Unlike other jurisdictions in Latin America, Mexico has no general laws that impose limitations on the entrusting of certain processes or data to the cloud, although certain regulations – such as the IFT’s Collaboration with Justice Guidelines – require telecommunications licensees to store in Mexico the information necessary to respond to information warrants from Mexican courts or crime prosecution agencies.

Moreover, article 19.12 of the United States-Mexico-Canada Agreement (the USMCA) establishes that "No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory." Like other international treaties signed by Mexico, the USMCA has a legal hierarchy right below the Mexican Constitution and above domestic laws approved by the Mexican Congress. 

In addition, Mexico is the second largest cloud and data centre market in Latin America after Brazil, and several domestic and foreign companies now offer cloud computing services through a combination of domestic and international data centres that offer low latency and redundancy. 

Article 52 of Mexico’s Data Protection Regulations (the Regulations) requires that, when using cloud services, private individuals or organisations who decide the treatment of personal data (a Responsible Party) must ensure that their cloud service provider meets at least the following requirements:

• complies with privacy policies that are consistent with the privacy obligations under Mexico’s Data Protection Law (the Law) and the Regulations;
• makes transparent any subcontracting that involves the use of the information for which the cloud services are provided;
• abstains from including service conditions whereby the cloud service provider may or will acquire title to the information for which the service is provided;
• maintains the confidentiality of the personal data for which it provides cloud services;
• discloses changes to its privacy policies and to its service terms and conditions;
• allows a Responsible Party to limit personal data processing;
• establishes and maintains security measures for the protection of personal data for which it provides cloud services;
• guarantees the deletion of personal data once it ceases to provide services to a Responsible Party, and such Responsible Party is able to recover such personal data;
• blocks personal data access by persons who do not have privileged access, and informs the Responsible Party of any information requests from competent authorities; and
• does not obligate the Responsible Party to accept service terms and conditions that do not guarantee the due protection of personal data.

The cited article of the Regulations defines “cloud computing” as the external supply of on-demand computer services that implicate the provision of infrastructure, platforms or software that are distributed through a flexible mode and virtualisation processes with dynamically shared resources.

Article 52 of the Regulations further states that Mexican regulatory agencies shall issue governing criteria for the processing of personal data through cloud computing, within the scope of their jurisdiction and with the collaboration of Mexico’s National Institute for Information Access (INAI).

In July 2019, INAI issued its Minimum Standards for the Contracting of Cloud Computing Services that Involve the Processing of Personal Data (the Standards).

The Standards are not mandatory on cloud computing service providers, and only offer general recommendations to users who seek the safeguarding of their personal data.

The Standards’ main recommendations to cloud service users include the following:

• before executing a cloud services contract, users should:
1. identify the data, processes or functions that will participate in the cloud computing service;
2. identify the data provisioning model to guarantee the processing of personal data in the cloud computing service;
3. verify security policies and measures for the use of cloud computing services; and
4. evaluate all aspects of the service, as well as the terms and conditions of the cloud computing service to be contracted;
• reputation – users should verify the supplier’s level of compliance and the quality of its services and safety measures, and whether the supplier has been subject to complaints or investigations from personal data authorities around the world;
• users should check the supplier’s name or business name and means of contact for customer services (e-mail, phone, automated systems, etc), depending on the geographical area (regional offices, local offices, etc);
• users should check the governing law and location for the processing and storage of personal data, identifying certifications that are enforceable on the supplier and the governing law of the contract, as well as the location of systems for the processing and storage of personal databases and, where appropriate, the corresponding service’s regional office;
• clients should verify that the contract includes clauses that prevent the supplier and its subcontractors from claiming ownership of the information provided by the client, at any time, and clauses, policies or automated systems that:
1. guarantee that the supplier uses the information only for the purposes set forth in the terms and conditions of the cloud computing service;
2. restrict and limit the supplier from disclosing or modifying the processing of personal data or the information generated by the client;
3. keep the client informed as to who shall have access to its personal data and for what purpose;
4. guarantee that the client may access, modify or remove its personal data at any time;
5. notify the client in case of any changes or updates in the provision of the cloud computing service, as well as in case of any incident that causes a service interruption;
6. inform the client of any violation of safety measures for the processing of his personal data; and
7. provide compensation in case of failure or service interruption, or due to a violation of safety measures for the processing of the client’s personal data;
• principle of transparency – the supplier shall guarantee transparency in the following elements:
1. control over the people or companies subcontracted by suppliers for cloud computing services;
2. the mechanisms implemented to guarantee the processing of personal data by outsourced third parties;
3. clients’ requests to access, rectify or cancel their personal data or to oppose the use of it (ARCO Rights); and
4. the removal of personal data through mechanisms of safe deletion from the cloud, which prevents the recovery of personal data by an unauthorised third party;
• safety measures – the client shall select suppliers that have clauses, policies or automated systems that:
1. guarantee the processing of personal data in safe systems, whether they belong to the supplier and/or outsourced third parties;
2. guarantee the availability, integrity and isolation of the client’s personal data from the information of other clients;
3. guarantee the client’s administration, control and access over the processing of its personal data in the cloud computing services;
4. make suppliers subject to audits by third certified parties for their compliance to applicable regulations; and
5. make suppliers subject to certification;
• risk evaluation – clients shall be aware of the following risks when suppliers process personal data:
1. lack of control over the personal data life cycle in the cloud;
2. absence of transparency with outsourced third parties;
3. lack of automated systems or support mechanisms when processing personal data in the cloud;
4. inappropriate use of shared resources, and the absence of isolation of the client’s personal data in the cloud;
5. lack of portability or interoperability of the client’s personal data; and
6. misunderstandings of the process of personal data when the information is used by unauthorised third parties or multi-stakeholders, or for advertising purposes, without the client’s authorisation.
• return and removal of personal data – the client shall avoid contracting with suppliers that do not offer clauses, policies or mechanisms that offer and guarantee the retrieval of personal data when the service ends;
• interoperability and portability – the client shall verify the supplier’s terms and conditions for the interoperability and portability of his personal data; and
• adhesion contracts – the client shall prefer suppliers that allow contract negotiation in order to tailor the contract to the client’s service requirements.

Specific Industries with Greater Regulation

Some regulated industries, like fintech and telecommunications, may be subject to additional data regulations but such additional regulations do not extend to cloud services specifically.

The Processing of Personal Data in the Context of the Cloud

According to the Software Business Alliance’s latest Global Cloud Computing Scorecard (2018), Mexico advanced two places in its readiness to adopt cloud computing and ranks 13th out of 134 countries.

Nonetheless, certain specific issues undermine the adoption of cloud computing in Mexico, including:

• low coverage and penetration of broadband services;
• domestic and international cases relating to misuse of personal data in the cloud, such as the Cambridge Analytica case and the sale of Mexico’s voter registry;
• distrust over information processing (big brother syndrome);
• lack of regulation specifically applicable to cloud services;
• security breaches;
• the quality of suppliers' customer care;
• a shortage of trained personnel who know how to administer cloud services; and
• the possibility of security breaches and the exposure of sensible data, as well as a lack of legal and technical recourse.

The main legal challenges to launching or using blockchain technology in Mexico concern the following:

• the mechanisms that Mexican authorities and businesses use to process or exchange data are based on symmetric or asymmetric cryptography, and replacing such cryptography methods may represent additional costs for Mexican authorities and companies alike. Therefore, there is currently no incentive for Mexican businesses or authorities to adopt or introduce blockchain technology in their business models;
• the need for potential users to use electronic signatures or certifications provided by the Mexican Tax Administration Service (SAT) and/or third parties authorised by the Mexican Ministry of Economy or Mexico’s Central Bank;
• the uncertainty as to the validity Mexican courts and administrative authorities will assign to documents generated through blockchain, even though contracting through electronic means is recognised by Mexican law;
• the legal requirement that certain relevant transactions are formalised before Mexican notaries and registered before Mexican public registries; and
• the need for potential users to adjust their ordinary operations to the requirements this technology may present, even if such requirements are not significant.

On 9 May 2018, the Mexican Government enacted Mexico’s Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera), which promotes the use of new technologies such as blockchain, although it is not explicitly named.

Mexico’s Fintech Law recognises Technology Financial Institutions (ITFs), which are subject to licensing from Mexico’s Securities and Banking Commission (CNBV).

Under Mexico’s Fintech Law, ITFs can mainly exercise three types of activities:

• electronic payments;
• crowd funding; and
• operations with virtual assets or cryptocurrencies (cryptocurrencies are usually based on blockchain technology).

The Fintech Law also includes a category named “innovative models”, which applies to new financial applications that must be tested in a “sandbox” before they are finally approved by the CNBV; innovative models are also subject to licensing, which is granted for a maximum of two years.

Since Mexican law gives fintech companies the opportunity to adopt technological alternatives in all of their operations, innovative models may constitute a gateway for the adoption of blockchain technology in the Mexican financial ecosystem, especially in areas such as data transfer and processing, smart contracts, e-signatures, etc.

Prior to the enactment of the Fintech Law, there were companies that already operated non-regulated fintech models that were later subject to licensing. The Fintech Law gave such companies 12 months to file for an ITF licence or otherwise refrain from continuing to provide their services.

This 12-month period came into effect on 25 September 2018, after the CNBV published its General Provisions applicable to the operation of ITFs under the Fintech Law.

In addition, on 8 March 2019, Mexico’s Central Bank issued its resolution number 4/2019, which referred to the risks associated with operations with virtual assets (cryptocurrencies) and imposed additional requirements on their operation.

All of the above could be responsible for the fact that only a few ITF licence applications have been filed; according to the CNBV, only 85 ITF licence applications were presented, 60 of which referred to crowdfunding licences and 25 to electronic payments.

Notwithstanding the above, in 2019 Mexico’s Central Bank launched a technological platform called Digital Collection (or CoDi), which uses QR Codes and NFC technology to carry out electronic payments and digital collections in real time for face-to-face and online sales, thus evidencing Mexico’s Central Bank's interest in promoting the adoption of new technologies and the digitalisation of payments.

Also, Mexico’s Ministry of Finance and Tax Administration Service and Mexico’s Banks Association announced that, from 2020, payments made with credit or debit cards will allow the automatic issuance of a tax invoice using the card holder’s tax number, which will be recorded in the card’s chip, whereas payment terminals will have real-time communication with Mexico’s Tax Administration Service for the validation of tax information and records prior to the issuance of such invoice.

Risk and Liability

Risk and liability challenges relate mainly to possible sanctions and hefty fines from Mexican regulators for violations of Mexico’s Fintech Law and liability towards end users. However, there is no risk or liability for the use of blockchain technology per se.

Intellectual Property

There are no intellectual property rights or creative commons specifically applicable to blockchain technologies, so all rights and proceedings related to blockchain technologies are governed by ordinary proceedings, laws and regulations.

Data Privacy

Data privacy obligations would be the same as for other electronic and physical business activities, except for Article 52 of the Regulations and Article 73 of Mexico’s Fintech Law, which further protect information and documentation used by ITFs in the provision of their services.

As mentioned earlier, blockchain might be used by ITFs in order to secure sensitive data or any information related to their financial services.

In addition, chapter VI of the General Provisions for Mexico’s Fintech Law requires crowd funds to designate a Chief Information Security Officer and to adopt security information procedures.

Service Levels

There are no specific service levels applicable to blockchain.

Jurisdictional Issues

In the case of regulated industries, most services would have to be provided by a local and duly licensed company, and judgments or resolutions by competent authorities would be enforced locally.

Regarding foreign-based providers, Mexican courts and authorities would – in most cases – have no jurisdiction to enforce their decisions.

The biggest legal challenge relating to big data, machine learning and artificial intelligence is that there is no specific regulatory framework that easily allows the implementation of these technologies.

However, machine learning is currently used in the provision of financial services, data processing, compliance of standards, surveillance, fraud detection, product recommendations, trading, customer care and chatbots.

Mexico’s Telecommunication Regulator (Instituto Federal de Telecomunicaciones – IFT) has promoted the discussion of these topics over the last three years but no regulation exists at this time.

Therefore, except for article 52 of the Regulations and certain industry-specific regulations, any projects relating to big data, machine learning and artificial intelligence would be subject to the same liability and insurance, data protection, intellectual property, jurisdiction, and even fundamental rights as any regular project.

There are no particular restrictions that can affect the scope of a project with connected devices, as there is no regulation that currently applies to connected devices technology in particular.

In this case, the IFT would seek compliance with the regulations regarding homologation, interconnection, no spamming, no phishing, consumer protection, collaboration with justice, numbering, net neutrality, spectrum use and signalling that apply to all electronic communications, but would not make a distinction as to whether such communications take place between users and/or connected devices (P2P, M2P, P2M, M2M).

In addition, the IFT recently published its draft Network and Traffic Management Guidelines (the Guidelines) for public consultation, which shall apply to internet service providers (ISPs) once approved.

The Guidelines are intended to ensure net neutrality and that ISPs establish general network traffic policies that comply with the following requirements:

• to guarantee the quality and speed of internet access services contracted by the end user;
• to preserve the integrity and security of internet access networks, as well as end users’ private communications;
• to guarantee users’ freedom of choice to access any content, application or internet service, without the ISP limiting, degrading, restricting or discriminating access to them;
• to guarantee non-discriminatory treatment of end users, applications, content and/or service providers, similar types of traffic as well as own and third-party traffic on the network; and
• to foster commercial innovation.

On the other hand, the Guidelines will allow ISPs to supply Differentiated or Specialised Services.

The Guidelines define Differentiated Services as those in which ISPs give special treatment to content, apps or services accessed by end users.

In this case, the cost of data for access to a specific content, application or service is sponsored by a third interested party, provided that the end user has an active data balance in either its prepaid or post-paid services.

The IFT’s draft Guidelines also allow for the provision of Differentiated Services when the end user does not have an active data balance, provided that such Differentiated Services have the purpose of reducing the digital divide by way of public services or services that promote education, finance or work inclusion, or promote digital skills.

This last restriction would limit the business activities of transport, content, social network, communication and commerce app service providers who could be willing to sponsor data consumption for end users who do not have a data balance so they can still have access to a “soft version” of such apps, as is the case in certain Asian countries.

The IFT’s Guidelines are still not final, and Mexico’s TMT sector will likely push for the IFT to remove these restrictions for the benefit of both users and the TMT sector.

The Guidelines define Specialised Services as those that ISPs offer to app, content or service providers through the payment of a consideration, in order to provide specific or superior network resources to transmit and improve upload and download speeds or the users’ experience.

Specialised Services shall in no way affect the quality or speed of other traffic transmitted through a public telecommunications network, and ISPs shall in no case bill content, app or service providers for the transmission of their traffic under standard conditions.

Pursuant to the Guidelines, the ISPs that offer Specialised Services shall provide them on a non-discriminatory basis, and shall make them available to all providers of applications, content or services, under the same conditions of diversity, price and quality, including equivalent service levels and time for the resolution of failures. Furthermore, ISPs shall refrain from denying the provision of such services for unjustified reasons, entering into exclusivity agreements or performing conducts that have similar effects.

It is important to highlight that ISPs that distribute content, applications or services of their own through the use of specific resources of their networks shall make such resources available to providers of applications, content or any other internet-based service, and in no circumstance shall such Specialised Services require the providers of applications, content or any internet-based service to pay for the transmission of the traffic generated by their content, applications or services, under standard conditions.

Machine-to-machine communications will likely be the ones to make the most use of Specialised Services once the IFT publishes its final Guidelines. This will especially be the case for financial, gaming, security, healthcare, transportation or emergency apps and services. It is therefore reasonable to assume that banks, gaming platforms, child or elderly care companies or institutions will seek to contract these Specialised Services from ISPs.

The Guidelines further require ISPs to:

• file with the IFT a quarterly report that includes the name of the companies or individuals with whom they have entered into agreements for the provision of Differentiated Services (data consumption sponsorship), the service rate registered before the IFT and the term of such agreement(s), within the ten business days following the closing of each quarter;
• register with the IFT the commercial agreements (as amended) for Specialised Services that they enter into with third parties, within ten business days of their execution date; and
• publish in their web portals their policy code for traffic management (the Policy Code), which shall incorporate the principles under which the ISP shall carry out its traffic and network management.

The Policy Code shall also include:

• a clear description of the ISP's network monitoring techniques that will serve as a basis for the administration of traffic and the ISP’s network;
• recommendations to end users on how to reduce risks to the privacy of their communications and their network’s security;
• updated references to current legal and regulatory framework and, in its case, to international standards that support traffic and network management; and
• the last date on which the Policy Code was updated.

The IFT’s public consultation for its draft Network and Traffic Management Guidelines ended on 15 July 2020, and there is no specific date for the IFT to publish its final Network and Traffic Management Guidelines.

Mexico remains one of the most open economies in the world, having signed a total of 12 free trade agreements, including the North American Free Trade Agreement (NAFTA) and its successor, the USMCA, the Mexico-Japan Free Trade Agreement of 2004 and the Mexico-EU Free Trade Agreement of 2000, as well as 32 agreements for the reciprocal protection of investments and nine economic complementation agreements. Mexico's legal framework is quite open to IT entry.

Thus, Mexico has no provisions on IT price revisions nor restrictions on the importation of equipment (other than compliance with general technical norms and homologation), international data transfers or storage location, and it does not require a licence for the provision of IT or value-added services.

The USMCA includes specific provisions for financial services and digital trade that prohibit the signing parties from requiring the use or location of computing facilities in such party’s territory as a condition for conducting business in that territory.

Regarding financial services, Chapter 17 of the USMCA establishes that no party to the USMCA shall require another to use or locate computing facilities in the party’s territory as a condition for conducting business in that territory, so long as the party’s financial regulatory authorities – for regulatory and supervisory purposes – have immediate, direct, complete and ongoing access to information processed or stored on computing facilities located outside the party’s territory.

Chapter 17 further defines “computing facilities” as a computer server or storage device for the processing or storage of information for the conduct of business within the scope of the licence, authorisation or registration of a covered person, and defines “covered person” as:

• a financial institution of another party; or
• a cross-border financial service supplier of another party that is subject to regulation, supervision, licensing, authorisation or registration by a financial regulatory authority of the party.

Regarding digital trade, Chapter 19 of the USMCA states that no party shall require a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that territory.

Chapter 19 defines “computing facility” as a computer server or storage device for processing or storing information for commercial use, and defines “covered person” as:

• a covered investment as defined in Article 1.5 (General Definitions);
• an investor of a party as defined in Article 14.1 (Definitions); or
• a service supplier of a party as defined in Article 15.1 (Definitions).

In addition, Article 19.11 of the USMCA requires the USA, Mexico and Canada not to prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.

However, Article 19.11 does not prevent a party from adopting or maintaining a measure that is inconsistent with the above, as long as such measure is necessary to achieve a legitimate public policy objective and is not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade, and does not impose greater restrictions on transfers of information than are necessary to achieve the objective.

The USMCA became effective on 1 July 2020.

Core Rules Regarding Data Protection

Mexico has an “opt in” regime regarding the treatment of personal data, under which owners of personal data must consent to the treatment of their data through different available means, which may include a signature or a “click”.

Distinction Between Companies/Individuals

Unlike individuals, the law does not recognise companies as entities that can have title to personal data. Therefore, company data is protected by other laws, such as Industrial Property Law, Tax Law, etc.

General Processing of Data

General processing of data is not subject to specific regulation.

Processing of Personal Data

Responsible Parties that process (treat) personal data are obliged to safeguard and protect a person’s information, such as their name, address, e-mail, telephone number and any other data that serves to identify an individual.

Responsible Parties must publish a data privacy notice, which must be made available to those persons whose information is collected, along with any changes to such data privacy notice.

Individuals whose personal data is collected shall exercise their ARCO Rights.

Unless expressly authorised, a Responsible Party or a third party cannot use personal data to contact the user to offer or promote products or services.

There are no restrictions on monitoring and limiting employees' use of company computer resources, except for the content of private communications.

Technologies Falling within the Scope of Local Rules

Mexico’s Telecommunications and Broadcast Law (the Telecom Law) is technology-neutral, so there is no regulation that applies to a specific type of technology. The Telecom Law and its subsidiary regulations govern services, use of spectrum and licensing, but not technologies.

RFID tags

Radio frequency identification (RFID) tags are not specifically regulated, and tag readers normally operate in free spectrum frequency bands.

Voice-over-IP

Voice-over-IP has to be provided as a regular telephone service that is subject to numbering, interconnection and signalling regulations.

Instant message

There is no regulation for instant messaging services like WhatsApp, WeChat, Snapchat, etc.

Requirements Prior to Bringing a Product/Service to the Market

Mexico’s Telecom Law has a pro-convergence approach and therefore allows licensees to provide all telecommunications services that technology allows, without limiting the scope of such licence to a specific technology.

Both services and spectrum licences are granted by the IFT.

Service licences are issued through an administrative proceeding that may be filed at any time, whereas spectrum licences are granted through public auctions.

In the case of service licences or concessions, the IFT has 120 business days to rule over an application, and the processing cost for the study and issuance of such licence is approximately USD1,500.

All equipment that transmits signals through the airwaves and/or connects to a public telecommunications network has to be homologated, must not cause harmful interferences to other telecommunications systems and, when applicable, must comply with the applicable National Norm Certification.

Homologation is carried out before the IFT, which has 60 business days to rule over a homologation application. Homologation certificates can be either provisional (with a one-year validity) or permanent.

Homologation costs are approximately USD350 for a provisional certificate and USD130 for a permanent homologation certificate.

As mentioned earlier, the Telecom Law foresees the granting of universal service licences or single concessions for all kinds of services.

Thus, the licence to provide an audio-visual service such as pay TV would be the same as the licence for a fixed broadband or telephony service.

However, in the case of over-the-air TV and radio broadcast services, the Telecom Law foresees the granting of a spectrum licence that – in the case of commercial services – must be awarded through a public auction.

The proceeding and costs applicable to obtain a single or spectrum concession are the same as those mentioned in 8 Scope of Telecommunications Regime.

Online audio-visual services are not currently regulated, and no licence is required.

Mexico does not have a specific regulation or law on encryption requirements.

Nonetheless, article eight of Mexico’s Advanced Electronic Signature Law recognises that the use of such signature in a document or message guarantees that it can only be encrypted and decrypted by the signer and the receiver.

Also, the IFT’s Collaboration with Justice Guidelines state that concessionaires shall guarantee that their electronic platforms use encryption tools or digital signatures to maintain the confidentiality of metadata or real-time location information requested by competent authorities.

It is important to mention that, in recent years, most financial entities in Mexico, such as banks, have adopted encryption technologies as a security mechanism for financial operations and communications with their users.

On the other hand, Article 12.C.2 of Annex 12-C to the USMCA establishes that no party to the treaty shall require a manufacturer or supplier of ICT goods of another party, as a condition of the manufacture, sale, distribution, import or use of the good (in their territory), to:

• transfer or provide access to any proprietary information relating to cryptography, including by disclosing a particular technology or production process or other information. This can be related to the sharing restriction on a party or a person in the party’s territory of a private key, a secret parameter, or an algorithm specification of the ICT good;
• partner or otherwise co-operate with a person in its territory in the development, manufacture, sale, distribution, import or use of the ICT product; or
• use or integrate a particular cryptographic algorithm or cipher.

Annex 12-C sets out the following definitions:

• “cryptography” is the principles, means or methods for the transformation of data in order to conceal or disguise its content, prevent its undetected modification or prevent its unauthorised use, limited to the transformation of information using one or more secret parameters – for example, crypto variables, or associated key management; and
• “encryption” is the conversion of data (plaintext) through the use of a cryptographic algorithm into a form that cannot be easily understood without subsequent re-conversion (ciphertext) and the appropriate cryptographic key.

The provisions of Article 12.C.2 apply to ICT goods that use cryptography but do not apply to:

• law enforcement authorities requiring service suppliers using encryption they control to provide unencrypted communications pursuant to that party’s legal procedures, such as IFT’s Collaboration with Justice Guidelines;
• the regulation of financial instruments;
• a requirement that a party adopts or maintains access to networks, including user devices, that are owned or controlled by the government of that party, including those of central banks;
• a measure taken by a party pursuant to a supervisory, investigatory or examination authority relating to financial institutions or financial markets; or
• the manufacture, sale, distribution, import or use of the good by or for the government of the party.

Like most countries, Mexico has adopted emergency measures to contain the spread of COVID-19.

These measures were adopted at the end of March 2020 and most of them are still in force, albeit with limited results since Mexico has one of the lowest COVID-19 testing rates in the world, as well as a high mortality rate.

The Mexican government’s emergency measures include the suspension of non-essential activities such as schools, movie theatres, restaurants, bars, etc, whereas telecommunications, broadcast, financial, health, groceries and public safety services have been declared essential activities.

In addition, the Mexican Health Ministry has implemented an epidemiologic traffic light guide system that classifies health emergency levels into four colours: green, yellow, orange and red.

The colour for each Mexican state is updated on a weekly basis. At the time of writing, Mexico City and four other states were in red, 22 states were in orange, three states were in yellow and two states (Chiapas and Campeche in the Mexican south east) were in green.

It is likely that certain factories and activities in Mexico that relate to the US supply chain may resume as the United States starts coming out of the COVID-19 health emergency, especially considering the restructuring of supply chains from China.

Regarding COVID-19 vaccination, the Mexican government has published a national vaccination programme that seeks to vaccinate all persons aged 60 and over by the end of March 2021, and to continue with the rest of the population in accordance with age groups, until the end of 2021.

Although Mexico has secured one of the greatest numbers of contracts to get access to COVID-19 vaccines, the effectiveness of the federal government’s vaccination programme remains to be seen.