Data Protection & Privacy 2025

Last Updated March 11, 2025

Mexico

Law and Practice

Authors



Nader Hayaux & Goebel (NHG) is a market-leading law firm in mergers and acquisitions, banking and finance, fintech, securities and capital markets, structured finance, telecoms, tax, insurance and reinsurance, project finance, real estate, energy and infrastructure, restructurings and workouts, government procurement, antitrust and compliance. With 19 partners, three of counsel and more than 35 associates, it is one of the largest groups of corporate finance experts in the Mexican market. This group has been working together for more than 35 years and has a well-earned reputation for providing high-quality, sophisticated legal advice. It is also the only Mexican law firm with an office in London. NHG enjoys excellent working relationships with law firms in all major cities around the world.

Mexican Data Protection Regulations (DPRs)

In Mexico, personal data protection is regulated by the highest hierarchy in its legal system. The Federal Mexican Constitution (Constitución Política de los Estados Unidos Mexicanos) grants and recognises the protection of personal data as a human right.

In order to regulate this human right, Mexico’s legal framework divides the regulation into the private and public sector.

The Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), its Regulation (Reglamento) and other secondary provisions (jointly, the Private Data Protection Regulations (Private DPRs)), serve as the tools to protect this right and feature as the core of Mexican personal data protection in the private sector.

On the other hand, data privacy for public entities is regulated by the General Law for the Protection of Personal Data Held by Obligated Parties (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) and several other provisions (jointly, the Public DPRs; the Private DPRs and the Public DPRs together, the Mexican DPRs).

The Mexican DPRs were prepared based on and include the principles of data protection set forth in the EU Data Protection Directive (the “EU Directive”). Mexico has not adopted the new regulation set forth in the General Data Protection Regulation (GDPR). As of this date, there is no public information on any proposed bill to amend the Mexican DPRs regarding enforcing the GDPR or any other multi-national systems. The Mexican DPRs do not have strict risk assessment obligations and risk mitigation measures compared to other national systems. Additionally, the Mexican DPRs do not explicitly address the challenges posed by emerging technologies such as AI, blockchain and big data analytics, which are already subject to specific regulations in other countries.

Mexico has a total of 33 authorities dedicated in part to data protection. Currently, the National Institute for Transparency, Access to Information and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) is the sole authority responsible for enforcing the Mexican DPRs throughout the country. As part of its surveillance responsibility, it has the authority to conduct audits and investigations on its own initiative or at the request of an interested third party.

However, Mexico’s federal regulatory landscape is expected to undergo significant transformation in the coming months, driven by the transition to a new federal administration. This transformation follows the publication of an amendment to the Federal Mexican Constitution on 20 December 2024. The primary objective of this amendment is to abolish certain governmental agencies, including the INAI.

In response to this amendment, the Mexican Congress will comprehensively overhaul all secondary legal provisions currently governing the affected agencies. This process involves not only the dissolution of these agencies but also the establishment of new regulatory bodies to assume their roles and responsibilities. Currently, it remains unclear which government agency will ultimately inherit the powers and duties previously held by the INAI. The proposal suggests that responsibilities related to the private sector could be transferred to the Ministry of Anti-Corruption and Good Governance.

Furthermore, local congresses will need to adjust their legislative frameworks to align with the amendment. The impact of these changes on local governmental entities and their respective authorities will depend significantly on the specific regulatory provisions implemented. The effects could range from minor procedural adjustments to substantial reforms in how local authorities manage their operations and engage with constituents.

Despite these changes, there is no indication of amendments to the Mexican DPRs as a result of the replacement of the INAI.

Under the DPRs, currently the INAI may initiate the following procedures.

  • The ARCO Rights protection procedure can be initiated by the data subjects before the INAI, in which the data subjects can claim that the data controller has violated their rights of access, rectification, cancellation or opposition (the “ARCO Rights”).
  • The verification procedure can be initiated by the INAI ex officio or at the request of a third party, with the purpose of obtaining the appropriate information to verify any violation of the DPRs.

If the INAI determines that the DPRs have been breached, it will commence the procedure for imposing sanctions.

The DPRs provide the following penalties:

  • a warning notice, exclusively applied when the data controller fails to comply with a request to exercise a data subject right; or
  • a fine, which varies depending on the infraction of the DPRs.

Fines range from 100 to 320,000 times the daily minimum wage or the Unit of Measurement and Update (UMA). In 2024, each UMA was valued at MXN108.57 (approximately USD5.43). Depending on the circumstances, higher fines are imposed in cases involving sensitive personal data and data breaches.

The DPRs also include the following criminal offences:

  • security violations committed by authorised personnel for profit are punished with three months to three years in prison; and
  • data processing offences related to deceit, taking advantage of the data subject’s or authorised personnel’s error to profit inappropriately, are penalised with six months to five years in prison.

If the infraction or conduct involves sensitive personal data, the fines are doubled.

For Public DPRs, there is only the verification procedure. This procedure may be initiated by the INAI ex officio or at the request of a third party to verify a violation of the Public DPRs. Furthermore, each state has its own legislation on the subject. Considering the corresponding authorities closely resemble the INAI, procedures should be similar to those listed above. Nevertheless, it is essential to review the applicable provisions in each case.

In cases of violations relating to the processing of sensitive personal data, the Public DPRs provide no specific penalty for their violation. As such, the focus is directed towards the relevant authorities and their respective legislation. Therefore, each case must be analysed on an individual basis.

The INAI has certain processes at its disposal that can be initiated to supervise compliance with the Mexican DPRs. The regulator may initiate inspection visits or verification proceedings at any moment in response to any alleged violation of the Mexican DPRs, which may arise from a complaint by a data subject or from its own investigation. Other authorities can initiate the verification proceedings detailed in the Public DPRs and any other DPRs regulated in their corresponding state law.

During enforcement procedures, data controllers have the burden of proof. Individuals and entities subject to the Mexican DPRs are responsible for providing evidence that supports all their claims, arguments and defences regarding their compliance. Therefore, data controllers must maintain appropriate security and record-keeping practices.

Since privacy and data protection violations are reviewed and penalised specifically through administrative procedures, there is no civil recourse to enforce privacy or data protection under the Mexican DPRs. However, Mexican legislation allows data subjects to pursue compensation through civil courts by claiming damages and lost profits derived from the violation of the Mexican law.

In 2023, the INAI reported imposing fines totalling nearly MXN47 million on individuals and entities that violated the DPRs. Among the most heavily sanctioned sectors were financial and insurance services, which faced penalties amounting to nearly MXN22 million.

There is no public information on fines imposed during 2024. This lack of reporting may be attributed, in part, to a significant budget reduction in 2024, which adversely affected the INAI’s ability to exercise its sanctioning powers effectively.

In the past few years, Mexico has been addressing the challenges and opportunities posed by AI. While the country lacks AI-specific legislation, several initiatives and frameworks have been introduced to regulate AI’s development and application, particularly in the context of data protection.

The Mexican DPRs do not specify AI-related obligations; however, the obligations they regulate are broad and applicable to AI activities. This creates a framework that, while not explicitly tailored to AI, can be applied to certain aspects of AI-related operations.

In the last four years, more than 50 legislative initiatives, ranging from constitutional reforms to proposals for specific laws related to AI, have been introduced. However, none have progressed.

The most recent initiative was presented on 13 December 2024 by Senator Juanita Guerra Mena. This initiative proposes to issue the National Law Regulating the Use of Artificial Intelligence (AI). The initiative aims to define AI, establish a national policy for its use, outline guiding principles such as privacy by design and transparency, and create both a National Centre for Artificial Intelligence and a National AI System to co-ordinate efforts among public, private and academic sectors. The proposal remains pending before the Senate committees for further review.

Furthermore, the Plenary of the Transparency, Access to Public Information, Personal Data Protection, and Accountability Institute of Mexico City issued an initiative entitled the “Law for the Use of Artificial Intelligence (AI) and the Processing of Personal Data by Obligated Entities in Mexico City”. This initiative aims to establish principles, rules and procedures to ensure the protection of personal data in the development and use of AI systems. The proposed law incorporates international approaches from organisations such as the OECD and the European Union’s AI Act, addressing key issues like cybersecurity, transparency, risk management and algorithmic audits in the use of AI. It also includes measures and sanctions for those misusing personal data, ensuring the protection of fundamental rights in compliance with the Mexican DPRs. Although the initiative is limited to the local level, it represents a significant step in Mexico’s legal framework to safeguard personal data in the digital age and in the use of AI systems. The initiative is pending review before the Congress of Mexico City.

In Mexico, AI regulation is in its early stages, with no specific legislation addressing the unique challenges posed by AI technologies. However, the DPRs indirectly apply to AI activities. These impose broad obligations that govern the collection, processing, storage and transfer of personal data, including sensitive personal data, which are relevant to AI systems that handle such data.

Data controllers (responsables), data subjects (titulares), personal data (datos personales) and data processing (tratamiento) are key concepts under the Mexican DPRs. These concepts are critical when considering the regulation of AI, as the processing of personal data is central to AI systems, which may collect, analyse or store large amounts of data.

Mexican DPRs have a heavy emphasis on regulating data controllers and their actions. Accordingly, data controllers are bound by the principles of lawfulness, loyalty, information, consent, quality, purpose, proportionality and responsibility. Compliance with these principles ensures that data controllers collect and process personal data properly and implement the necessary measures to protect such personal data. These principles apply to AI systems as they ensure that any data collected or processed by AI systems is carried out legally, transparently and with the consent of the data subject.

In Mexico, it is not common to initiate private litigation related to data privacy conflicts. Instead, disputes concerning violations of personal data protection are typically resolved through the procedures established before the INAI, as outlined in 1.3 Enforcement Proceedings and Fines.

In Mexico, there is no significant or public recent or ongoing litigation related to data privacy under the framework of personal data protection laws. Unlike jurisdictions with a strong tradition of case law, such as the European Union and its CJEU jurisprudence concerning Articles 82 and 83 of the GDPR, Mexico primarily relies on administrative procedures handled by the INAI. For further reference to the fines imposed by the INAI as a result of these procedures, please refer to section 1.4 Data Protection Fines in Practice.

In Mexico, there are no collective redress mechanisms specifically provided for under the Mexican DPRs. Collective redress mechanisms are available in Mexico for civil regulations and consumer protection laws.

Mexico does not have specific regulations governing IoT services as seen in other countries. Instead, the use of IoT services, as well as the rights and obligations of data subjects and data processing services, are regulated under the general framework of the Mexican DPRs. Consequently, IoT-related activities must adhere to the principles established in these regulations and data subjects can exercise their ARCO Rights as described in 1.3 Enforcement Proceedings and Fines.

In Mexico, data regulation and data protection are both governed by the Mexican DPRs. The interplay between regulation and protection is evident in several key aspects. Data controllers must implement comprehensive privacy policies, obtain informed consent before processing data, and ensure transparency in their practices. Specific obligations include securing personal data through physical, technical and administrative measures, and providing data subjects with mechanisms to exercise their ARCO Rights.

Processing of data (including by IoT services) must comply with the following obligations.

  • Obtain consent: collect and process personal data only after obtaining the data subject’s consent (the type of consent will depend on the type of data to be processed), except in cases where exceptions apply.
  • Provide a privacy notice: deliver a privacy notice that includes, among others, the purposes of data processing, transfers to be carried out, types of data collected, and rights of the data subjects.
  • Data quality: ensure that the personal data collected is accurate, relevant and up to date for its intended purposes.
  • Data security: implement appropriate technical, physical and administrative measures to protect personal data from unauthorised access, loss or damage.
  • Guarantee ARCO Rights: allow data subjects to exercise their ARCO Rights and provide mechanisms and procedures that comply with the Mexican DPRs for their exercise.
  • Retention period: store personal data only for the duration necessary to fulfil the purposes stated in the privacy notice.
  • Internal procedures: establish internal policies, procedures and training to ensure compliance with the Mexican DPRs, including the appointment of a Data Protection Officer.
  • Data breach notification: notify data subjects in compliance with the requirements set forth in the Mexican DPRs if the data controllers are subject to a data breach.
  • Third-party compliance: verify that any third-party data processor or recipient of personal data adheres to the Mexican DPRs and aligns with the terms of the controller’s privacy notice.

Currently, as described in 1.2 Regulators, the INAI is the authority responsible for enforcing data regulation in Mexico. However, the amendment to the Federal Mexican Constitution will lead to the dissolution of the INAI as a government agency. Consequently, the Mexican Congress, through upcoming amendments to secondary provisions, will create new regulatory entities that will assume the responsibilities previously held by the INAI. 

In Mexico, cookies are defined in the Mexican DPRs as a data file stored on the hard drive of a user’s computer or electronic communication device when browsing a specific website, which enables the exchange of state information between the site and the user’s browser. The state information may reveal session identifiers, authentication or user preferences, as well as any data stored by the browser regarding the website.

The DPRs oblige data controllers to inform data subjects when using remote or local electronic, optical or other technologies that automatically and simultaneously collect personal data upon interaction, such as cookies. This notification must be provided at the moment of contact through a visible communication or warning, detailing the use of such technologies, the data collected and how the cookies can be disabled.

Pursuant to the DPRs, if the data controller processes personal data for purposes that are not necessary for, or do not give rise to, the legal relationship between the data controller and the data subject, these will be considered secondary purposes (marketing communications, spam email, advertising, calls, texts, commercial prospecting, among others).

The data subject has the right to deny or revoke their consent, as well as to oppose the processing of their personal data when the processing is for secondary purposes. These secondary purposes will have to be included in the privacy notice as well as the means by which the data subject may exercise the right to deny, revoke and oppose the processing for such purposes.

In the context of personalised advertising, the collection of sensitive and non-sensitive data for profiling is permissible only when data subjects are properly informed about the nature of the data processing and when consent is obtained. This is done through privacy notices, which must clearly explain the purpose of data collection and processing, including advertising purposes.

Workplace Privacy

Mexican DPRs apply to the data that is processed by the employer the same as any other data controller. This implies that the employer must comply with all the corresponding requirements and obligations of the Mexican DPRs when processing the personal data of their employees.

Communications Monitoring

In general, surveillance and supervision in work environments must always be proportional and adequate to the situation at hand. Although communication tools, such as corporate e-mails or mobile phones, are considered work instruments, privacy remains a crucial issue. Therefore, clear and precise procedures must be established, which must be communicated to employees in advance in compliance with Mexican DPRs.

Whistle-Blower and Anonymous Reporting

Internal complaint systems must always comply with the Mexican DPRs and their principles. However, given the nature of the relationship between employer and employee, the fulfilment of the employer’s obligations as data controller acquires new elements; for example, the principle of proportionality requires that data processing and complaints focus exclusively on the employment relationship. Additionally, acting in a manner that protects the reporter’s interests is essential to uphold the principle of loyalty.

Labour Unions

Labour unions must follow the same principles provided in the DPRs and must ensure the protection of their members’ information.

In Mexico, data processing during asset deals is subject to the obligations set forth in the DPRs. When personal data is processed or transferred as part of an asset deal, specific measures must be implemented to ensure compliance with the DPRs.

Typically, in asset deals the parties perform a due diligence process to identify any personal data that will be transferred and processed during the deal and verify if the parties are complying with their data privacy obligations to ensure security. In this regard, companies should map the personal data being transferred to determine its type, source, and purpose of processing to identify any potential risks or compliance issues that must be addressed during the asset transaction.

The parties must have the consent of the data subjects to use and transfer their personal data for purposes of the asset deals and must have provided their privacy notice to the data subjects.

If the asset deal involves the transfer of personal data between different entities, it is a common practice to execute a data processing agreement between the buyer and seller to regulate the responsibilities, security measures and other relevant obligations concerning data processing. This agreement should clarify the purposes of processing, data retention periods and security requirements.

After an asset deal, the buyer must integrate the personal data from the seller’s systems, ensuring compliance with Mexican DPRs, especially regarding data security and the rights of data subjects. Data subjects maintain their ARCO Rights, and the buyer must ensure they can exercise these rights. Both parties are responsible for implementing adequate security measures, such as encryption and secure data transfer protocols, and must have procedures in place to address data breaches, notify affected individuals and report to the relevant authorities.

Restrictions on International Data Issues

The Mexican DPRs permit data transfers abroad, subject to compliance with the information and the consent requirements in the Mexican DPRs. However, it is stated that general requirements apply, even in international data transfers. Mexican DPRs also require international data transfer receivers to assume the same obligations and responsibilities as the original controller.

Mechanisms or Derogations That Apply to International Data Transfers

Mexican DPRs allow data controllers to use any legal instruments to fulfil their obligations. Contract clauses are the first and only tools named explicitly in the Mexican DPRs that data controllers may rely on to meet their obligations when performing international data transfers. As a general rule, these clauses must provide at least that:

  • the data receiver must agree to submit to the same obligations as the original data controller; and
  • the data receiver must agree and acknowledge the authorisations granted by the data subject in the privacy notice.

The data controller can also request the INAI’s opinion regarding international data transfers. If deemed necessary, the data controller may submit a request to determine whether the data transfer complies with the Mexican DPRs.

Government Notifications and Approvals

There are no government notifications or approvals required to transfer data internationally. The data controller will have to include the transfers of personal data in the privacy notice in order to inform the data subject.

Data Localisation Requirements

There are no specific data localisation requirements, nor do the Mexican DPRs contemplate the need to store personal data in-country. Therefore, it is possible to transfer data internationally; however, data controllers are still required to implement measures to safeguard the data and comply with the requirements for the transfer of personal data established in the DPRs, such as the provision of the privacy notice to the data receiver.

Sharing Technical Details

According to the Public DPRs, governmental authorities must conduct a privacy impact assessment in certain cases and submit it to the relevant data protection authority.

Limitations and Considerations

There are no specific requirements for foreign government data requests. Therefore, it is possible to transfer data internationally; however, data controllers are still required to comply with the requirements for the transfer of personal data established in the DPRs.

In Mexico, other than the sovereignty of the nation and the provisions set forth in the constitution, there are no specific “blocking” statutes.

The most significant recent development is the administrative change involving the dissolution of the INAI, with its functions being transferred to another authority. Other than the foregoing, there have been no recent reforms or proposed regulations to further tighten the rules on the international transfer of personal data. With the new administrative changes described in 1.2 Regulators, it remains to be seen whether any new regulations will be introduced to address this matter more rigorously.

Nader Hayaux & Goebel

Torre Arcos
Paseo de los Tamarindos
400 B, 7th Floor
Col Bosques de las Lomas
05120
Mexico

+52 55 4170 3000

+52 55 4170 3099

info@nhg.com.mx www.nhg.com.mx