Personal data protection is regulated in Mexico by the Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), its Regulation (Reglamento) and the Privacy Notice Guidelines (Lineamientos del Aviso de Privacidad) (jointly, the DPR). The DPR is applicable to any individual or entity of the private sector that processes personal data in Mexico. 

The DPR set forth the principles, requirements and obligations for any individual or entity to process, use and transfer personal data of any individual, as data subject (titular). 

Pursuant to the DPR, the data controllers (responsables) must comply with the following principles: lawfulness, loyalty, information, consent, quality, purpose, proportionality and responsibility. Compliance with these principles will ensure data controllers collect and process personal data adequately and implement the necessary measures to protect personal data. 

The most important principles are (i) information, which refers to the obligation to provide the data subject the privacy notice before they collect and process personal data, and (ii) consent, which refers to the obligation to obtain the data subject’s prior consent to process their personal data. The privacy notice must be in Spanish, with clear information, and must be easy to understand. The data controller may deliver the privacy notice in writing, in digital form, via recording or through any other technological means available.

The DPR establishes a stricter regime for data controllers in relation to sensitive personal data. In order to process sensitive personal data, the data controller must obtain an express and written consent from data subjects. In case of non-compliance, the regulator can impose an economic sanction that may be increased to twice the amount of the sanction that would be imposed if it were another type of personal data.

The authority responsible for the surveillance and enforcement of the DPR in Mexico is the National Institute for Access to Information and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI). 

The INAI has the authority to initiate audits and investigations as part of its faculty of surveillance, which can be initiated ex officio or upon request by an interested third party. If the INAI detects non-compliance with the DPR, it may issue a warning or impose a financial fine. In 2022, the INAI imposed fines for a total amount of up to MXN60 million (approximately USD3 million, at an exchange rate of MXN20 per USD1).

The DPR set forth the following procedures. 

• A procedure that can be initiated by the data subjects before the INAI (rights protection procedure), in which the data subjects can claim that the data controller has violated their rights of access, rectification, cancellation or opposition (the “ARCO Rights”). 
• A procedure that can be initiated by the INAI ex officio or at the request of a third party, with the purpose of obtaining the appropriate information to verify any violation of the DPR.

If, derived from the procedures above, the INAI determines that there has been a breach of the DPR, the INAI will begin with the procedure for the imposition of sanctions, which will begin with a notification to the infringer. The infringer will have 15 days to offer evidence and state in writing any pertinent information. After the INAI has reviewed the evidence, it will notify the infringer so that they can prepare their arguments and present them within the following five days. In total, the INAI will have 50 days from the start of the procedure to issue a resolution and notify the infringer. If the infringer does not agree with the INAI’s resolution, they may appeal the resolution to the Federal Court of Fiscal and Administrative Justice (Tribunal Federal de Justicia Administrativa).

The DPR was prepared based on and includes the principles of data protection set forth in the EU Data Protection Directive (the "EU Directive"). Mexico has not adopted the new regulation set forth in the General Data Protection Regulation (GDPR). As of this date, there is no public information on any proposed bill to amend the DPR or regarding the manner in which the INAI will co-operate in the enforcement of the GDPR in Mexico.

Currently, there are no NGOs or SROs in Mexico that are highly involved, have the sole purpose or have an important role in the protection of personal data rights. However, as private entities subject to the DPR when processing personal data, they must actively comply with the protection of personal data and the implementation of the principles established in the DPR. 

The DPR is based on the guidelines of the EU Directive, and although it has not been standardised in line with the GDPR, it has several shared principles. Compared with other national systems, it lacks stricter risk assessment obligations and risk mitigation measures, and requires legislation that foresees more specific and updated cases, already regulated in other countries.

Mexico must implement and amend the DPR in order to include the requirements to process personal data obtained from innovative and new technologies. 

Some of the new obligations incorporated in the GDPR, which are not yet included in the DPR, are:

• the portability right;
• privacy by design;
• express obligations regarding the consent of minors under 16 years of age; and
• new obligations and requirements if the data controller implements new technologies in the processing of the personal data.

Since the DPR is based on the guidelines of the EU Directive, and has not been standardised in line with the GDPR, the development of data privacy regulation in Mexico has occurred primarily in terms of enforcement.

Regarding the INAI’s enforcement, in 2022 the number of fines imposed for non-compliance decreased from the number imposed in 2021; however, there was an increase in the recommendations and campaigns implemented by the INAI. Notwithstanding the above, no significant advances have been seen in rule-making, and only certain relevant criteria have been published and established in terms of litigation.

The provision of a broader protection for users’ personal data that includes sensitive information, such as biometric data which is scarcely regulated in Mexico and represents a crucial safety requirement, and the standardisation of the protection of personal data at a regional and federal level are still pending.

Additionally, the DPR lacks the inclusion of certain obligations already included in other jurisdictions around the world, such as:

• the portability right;
• impact assessment;
• the implementation of new technologies in the processing of personal data; and
• privacy by design. 

Data Protection Officer

Pursuant to the DPR, data controllers must appoint a data protection officer or department (DPO) that has the responsibility of processing the requests of the data subjects in relation to the exercise of their data protection rights, the promotion of personal data protection and compliance with applicable obligations. 

The INAI recommends appointing a DPO that has:

• expertise in data protection matters;
• a position within the company that permits the implementation of policies;
• the necessary material, technical and human recourses; and
• leadership, organisational and communication skills. 

Processing and Collection

Prior to the processing of personal data, the data controller must obtain consent from the data subject to collect and process their personal data. The type of consent (tacit, express, written and/or express) will depend on the type of personal data that is being collected and processed (patrimonial/financial, sensitive personal data or other). 

In exceptional cases, the DPR permits that the data controller collects and processes personal data of the data subject without their consent when, among others:

• the personal data is public;
• the personal data is disassociated;
• the personal data to be collected is processed to comply with obligations derived from the legal relationship between the data subject and the data controller;
• there is an emergency situation that may cause harm to the data subject; and/or
• if there is a judicial ruling or is essential for medical matters of the data subject. 

Privacy by Design

Mexico has not implemented criteria such as “privacy by design” or “privacy by default” in the DPR. 

Privacy Impact Assessment

Pursuant to the DPR, there is no express obligation for the data controller to perform an impact assessment; however, the data subject must establish and maintain security measures for the processing of personal data. 

Privacy Policies

In Mexico, data controllers are obligated to establish and adopt internal privacy policies in order to implement a data privacy protection regime and guarantee compliance with the principles established in such regulation. The internal policies must contain the tools for transparency and continuous monitoring of risk assessments, and proper processing of personal data. 

ARCO Rights

The DPR recognises and incorporates the ARCO Rights. Pursuant to the DPR, the data subject has, at all times, the right to access, rectify, cancel or oppose to the processing of their personal data, as well as to revoke their given consent for the processing of their personal data. Additionally, the data subject may accept or deny the transfer of their personal data. 

The data subject will need to follow the process established by the data controller in its privacy notice to exercise their ARCO Rights and their right to revoke their personal data. In any case, the data controller cannot charge any fee for such purpose.

Portability

The DPR does not regulate the right to data portability. 

Dissociation

The DPR recognises the process of dissociation, which refers to the procedure by which personal data cannot be associated with the data subject. If the personal data has been subject to a dissociation process, the data controller does not have to obtain the previous consent of the data subject for the processing of their personal data, as such information will not be subject to the DPR. 

The DPR classifies the information into three categories: (i) sensitive personal data, (ii) financial/patrimonial data, and (iii) other general data. 

Sensitive data refers to the most intimate areas of the individual (racial or ethnic origin, health status, genetic information). Pursuant to the definition established in the DPR, sensitive data refers, in particular, to data that may relate to religious, philosophical and moral beliefs, union membership, political views and sexual preference. 

Data controllers must obtain prior consent from the data subject prior to any processing; however, the type of consent will depend on the category of personal data. In the case of sensitive data, the DPR establishes the highest degree of protection and requirements to process it, as the data controller is required to obtain the express and written consent of the data subject. 

For the creation of a database containing sensitive data, the data controller must legally justify that the data collection is legitimate, concrete and in accordance with the purposes described in its privacy notice.

It is important for the data controller to limit the period of processing of sensitive personal data to the minimum necessary compared to other categories of personal data. 

In relation to location data, there has been an effort in different jurisdictions around the world to regulate location or geolocation as sensitive personal data in order to have specific restrictions on its processing. In Mexico, geolocation is a controversial issue, since the DPR does not mention that it is sensitive personal data and the INAI has not issued an opinion on the matter. However, as of March 2021, it is mandatory for Mexican banks to obtain their user’s geolocation and for users to allow access to it in order to perform banking transactions through mobile devices. This will probably trigger the INAI and other correspondent authorities to amend the DPR or publish criteria that specify how to process localisation or geolocalisation data. 

Regarding biometric data, the INAI published a guideline in which it establishes that biometric data may not be considered as sensitive personal data. In order to determine whether biometric data should be considered as sensitive personal data by the data controller, it is necessary to evaluate whether such biometric data refers to the most intimate sphere of the data subject, its improper use may generate discrimination and/or its unlawful use may entail a serious risk for the data subject. For example, the INAI has determined that a fingerprint is always considered sensitive personal data. 

Notwithstanding, the INAI establishes that the privacy notice must expressly mention whether biometric data are being processed and, if so, whether they will be considered sensitive personal data. 

Pursuant to the DPR, if the data controller processes personal data for purposes that are not necessary or give rise to the legal relationship between the data controller and the data subject, these will be considered secondary purposes (marketing communications, spam email, advertising, call, texts, commercial prospecting, among others).

The data subject has the right to deny or revoke their consent, as well as to oppose to the processing of their personal data when the processing is for secondary purposes. These secondary purposes will have to be included in the privacy notice as well as the means by which the data subject may exercise the right to deny, revoke and oppose the processing for such purposes. 

There are no special rules on the processing of personal data of employees. The terms of the DPR apply to the data processed by the employer of its employees. 

Communications Monitoring

In general, surveillance and supervision in work environments must always be proportional and adequate to the situation at hand. Although communication tools, such as corporate e-mails or mobile phones, are considered work instruments, privacy remains a crucial issue. Therefore, clear and precise procedures must be established, which must be communicated to employees in advance in compliance with the DPR.

Whistle-Blower and Anonymous Reporting

Internal complaint systems must always comply with the DPR and its principles. However, given the nature of the relationship between employer and employee, the fulfilment of obligations as data controllers acquires new elements, eg, proportionality will require that data processing and overall complaints focus exclusively on the employment relationship, and loyalty will mean acting in a manner that protects the reporter՚s interests.

Labour Unions 

Labour unions must follow the same principles provided in the DPR for the protection of its members' information. 

Supervision

The INAI may initiate inspection visits or verification proceedings at any moment of any alleged violations of the DPR if it has any suspicions, whether as a result of a claim of the data subject or its own investigation. 

Potential Penalties

The DPR identifies the following penalties: 

• a warning notice, exclusively applied when the data controller fails to comply with a request to exercise a data subject right; or
• a fine, which varies depending on the infraction of the DPR.

The DPR also includes the following criminal offenses:

• security violations committed by authorised personnel for profit are punished with three months to three years in prison; and
• data processing offenses based on deceit, taking advantage of the data subject’s or authorised personnel’s error to profit inappropriately, are penalised with six months to five years in prison. 

If the infraction or conduct involves sensitive personal data, the fines are doubled.

Noteworthy Cases in the Last 12 Months

Currently, the most recent rulings and cases are limited to information from 2020. However, an ongoing procedure involving the Mexican Football Federation is underway. No specific details have been published, but it is reportedly related to assisting the Mexican national team՚s stadium. 

Private Litigation

Since privacy and data protection violations are reviewed and penalised specifically through administrative procedures, there is no civil recourse to enforce privacy or data protection under the DPR. However, Mexican legislation allows data subjects to pursue compensation through civil courts by claiming damages and lost profits.

The DPR permits the processing or transfer of personal data, even without consent of the data subject, in the event of national security, public order, public safety and health, or the protection of the rights of third parties, subject to the request of a competent authority.

The Public Prosecutor's Office may request reports or documentation from other authorities and individuals, and authorisation to perform certain acts of investigation, such as access to private communications and correspondence of individuals, which may include personal data.

Also, the Public Prosecutor may intercept private communications and correspondence with prior authorisation of the competent judge. For that purpose, the Public Prosecutor should communicate and justify the purpose and need to carry out such measure.

The request to the supervisory judge must specify the person, the place where the intervention will be carried out, the type of communication to be intervened, its duration, the lines, numbers or devices to be intervened, and the name of the telecommunications service concessionaire through which the communication is carried out.

The National Security Law (Ley de Seguridad Nacional) establishes that judicial authorisation is required to conduct interventions of private communications in cases relevant to national security. This Law contains a list of national security threats for which the Mexican state may request the intervention of private communications. This list includes terrorism, espionage, sabotage and genocide.

In addition, the Center for Investigation and National Security is authorised to assist in the prosecution of justice; however, such assistance will be regulated by the National Code of Criminal Procedures (Código Nacional de Procedimientos Penales) and not by the aforementioned National Security Law.

The data controller may transfer personal data to foreign governments without the consent of the data subject if a request is made by competent authority in compliance with a Mexican notification request. 

Mexico does not participate in a Cloud Act or similar agreements with the USA. 

In addition to the DPR, the General Law for the Protection of Personal Data in the Possession of Obligated Parties (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) (LFPDPSO), regulates the protection of personal data in the possession of any authority, entity, government body, agency of the executive, legislative and judicial bodies, autonomous bodies, political parties, trusts and public funds. This Law regulates the manner in which the state guarantees the privacy of individuals with respect to information held by the government.

The LFPDPSO provides express obligations on how the government must take care of the personal data of individuals.

Key issues arise from the fact that the corresponding authority does not notify the data subject of violations of its rights under the law. 

The DPR permits data transfers abroad, subject to compliance with the information and consent requirements in the DPR. However, it is stated that general requirements apply, even in international data transfers. Regulation of the DPR also requires international data transfer receivers to assume the same obligations and responsibilities as the original controller.

The regulations of the DPR allow data controllers to use and dispose of any legal instruments to fulfil their obligations. Contract clauses are the first and only tools named explicitly in the DPR that data controllers may rely on to meet their international obligations when performing data transfers. As a general rule, these clauses must contain at least the following:

• the data receiver must agree to submit to the same obligations as the original data controller; and
• the data receiver must agree and acknowledge the authorisations granted by the data subject in the privacy notice.

The data controller can also request the INAI’s opinion regarding international data transfers. If deemed necessary, the data controller may submit a request to determine whether the data transfer complies with the DPR.

There are no government notifications or approvals required to transfer data internationally. The data controller will have to include in the privacy notice the transfers of personal data in order to inform the data subject.

There are no specific data localisation requirements. The DPR does not contemplate the need to maintain personal data in-country either. Therefore, it is possible to transfer data internationally; however, data controllers are still required to implement measures to safeguard the data and comply with the requirements for the transfer of personal data established in the DPR, such as the provision of the privacy notice to the data receiver.

Data controllers are not required to share any software code, algorithms or similar technical details with the government in advance. However, it is essential to note that, though it is not explicitly mentioned, an interpretation of Mexican legislation suggests it is possible for the INAI’s General Directorate of Investigation and Verification to request technical details. 

There are no specific requirements for foreign government data requests. Therefore, it is possible to transfer data internationally; however, data controllers are still required to comply with the requirements for the transfer of personal data established in the DPR.

In Mexico, other than the sovereignty of the nation and the provisions set forth in the constitution, there are no specific statutes regarding “blocking”. 

The DPR, which was issued in 2010, has not been subject to modifications. Therefore, it does not address or reflect current issues in the processing of personal data, such as those regarding the use of digital and technological resources. Notwithstanding the foregoing, the DPR addresses the following issues.

Automated Decision-Making

The DPR requires transparency when decisions without human intervention are part of the data processing. Controllers must inform data subjects of such situations before the data processing begins. It is considered good practice to notify the foregoing to the data subject in the privacy notice. 

Profiling or Microtargeting

One of the most common occurrences of this issue is cookies. Using this type of mechanism in electronic media requires controllers to inform the data subject accordingly. Specifically, it is required to notify data subjects (through privacy notice) about the presence and use of these technologies, as well as the collection of personal data through cookies and the way they may be disabled, if possible.

The widespread use of data to generate a profile of employees or candidates is still debatable. Therefore, though it is not specially regulated in Mexican provisions, it is highly recommended to exercise caution when executing psychometric tests and to review compliance with the principles defined in the DPR.

Biometric Data, Facial Recognition and Geolocation

Biometric data, facial recognition and geolocation are not explicitly mentioned in Mexican provisions. In the case of biometric data, the INAI՚s interpretation was published in a guideline in which it establishes that biometric data may not be considered as sensitive personal data. In order to determine whether biometric data should be considered sensitive personal data by the data controller, it is necessary to evaluate the purpose and the use that will be given to the biometric data. 

Other Current Issues

Mexican regulators and legislators must work on amendments to the DPR to regulate technological developments, such as: 

• big data;
• artificial intelligence (machine learning);
• internet of things or ubiquitous sensors;
• autonomous decision-making;
• drones;
• disinformation, deep fakes or other online harms;
• dark patterns or online manipulation; and
• fiduciary duty for privacy or data protection.

Nevertheless, through the application of the general principles of the DPR, it is possible to evaluate how cases involving these concepts may be analysed and resolved by the INAI. Therefore, whenever these concepts present themselves in practice, it is possible to act based on the principles of the DPR.

Data controllers are required to designate a person (or department) in charge of addressing ARCO Rights and promoting personal data protection within the organisation. However, there is no mention of their specific functions and responsibilities.

The INAI and the private sector have brought attention to the need for an ethics board in workplaces where technology is being innovated, primarily when referring to artificial intelligence. In Mexico, the United Nations Educational, Scientific and Cultural Organization has proposed the establishment of an Artificial Intelligence Committee, which would be responsible for strategy development focused on humans to govern ethics in that subject.

According to the INAI’s report, the imposed fines in 2022 exceeded MXN60 million (approximately USD3 million, at an exchange rate of MXN20 per USD1). This represents around a 33% reduction in total fines compared to 2021. When reviewed by sector, the following stand out as the most relevant figures:

• information in mass media was fined over MXN15 million (approximately USD750,000, at an exchange rate of MXN20 per USD1);
• financial services and insurance were fined over MXN14 million (approximately USD700,000, at an exchange rate of MXN20 per USD1);
• business support services and waste management services were fined over MXN2 million (approximately USD100,000, at an exchange rate of MXN20 per USD1); and
• other services were fined over MXN23 million (approximately USD1,150,000, at an exchange rate of MXN20 per USD1).

The INAI has identified the following conducts as the most frequent reasons for sanctions:

• collect and transfer of personal data without the explicit consent of the data subject;
• omitting required components in the privacy notice; and
• processing personal data contravening the principles outlined in the DPR.

Collective actions are not allowed under Mexico՚s personal data protection and privacy laws. Upon receiving multiple related complaints from data subjects, the INAI will process and resolve each claim individually; however, the INAI may initiate inspection visits to the data controller. Furthermore, private litigations regarding personal data protection and privacy are based on claims of damages and lost profits, which are not common in Mexico.

Depending on the nature of the transaction, the process for conducting diligence greatly varies (eg, the merger between companies may require a deep analysis of the data processing within the merged company). The standard process consists of the following steps.

• Identify if the transaction involves personal data at all.
1. It is essential to review the presence of sensitive data.
2. Assessing the categories of personal data involved during the transaction is highly recommended.
3. Review whether the involvement of personal data complies with the principles of proportionality and purpose.
• Identify the extent to which personal data will be exposed during and after the transaction.
1. Determine where the personal data is stored before the transaction.
2. Determine how the other party or the reviewer will access the personal data.        
3. Determine where personal data will be held during and after the transaction.
4. Most importantly, it must be determined who will access the personal data.
5. Identify if there have been any previous data breaches.
6. Identify risks of data breaches at three stages:

1. before the transaction;
2. during the transaction; and
3. after the transaction.
• Ensure proper measures are in place to comply with the data protection principles. 
1. When sensitive data is present in the transaction, the corresponding arrangements must be strict and secure under the DPR.
2. Determine if proper consent was collected; this includes identifying if the proper privacy notice was provided.
3. Review the security measures established to mitigate the identified risks.

There are no obligations in Mexican law that require companies to disclose cybersecurity risks. Mexican legislation does not focus on cybersecurity risks in its requirements; instead, it addresses risks in a broad scope. 

The DPR struggles to keep up with upcoming trends and innovations in technology. Though the principle-based model helps to deal with unforeseen situations and issues, data protection and privacy stand to gain from the implementation of new ideas into legislation. Recent technological developments are frequent, and the generalised approach needs to be revised to manage them properly. Gaps in the DPR have led to numerous interpretations. This, in turn, fosters uncertainty for everyone involved.

There is an increasing tendency for international companies with a presence in Mexico to adapt GDPR principles and obligations in the processing of personal data collected in Mexico. This trend, which is permitted by Mexican law, helps to strengthen personal data protection. 

There are no data protection or privacy issues of major importance not already covered in this chapter.