRs acknowledge the process of dissociation, which refers to the procedure by which personal data is rendered incapable of being associated with the data subject. If the personal data has been subject to a dissociation process, the data controller does not have to obtain the prior consent of the data subject for its processing, as such information will not be subject to the Mexican DPRs.
The Mexican DPRs classify the information into three categories:
Sensitive data refers to the most intimate areas of the individual (racial or ethnic origin, health status, genetic information). Pursuant to the definition established in the DPRs, sensitive data refers, in particular, to data that may relate to religious, philosophical and moral beliefs, union membership, political views and sexual preference.
Data controllers must obtain the data subject’s consent prior to any processing; however, the type of consent will depend on the category of personal data. In the case of sensitive data, the Mexican DPRs establish the highest degree of protection and requirements to process it, as the data controller is required to obtain the express and written consent of the data subject.
For the creation of a database containing sensitive data, the data controller must legally justify that the data collection is legitimate, concrete and in accordance with the purposes described in its privacy notice.
It is important for the data controller to limit the period for the processing of sensitive personal data to the minimum necessary, a stricter standard than applies to other categories of personal data.
Geolocation is a controversial issue in Mexico. The Mexican DPRs do not specifically consider it to be sensitive personal data, and the INAI has not issued formal criteria on the matter. As of March 2021, it is mandatory for Mexican banks to obtain their users’ geolocation, and for users to allow access to it, in order to perform banking transactions through mobile devices. This will probably prompt the INAI and other corresponding authorities to amend the Private DPRs or publish criteria that specify how to process geolocation data.
Regarding biometric data, the INAI published a guideline to evaluate if biometric data should be considered as sensitive personal data. In order to determine if this is the case, it is necessary to evaluate:
For example, the INAI has determined that a fingerprint is always considered sensitive personal data.
Notwithstanding, the INAI establishes that the privacy notice must expressly mention whether biometric data are being processed and, if so, whether they will be considered sensitive personal data.
Pursuant to the DPRs, if the data controller processes personal data for purposes that are not necessary for, and do not give rise to, the legal relationship between the data controller and the data subject, these will be considered secondary purposes (marketing communications, spam email, advertising, calls, texts, commercial prospecting, among others).
The data subject has the right to deny or revoke their consent, as well as to oppose the processing of their personal data, when the processing is for secondary purposes. These secondary purposes will have to be included in the privacy notice, as well as the means by which the data subject may exercise the right to deny, revoke and oppose the processing for such purposes.
Mexican DPRs apply to the data that is processed by the employer the same as any other data controller. This implies that the employer must comply with all the corresponding requirements and obligations of the Mexican DPRs when processing the personal data of their employees.
Communications Monitoring
In general, surveillance and supervision in work environments must always be proportional and adequate to the situation at hand. Although communication tools, such as corporate e-mails or mobile phones, are considered work instruments, privacy remains a crucial issue. Therefore, clear and precise procedures must be established, which must be communicated to employees in advance in compliance with Mexican DPRs.
Whistle-Blower and Anonymous Reporting
Internal complaint systems must always comply with the Mexican DPRs and their principles. However, given the nature of the relationship between employer and employee, the fulfilment of obligations as data controllers acquires new elements, eg, the principle of proportionality will require that data processing and complaints focus exclusively on the employment relationship. Additionally, acting in a manner that protects the reporter’s interests is essential to uphold the principle of loyalty.
Labour Unions
Labour unions must follow the same principles provided in the Private DPRs and must ensure the protection of their members’ information.
Supervision
As mentioned at 1.3 Administration and Enforcement Process, the regulators have certain tools at their disposal to supervise compliance with the Mexican DPRs. The INAI may initiate inspection visits or verification proceedings at any moment in response to any alleged violations of the Private DPRs, which may arise from a complaint by a data subject or from its own investigation. Other authorities can initiate the verification proceedings detailed in the Public DPRs and any other DPRs regulated in their corresponding state law.
Potential Penalties
The Private DPRs identify the following penalties:
The Private DPRs also include the following criminal offences:
If the infraction or conduct involves sensitive personal data, the fines are doubled.
The Public DPRs provide no specific penalty for their violation. As such, the focus is directed towards the relevant authorities and their respective legislation. Therefore, each case must be analysed on an individual basis.
Noteworthy Cases in the Last 12 Months
A noteworthy case is the initiation of an investigation of the International Airport of Mexico City (Aeropuerto Internacional de la Ciudad de México) in relation to an alleged violation of the Public DPRs. Details of the case are scarce; however, the INAI mentioned in a publication that the scope includes the use of security cameras.
In recent years, Mexico has experienced a consistent rise in cyber-attacks. These cyber-incidents have led to a surge in security and data breaches, compelling data controllers to address heightened obligations under the Mexican DPRs. As cyber threats evolve and become more sophisticated, organisations in Mexico are increasingly facing challenges in safeguarding sensitive information. The escalating frequency and complexity of these attacks underscore the critical need for robust cybersecurity measures and prompt response strategies to mitigate the impact on data controllers and uphold the integrity of private data.
Private Litigation
Since privacy and data protection violations are reviewed and penalised specifically through administrative procedures, there is no civil recourse to enforce privacy or data protection under the Mexican DPRs. However, Mexican legislation allows data subjects to pursue compensation through civil courts by claiming damages and lost profits.
The Mexican DPRs permit the processing or transfer of personal data, even without the consent of the data subject, in the event of national security, public order, public safety and health, or the protection of the rights of third parties, subject to the request of a competent authority, among others.
The Public Prosecutor’s Office may request reports or documentation from other authorities and individuals, and authorisation to perform certain acts of investigation, such as access to private communications and correspondence of individuals, which may include personal data.
Also, the Public Prosecutor may intercept private communications and correspondence with prior authorisation of the competent judge. For that purpose, the Public Prosecutor should communicate and justify the purpose and need to carry out such measures. The request to the supervisory judge must specify the person, the place where the intervention will be carried out, the type of communication to be intervened, its duration, the lines, numbers or devices to be intervened, and the name of the telecommunications service concessionaire through which the communication is carried out.
The National Security Law (Ley de Seguridad Nacional) establishes that judicial authorisation is required to conduct interventions of private communications in cases relevant to national security. This Law contains a list of national security threats for which the Mexican state may request the intervention of private communications. This list includes terrorism, espionage, sabotage and genocide.
In addition, the Centre for Investigation and National Security is authorised to assist in the prosecution of justice; however, such assistance will be regulated by the National Code of Criminal Procedures (Código Nacional de Procedimientos Penales) and not by the National Security Law.
The data controller may transfer personal data to foreign governments without the consent of the data subject if a request is made by the competent authority in compliance with a Mexican notification request.
Mexico does not participate in a Cloud Act or similar agreements with the USA.
Discussion has been sparked around the compliance of federal governmental authorities. As stated at 1.1 Laws and 1.3 Administration and Enforcement Process, the Public DPRs oversee how the government guarantees the privacy of individuals. There have been several instances where federal authorities failed to comply with the Public DPRs. This has ignited some discussion, since the regulator responsible for supervising compliance and enforcing the corresponding penalties is subordinate to the data controller, which brings into question the effectiveness of privacy procedures and their sanctions. Public debate further increased since, in such cases, data subjects were not notified of the violations of their rights.
Another key issue in Mexico is the absence of significant cybersecurity regulations, leaving data controllers uncertain about how to respond in the event of a security breach. The lack of a comprehensive framework compounds the challenges posed by escalating cyber threats, as organisations may struggle to establish clear protocols and guidelines for addressing and mitigating security incidents.
The Mexican DPRs permit data transfers abroad, subject to compliance with the information and consent requirements in the DPRs. The general requirements of the Mexican DPRs continue to apply to international data transfers. Mexican DPRs also require the recipients of international data transfers to assume the same obligations and responsibilities as the original controller.
Mexican DPRs allow data controllers to rely on any legal instrument to fulfil their obligations. Contract clauses are the only tools named explicitly in the Mexican DPRs that data controllers may rely on to meet their obligations when performing international data transfers. As a general rule, these clauses must provide at least that:
The data controller can also request the INAI’s opinion regarding international data transfers. If deemed necessary, the data controller may submit a request to determine whether the data transfer complies with the Mexican DPRs.
There are no government notifications or approvals required to transfer data internationally. The data controller will have to include in the privacy notice the transfers of personal data in order to inform the data subject.
There are no specific data localisation requirements, nor do the Mexican DPRs contemplate the need to store personal data in-country. Therefore, it is possible to transfer data internationally; however, data controllers are still required to implement measures to safeguard the data and comply with the requirements for the transfer of personal data established in the DPRs, such as the provision of the privacy notice to the data recipient.
Data controllers are not required to share any software code, algorithms or similar technical details with the government in advance. However, it is essential to note that, though it is not explicitly mentioned, an interpretation of Mexican legislation suggests the INAI’s General Directorate of Investigation and Verification and other relevant authorities may request technical details and data controllers would be required to provide such information.
According to the Public DPRs, governmental authorities must conduct a privacy impact assessment in certain cases and submit it to the INAI, as described at 2.1 Omnibus Laws and General Requirements.
There are no specific requirements for foreign government data requests. Therefore, it is possible to transfer data internationally; however, data controllers are still required to comply with the requirements for the transfer of personal data established in the DPRs.
In Mexico, other than the sovereignty of the nation and the provisions set forth in the constitution, there are no specific statutes regarding “blocking”.
The Private DPRs have not been subject to any major modifications. Therefore, they do not address or reflect current issues in the processing of personal data, such as those regarding the use of digital and technological resources.
Notwithstanding the foregoing, the Private DPRs address the following issues.
Automated Decision-Making
When decisions without human intervention are part of the data processing, there must be transparency. Controllers must inform data subjects of such situations before the data processing begins. It is considered good practice to notify the foregoing to the data subject in the privacy notice.
Profiling or Microtargeting
One of the most common occurrences of this issue is cookies. Using this type of mechanism in electronic media requires controllers to inform the data subject accordingly. Specifically, it is required to notify data subjects (through the privacy notice) about the presence and use of these technologies, the collection of personal data through cookies and the way in which they may be disabled, if possible.
The widespread use of data to generate a profile of employees or candidates is still debatable. Therefore, though it is not specifically regulated in Mexican provisions, it is highly recommended to exercise caution when conducting psychometric tests and to review compliance with the principles defined in the DPRs.
Biometric Data, Facial Recognition and Geolocation
Biometric data, facial recognition and geolocation are not explicitly mentioned in Mexican provisions. In the case of biometric data, the INAI’s interpretation was published in a guideline in which it establishes that biometric data is not necessarily considered sensitive personal data. In order to determine whether biometric data should be considered sensitive personal data by the data controller, it is necessary to evaluate the purpose and the use that will be given to the biometric data.
Other Current Issues
Mexican regulators and legislators must work on amendments to the Mexican DPRs to regulate technological developments, such as:
Nevertheless, through the application of the general principles of the Mexican DPRs, it is possible to evaluate how cases involving these concepts may be analysed and resolved by the corresponding authorities. Consequently, acting based on the principles of the Mexican DPRs is recommended whenever these concepts present themselves in practice.
The INAI and the private sector have brought attention to the need for an ethics board in workplaces where technology is being innovated, primarily when referring to AI. In Mexico, the United Nations Educational, Scientific and Cultural Organization has proposed the establishment of an Artificial Intelligence Committee, which would be responsible for strategy development focused on humans to govern ethics in that subject. Nonetheless, no special progress has been made on this subject.
The responsible authorities usually publicise relevant data regarding their investigations and penalties. According to the INAI’s report, the imposed fines in 2023 exceeded MXN46 million (approximately USD2.7 million, at an exchange rate of MXN17 per USD1). This represents around a 23% reduction in total fines compared to 2022. When reviewed by sector, the following stand out as the most relevant figures:
The INAI has identified the following conducts as the most frequent reasons for sanctions:
Moreover, it is important to consider that collective actions are not allowed under the Mexican DPRs. Upon receiving multiple related complaints from data subjects, the INAI will process and resolve each claim individually. Furthermore, private litigations regarding personal data protection and privacy are based on claims of damages and lost profits, which are not common in Mexico.
Depending on the nature of the transaction, the process for conducting due diligence varies greatly. For instance, a merger between companies may require a deep analysis of data processing within the merged company. On a general basis, it is recommended that the steps listed below are followed.
There are no obligations in Mexican law that specifically require companies to disclose cybersecurity risks. Mexican legislation does not focus on cybersecurity risks in its requirements; instead, it addresses risks in a broad scope.
The Mexican DPRs struggle to keep up with trends and innovations in technology. Though the principle-based model helps to deal with unforeseen situations and issues, data protection and privacy stand to gain from the implementation of new ideas into legislation. Recent technological developments are frequent, and the generalised approach needs to be revised to manage them properly. Gaps in the Mexican DPRs have led to numerous interpretations. This, in turn, fosters uncertainty for everyone involved.
There is an increasing tendency for international companies with a presence in Mexico to adopt GDPR principles and obligations in the processing of personal data collected in Mexico. This trend, which is permitted by Mexican law, helps to strengthen personal data protection.
The commissioners of the INAI have been working to raise awareness of identity theft. As a result, it has been suggested that an amendment to the Federal Law is necessary. Additionally, since identity theft is a crime, the corresponding codes must be updated to effectively address this issue.
Torre Arcos
Paseo de los Tamarindos
400 B, 7th Floor
Col Bosques de las Lomas
05120
Mexico
+52 55 4170 3000
+52 55 4170 3099
info@nhg.com.mx
www.nhg.com.mx