Article 52 of Mexico’s Data Protection Regulations (the 'Regulations') requires that when using cloud services, private individuals or organisations who decide over the treatment of personal data (a 'Responsible Party') must ensure that its cloud service provider at least complies with the following requirements:
The referred Article of the Regulations defines cloud computing as the external supply of on-demand computer services which implicate the provision of infrastructure, platforms or software that are distributed through a flexible mode through virtualisation processes and with dynamically shared resources.
Article 52 of the Regulations further states that Mexican regulatory agencies, within the scope of their jurisdiction and with the collaboration of Mexico’s National Institute for Information Access (or INAI), shall issue governing criteria for the processing of personal data through cloud computing.
Some regulated industries, such as telecommunications, may be subject to additional data regulations but such additional regulations do not extend to cloud services.
According to the Software Business Alliance’s Global Cloud Computing Scorecard 2018, Mexico advanced two places in its readiness to adopt cloud computing and it is now in thirteenth place out of 134 countries.
Nonetheless, certain specific issues undermine the adoption of cloud computing in Mexico, which include:
See 1.1 Laws and Regulations.
See 1.1 Laws and Regulations.
Risk and liability challenges mainly relate to possible sanctions from Mexican regulators for the provision of unlicensed services or violations to Mexico’s Fintech Law and liability before the users in case of shut down or, or financial impossibility to operate due to hefty sanctions.fines. .
The main legal challenge to launch or use blockchain technology in Mexico has to do with the lack of a regulatory environment that provides legal certainty to both suppliers and users and allows blockchain-based services and other technologies to prosper.
Nevertheless, the Mexican Government is starting to provide legal certainty in new technology areas like Fintech, where Mexico’s Congress enacted a Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) on May 9, 2018.
Mexico’s Fintech Law recognizes Technology Financial Institutions or ITFs, which are subject to licensing from Mexico’s Securities and Banking Commission or CNBV and which Technology Financial Institutions can mainly exercise three types of activities, which are: (i) Electronic Payments, (ii) Crowd funding, and (iii) Operations with Virtual Assets (which applies to crypto currencies).
This law also includes a category named “innovative models” which applies to new financial applications that must be tested in a “sandbox” before they are finally approved by the Mexican regulator; innovative models are also subject to licensing with licensing being granted for a maximum of two years.
On the other hand, Mexico’s Central Bank or BANXICO is currently working in the deployment of a technological platform called Digital Collection or “CoDi” which will use Near Field Communications Technology or QR Codes to carry out electronic payments and digital collections in real time for face-to-face and online sales.
At the time of writing, BANXICO was seeking to launch a QR sales program with Amazon using BANXICO’s CoDi platform.
Intellectual property challenges such as trademarks, copyrights and patents would be the same as for other electronic and physical business activities.
Data privacy obligations would be the same as for other electronic and physical business activities, except for Article 52 of the Regulations and Article 73 of Mexico’s Fintech Law, which further protects information and documentation used by ITFs in the provision of their services.
In addition, chapter VI of the General Provisions for Mexico’s Fintech Law requires crowd funds to designate a Chief Information Security Officer and the adoption of security information procedures.
There would be no specific service levels applicable, unless the service provided belongs to a regulated industry such as Fintech.
No later than March 29, 2019 Mexico’s Commission for the Defense of Users of Financial Services (CONDUSEF) shall issue its guidelines for transparency and sane practices of ITFs.
In the case of regulated industries, most services would have to be provided by a local and duly licensed company and judgments or resolutions by competent authorities would be enforced locally.
As it refers to foreign-based providers, Mexican courts and authorities would in most cases have no jurisdiction to enforce their decisions.
With regards to Mexican regulation on big data, machine learning and artificial intelligence, the greatest legal challenge that exists is that there is no specific regulatory framework that easily allows the implementation of these technologies.
Mexico’s Telecommunication Regulator (Instituto Federal de Telecomunicaciones or IFT) has promoted the discussion of these topics during the last two years but no regulation exists at this time.
Thus, except for Article 52 of the Regulations and certain industry-specific regulation, any projects relating to big data, machine learning and artificial intelligence would be subject to the same liability and insurance, data protection, intellectual property, jurisdiction and fundamental rights of any regular project.
See 3.1 Big Data.
See 3.1 Big Data.
When contemplating a project with connected devices, there are no particular restrictions that can affect the project’s scope, as there is no regulation that applies to connected devices or near field communications technology in particular, although laws and regulation for spectrum use would apply.
In this case, the IFT would seek compliance of homologation, technical norms (NOMs), interconnection, no spamming, no phishing, consumer protection, collaboration with justice, numbering, net neutrality, spectrum use and signalling regulations applicable to all electronic communications but would not make a distinction as to whether such communications take place between users and/or connected devices (P2P, M2P, P2M, M2M).
Unlike other countries in Latin America, Mexico has no local data storage location requirements nor does it have any price restrictions, so it can be said that IT services remain mostly unregulated.
No response provided.
Mexico has an 'opt in' regime with regards to the treatment of personal data in which owners of personal data must consent to the treatment of their data through different available means, which may include a signature or a 'click'.
Unlike individuals, the Law does not recognise companies as entities that can have title to their personal data.
Thus, company data is protected by other laws such as the Industrial Property Law, the Tax Law, etc.
General processing of data is not subject to a specific regulation.
Responsible Parties that process (treat) personal data are obliged to safeguard and protect a person’s information, such as: name, address, e-mail, telephone number and any other data that serves to identify an individual.
Responsible Parties must publish a data privacy notice which must be made available to those persons whose information is collected, along with any changes to such data privacy notice.
Individuals whose personal data is collected have the right to access, rectify or cancel their information or to oppose to the use of it (commonly known as 'ARCO Rights').
Unless expressly authorised, a Responsible Party or a third party cannot use personal data to contact the user and offer or promote products or services.
There are no restrictions on monitoring and limiting use by employees of company computer resources except for the content of private communications.
Mexico’s Telecommunications and Broadcast Law (the “Telecom Law”) is technology-neutral and, therefore, there is no regulation applicable to a specific type of technology.
Thus, the Telecom Law and its subsidiary regulations govern services, use of spectrum and licensing but not technologies.
RFID tags are not specifically regulated and tag readers normally operate in free spectrum frequency bands.
Voice-over-IP has to be provided as a regular telephone service that is subject to numbering, interconnection and signalling regulations.
There is no regulation for instant messaging, such as WhatsApp, Wechat, Snapchat, etc.
Mexico’s Telecom Law has a pro-convergence approach and, therefore, it allows licensees to provide all telecommunications services that technology allows without limiting the scope of such licence to a specific technology.
Both services and spectrum licences are granted by the IFT.
Service licences are issued through an administrative proceeding that may be filed at any time, whereas spectrum licences are granted through public auctions.
In the case of service licences or concessions, the IFT has 120 business days to rule over an application, and the processing cost for the study and issuance of such licence is approximately USD1,500.
Regarding equipment, all equipment that transmits signals through the airwaves and/or that connects to a public telecommunications network has to be homologated, and when applicable, a National Norm Certification.
Homologation is carried out before the IFT, which has 60 business days to rule over an homologation application. Homologation certificates can be either provisional (with a one-year validity) or permanent.
Homologation costs are approximately USD250 for a provisional certificate and USD125 for a permanent homologation certificate.
As mentioned earlier, the Telecom Law foresees the granting of universal service licences or single concessions for all kind of services.
Thus, the licence to provide an audiovisual service such as Pay TV would be the same one as for a fixed broadband or telephony service.
That said, in the case of over-the-air TV and radio broadcast services, the Telecom Law foresees the granting of a spectrum licence that, in the case of commercial services, must be awarded through a public auction.
The proceeding and cost applicable to obtain a single or spectrum concession is the same one as the one mentioned in the preceding section.
With regards to online audiovisual services, currently these are not regulated and no licence is required; although like in other jurisdictions, it is possible that online content and services be regulated and taxed at some point in the future.
No requirements exist for online video channels.
Regarding encryption requirements, Mexico does not have a regulation or law on this matter.
Nonetheless, Article 8 of Mexico’s Advanced Electronic Signature Law recognises that the use of such signature in a document or message guarantees that it can only be encrypted and decrypted by the signer and the receiver.
Also, the IFT’s Collaboration with Justice Guidelines state that concessionaires shall guarantee that their electronic platforms use encryption tools or digital signatures to keep the confidentiality of metadata or real-time location information requested by competent authorities.
On the other hand, it is important to mention that most financial entities in Mexico, such as banks, have adopted encryption technologies in recent years as a security mechanism for financial operations and communications with their users.
Additionally, there is a Mexican Official Norm (NOM-151-SCFI-2016) which states the requirements to be observed for the preservation of data messages and document scanning. This NOM includes a provision whereby the Mexican Minister of Economy shall maintain in the Ministry’s web portal a list of cryptographic algorithms to be used for NOM compliance.
See 10.1 Legal Requirements Governing the Use of Encryption.
Mexico’s telecommunications landscape suffered significant structural changes during the last administration derived from the 2013 Constitutional Reform on Telecommunications and Competition, the enactment of new telecommunications and competition laws and the reconfiguration of the decision-making bodies, with the creation of the Federal Institute of Telecommunications (Instituto Federal de Telecomunicaciones – IFT) and the Federal Commission of Economic Competition (COFECE) as constitutional autonomous entities.
López Obrador’s administration took office on 1 December 2018. The new administration will be tasked with further promoting the development of this sector, which requires, among other issues, reformulating the criteria to determine the amount of compensation payable due to the extension of spectrum licences; developing and implementing efficient policies and programmes to ensure universal broadband coverage; bringing telecommunication services to unserved or underserved urban and rural communities; as well as improving the current legal framework to enable telecommunication operators to use federal and State government buildings throughout the country to deploy telecommunications and broadcasting infrastructure.
On analysis, the most important trends and developments for the telecommunications sector during 2019 are as follows.
Red Troncal (Backbone Network)
The 'Red Troncal' (backbone network) is one of the two major telecommunications projects stemming from the 2013 Constitutional Reform in the telecommunications sector. This project is organised and coordinated by Telecomunicaciones de Mexico, which is a government entity holding a long-term indefeasible right of use over four strands of dark fibre optics that are property of the government-owned power utility company, two of which will be contributed to a public-private partnership (PPP) to develop the nationwide Red Troncal project. The PPP agreement will be awarded through an international public bid.
This project is considered by sector specialists as the most important connectivity project and is in line with the country’s current connectivity needs and policy. The awardee of the project will have the obligation to connect at least 80% of the population, will complement existing telecommunications infrastructure and will open the door to telecommunications operators whose presence is only circumscribed to a part of the Mexican territory.
Due to the increasing demand of bandwidth, which is necessary to deploy new technologies and to provide better telecommunications services, the markets are eager about fibre optics. In particular, the Mexican fibre optics market has grown exponentially over the last couple of years, during which we have seen ambitious projects building and developing fibre optics rings in strategic cities supported by telecommunications operators. It is estimated that these kinds of projects will be replicated across the territory in the coming years, thus the importance of a backbone network functioning as a natural link between these projects.
The first coverage milestone of the Red Compartida was attained in March 2018.
Compliance with the second milestone will be closely followed during 2019; in accordance with the agreed coverage commitments, Altán, in charge of deploying Red Compartida, will have to meet a coverage commitment of 50% of the country’s population by 24 January 2020.
The deployment of telecommunications infrastructure in Mexico faces critical constraints, mainly derived from cumbersome procedures to obtain local permits that are not harmonised within municipalities (there are 2,458 municipalities in Mexico).
As an effort to address such problems, last year the Ministry of Communications and Transportation (Secretaría de Comunicaciones y Transportes) worked with the industry in a project to standardise permit procedures and fees across municipalities. Hidalgo was the first state to adopt the model of permit procedures proposed by the Ministry to simplify the authorisation process for the deployment of telecommunications infrastructure.
On the other hand, during the last quarter of 2018, the Energy Regulatory Commission (Comisión Reguladora de Energía) issued the general administrative provisions to allow access to operators and other entities providing telecommunication infrastructure to the facilities and rights of way of the National Electricity System, which is aimed to provide legal certainty to operators by setting forth the technical, administrative and economic conditions of access to 11 million poles under the “first come, first served” rule. During 2019, we will see the first agreements between telecommunications entities and the government-owned power utility company under these provisions.
Finally, last year the IFT initiated two investigations to determine the possible existence of barriers to entry that could generate anti-competitive effects in the telecommunications market in the State of Mexico and Guanajuato, respectively. As a result, the procedures to obtain permits in these jurisdictions will be thoroughly analysed during 2019. It is not certain if a resolution in these proceedings will be issued during 2019, as the IFT has the authority to extend the investigations until 2020.
Taxes and Government Fees
Telecommunications services in Mexico are currently subject to a 3% excise tax, a collection policy considered by many as contrary to the spirit of the 2013 Constitutional Reform and a deterrent to attain connectivity goals. In addition to that, telecommunications operators have to pay annual government fees for the use of spectrum, and such fees vary considerably depending of the allocated frequency band and served territory. The criteria upon which such variation is based was constitutionally challenged by a major mobile operator, and a resolution determining whether such payment is or is not in accordance with constitutional principles is expected this year.
In line with the industry’s requests, during the 2018 presidential campaign members of López Obrador’s advisory team mentioned in several fora that the collection of excise taxes imposed on telecommunications services, and fees applicable to spectrum use, would be thoroughly reviewed by the new administration.
Spectrum Auctions for 5G Technology
Consistent with the global trend in spectrum allocation for the deployment of 5G technology, the 2019 Annual Programme of Use and Exploitation of Frequency Bands (Programa Anual de Uso y Aprovechamiento de Bandas de Frecuencias 2019), issued by the IFT, considers at least the following three spectrum auctions during 2019:
Review of Asymmetric Measures Imposed on Preponderant Economic Agents
The 2013 Constitutional Reform mandated the IFT to review the telecommunications and broadcasting sectors in order to determine if the conditions to declare a preponderant economic agent (AEP per its acronym in Spanish) in each sector were met. As a result of such review, in 2014 the IFT declared América Móvil as the AEP in the telecommunications sector and Group Televisa as the AEP in the broadcasting sector. Consequently, asymmetric measures were imposed on these two economic agents, in view of increasing competition and a level playing field in each of these sectors.
The second review of compliance with asymmetric measures by each AEP will take place this year. Should the IFT determine that América Móvil is compliant with the imposed measures, the restriction to provide Pay-TV services to this operator could be lifted. It is important to highlight that despite asymmetric measures imposed four years ago, the incumbent maintains a market share of more than 60% in the telecommunications sector.
In addition, this year the Mexican Supreme Court of Justice is expected to rule on an injunction filed by América Móvil with respect to its preponderant status. This ruling is of great importance, as it could be seen as a step back from the 2013 Constitutional Reform, as well as affecting the ongoing process of functional separation of Telmex ordered by the IFT in 2018.
During the first half of 2018, the draft of the Mexican Official Standard NOM-184-SCFI-2017 (the Consumer’s Protection NOM) aiming to update and supersede the prior standard on the obligations of telecommunications operators vis-à-vis consumers, was released for public consultation.
Contrary to the previous standard, the Consumer’s Protection NOM exempts telecommunications operators from using a pre-formulated standard contract when (i) they are part of an auction process for provision of services organised by a public entity; (ii) the client does not meet the 'consumer' definition of the Consumer’s Protection Law; and (iii) they are providing wholesale services. In addition, the Consumer’s Protection NOM allows operators to comply with their obligations towards consumers through digital means (operators are still required to provide a physical address for customer service).
On the other hand, certain provisions of the Consumer’s Protection NOM have been identified as inconsistent with the obligation to provide customers with unlocked handsets at the time of purchase set forth in the Federal Telecommunications and Broadcasting Law.
Although the draft Consumer’s Protection NOM does not have a specific issuance date, its publication is expected to take place during the first half of 2019.