Unlike other jurisdictions in Latin America, Mexico has no general laws that impose limitations on the entrusting of certain processes or data to the cloud, although certain regulations – such as the IFT’s Collaboration with Justice Guidelines – require telecommunications licensees to store in Mexico the information necessary to respond to information warrants from Mexican courts or crime prosecution agencies.
Moreover, article 19.12 of the United States-Mexico-Canada Agreement (the USMCA) establishes that "No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory." Like other international treaties signed by Mexico, the USMCA has a legal hierarchy right below the Mexican Constitution and above domestic laws approved by the Mexican Congress.
In addition, Mexico is the second largest cloud and data centre market in Latin America after Brazil, and several domestic and foreign companies now offer cloud computing services through a combination of domestic and international data centres that offer low latency and redundancy.
Article 52 of Mexico’s Data Protection Regulations (the Regulations) requires that, when using cloud services, private individuals or organisations who decide the treatment of personal data (a Responsible Party) must ensure that their cloud service provider meets at least the following requirements:
The cited article of the Regulations defines “cloud computing” as the external supply of on-demand computer services that implicate the provision of infrastructure, platforms or software that are distributed through a flexible mode and virtualisation processes with dynamically shared resources.
Article 52 of the Regulations further states that Mexican regulatory agencies shall issue governing criteria for the processing of personal data through cloud computing, within the scope of their jurisdiction and with the collaboration of Mexico’s National Institute for Information Access (INAI).
In July 2019, INAI issued its Minimum Standards for the Contracting of Cloud Computing Services that Involve the Processing of Personal Data (the Standards).
The Standards are not mandatory on cloud computing service providers, and only offer general recommendations to users who seek the safeguarding of their personal data.
The Standards’ main recommendations to cloud service users include the following:
Specific Industries with Greater Regulation
Some regulated industries, like fintech and telecommunications, may be subject to additional data regulations but such additional regulations do not extend to cloud services specifically.
The Processing of Personal Data in the Context of the Cloud
According to the Software Business Alliance’s latest Global Cloud Computing Scorecard (2018), Mexico advanced two places in its readiness to adopt cloud computing and ranks 13th out of 134 countries.
Nonetheless, certain specific issues undermine the adoption of cloud computing in Mexico, including:
The main legal challenges to launching or using blockchain technology in Mexico concern the following:
On 9 May 2018, the Mexican Government enacted Mexico’s Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera), which promotes the use of new technologies such as blockchain, although it is not explicitly named.
Mexico’s Fintech Law recognises Technology Financial Institutions (ITFs), which are subject to licensing from Mexico’s Securities and Banking Commission (CNBV).
Under Mexico’s Fintech Law, ITFs can mainly exercise three types of activities:
The Fintech Law also includes a category named “innovative models”, which applies to new financial applications that must be tested in a “sandbox” before they are finally approved by the CNBV; innovative models are also subject to licensing, which is granted for a maximum of two years.
Since Mexican law gives fintech companies the opportunity to adopt technological alternatives in all of their operations, innovative models may constitute a gateway for the adoption of blockchain technology in the Mexican financial ecosystem, especially in areas such as data transfer and processing, smart contracts, e-signatures, etc.
Prior to the enactment of the Fintech Law, there were companies that already operated non-regulated fintech models that were later subject to licensing. The Fintech Law gave such companies 12 months to file for an ITF licence or otherwise refrain from continuing to provide their services.
This 12-month period came into effect on 25 September 2018, after the CNBV published its General Provisions applicable to the operation of ITFs under the Fintech Law.
In addition, on 8 March 2019, Mexico’s Central Bank issued its resolution number 4/2019, which referred to the risks associated with operations with virtual assets (cryptocurrencies) and imposed additional requirements on their operation.
All of the above could be responsible for the fact that only a few ITF licence applications have been filed; according to the CNBV, only 85 ITF licence applications were presented, 60 of which referred to crowdfunding licences and 25 to electronic payments.
Notwithstanding the above, in 2019 Mexico’s Central Bank launched a technological platform called Digital Collection (or CoDi), which uses QR Codes and NFC technology to carry out electronic payments and digital collections in real time for face-to-face and online sales, thus evidencing Mexico’s Central Bank's interest in promoting the adoption of new technologies and the digitalisation of payments.
Also, Mexico’s Ministry of Finance and Tax Administration Service and Mexico’s Banks Association announced that, from 2020, payments made with credit or debit cards will allow the automatic issuance of a tax invoice using the card holder’s tax number, which will be recorded in the card’s chip, whereas payment terminals will have real-time communication with Mexico’s Tax Administration Service for the validation of tax information and records prior to the issuance of such invoice.
Risk and Liability
Risk and liability challenges relate mainly to possible sanctions and hefty fines from Mexican regulators for violations of Mexico’s Fintech Law and liability towards end users. However, there is no risk or liability for the use of blockchain technology per se.
There are no intellectual property rights or creative commons specifically applicable to blockchain technologies, so all rights and proceedings related to blockchain technologies are governed by ordinary proceedings, laws and regulations.
Data privacy obligations would be the same as for other electronic and physical business activities, except for Article 52 of the Regulations and Article 73 of Mexico’s Fintech Law, which further protect information and documentation used by ITFs in the provision of their services.
As mentioned earlier, blockchain might be used by ITFs in order to secure sensitive data or any information related to their financial services.
In addition, chapter VI of the General Provisions for Mexico’s Fintech Law requires crowd funds to designate a Chief Information Security Officer and to adopt security information procedures.
There are no specific service levels applicable to blockchain.
In the case of regulated industries, most services would have to be provided by a local and duly licensed company, and judgments or resolutions by competent authorities would be enforced locally.
Regarding foreign-based providers, Mexican courts and authorities would – in most cases – have no jurisdiction to enforce their decisions.
The biggest legal challenge relating to big data, machine learning and artificial intelligence is that there is no specific regulatory framework that easily allows the implementation of these technologies.
However, machine learning is currently used in the provision of financial services, data processing, compliance of standards, surveillance, fraud detection, product recommendations, trading, customer care and chatbots.
Mexico’s Telecommunication Regulator (Instituto Federal de Telecomunicaciones – IFT) has promoted the discussion of these topics over the last three years but no regulation exists at this time.
Therefore, except for article 52 of the Regulations and certain industry-specific regulations, any projects relating to big data, machine learning and artificial intelligence would be subject to the same liability and insurance, data protection, intellectual property, jurisdiction, and even fundamental rights as any regular project.
There are no particular restrictions that can affect the scope of a project with connected devices, as there is no regulation that currently applies to connected devices technology in particular.
In this case, the IFT would seek compliance with the regulations regarding homologation, interconnection, no spamming, no phishing, consumer protection, collaboration with justice, numbering, net neutrality, spectrum use and signalling that apply to all electronic communications, but would not make a distinction as to whether such communications take place between users and/or connected devices (P2P, M2P, P2M, M2M).
In addition, the IFT recently published its draft Network and Traffic Management Guidelines (the Guidelines) for public consultation, which shall apply to internet service providers (ISPs) once approved.
The Guidelines are intended to ensure net neutrality and that ISPs establish general network traffic policies that comply with the following requirements:
On the other hand, the Guidelines will allow ISPs to supply Differentiated or Specialised Services.
The Guidelines define Differentiated Services as those in which ISPs give special treatment to content, apps or services accessed by end users.
In this case, the cost of data for access to a specific content, application or service is sponsored by a third interested party, provided that the end user has an active data balance in either its prepaid or post-paid services.
The IFT’s draft Guidelines also allow for the provision of Differentiated Services when the end user does not have an active data balance, provided that such Differentiated Services have the purpose of reducing the digital divide by way of public services or services that promote education, finance or work inclusion, or promote digital skills.
This last restriction would limit the business activities of transport, content, social network, communication and commerce app service providers who could be willing to sponsor data consumption for end users who do not have a data balance so they can still have access to a “soft version” of such apps, as is the case in certain Asian countries.
The IFT’s Guidelines are still not final, and Mexico’s TMT sector will likely push for the IFT to remove these restrictions for the benefit of both users and the TMT sector.
The Guidelines define Specialised Services as those that ISPs offer to app, content or service providers through the payment of a consideration, in order to provide specific or superior network resources to transmit and improve upload and download speeds or the users’ experience.
Specialised Services shall in no way affect the quality or speed of other traffic transmitted through a public telecommunications network, and ISPs shall in no case bill content, app or service providers for the transmission of their traffic under standard conditions.
Pursuant to the Guidelines, the ISPs that offer Specialised Services shall provide them on a non-discriminatory basis, and shall make them available to all providers of applications, content or services, under the same conditions of diversity, price and quality, including equivalent service levels and time for the resolution of failures. Furthermore, ISPs shall refrain from denying the provision of such services for unjustified reasons, entering into exclusivity agreements or performing conducts that have similar effects.
It is important to highlight that ISPs that distribute content, applications or services of their own through the use of specific resources of their networks shall make such resources available to providers of applications, content or any other internet-based service, and in no circumstance shall such Specialised Services require the providers of applications, content or any internet-based service to pay for the transmission of the traffic generated by their content, applications or services, under standard conditions.
Machine-to-machine communications will likely be the ones to make the most use of Specialised Services once the IFT publishes its final Guidelines. This will especially be the case for financial, gaming, security, healthcare, transportation or emergency apps and services. It is therefore reasonable to assume that banks, gaming platforms, child or elderly care companies or institutions will seek to contract these Specialised Services from ISPs.
The Guidelines further require ISPs to:
The Policy Code shall also include:
The IFT’s public consultation for its draft Network and Traffic Management Guidelines ended on 15 July 2020, and there is no specific date for the IFT to publish its final Network and Traffic Management Guidelines.
Mexico remains one of the most open economies in the world, having signed a total of 12 free trade agreements, including the North American Free Trade Agreement (NAFTA) and its successor, the USMCA, the Mexico-Japan Free Trade Agreement of 2004 and the Mexico-EU Free Trade Agreement of 2000, as well as 32 agreements for the reciprocal protection of investments and nine economic complementation agreements. Mexico's legal framework is quite open to IT entry.
Thus, Mexico has no provisions on IT price revisions nor restrictions on the importation of equipment (other than compliance with general technical norms and homologation), international data transfers or storage location, and it does not require a licence for the provision of IT or value-added services.
The USMCA includes specific provisions for financial services and digital trade that prohibit the signing parties from requiring the use or location of computing facilities in such party’s territory as a condition for conducting business in that territory.
Regarding financial services, Chapter 17 of the USMCA establishes that no party to the USMCA shall require another to use or locate computing facilities in the party’s territory as a condition for conducting business in that territory, so long as the party’s financial regulatory authorities – for regulatory and supervisory purposes – have immediate, direct, complete and ongoing access to information processed or stored on computing facilities located outside the party’s territory.
Chapter 17 further defines “computing facilities” as a computer server or storage device for the processing or storage of information for the conduct of business within the scope of the licence, authorisation or registration of a covered person, and defines “covered person” as:
Regarding digital trade, Chapter 19 of the USMCA states that no party shall require a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that territory.
Chapter 19 defines “computing facility” as a computer server or storage device for processing or storing information for commercial use, and defines “covered person” as:
In addition, Article 19.11 of the USMCA requires the USA, Mexico and Canada not to prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.
However, Article 19.11 does not prevent a party from adopting or maintaining a measure that is inconsistent with the above, as long as such measure is necessary to achieve a legitimate public policy objective and is not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade, and does not impose greater restrictions on transfers of information than are necessary to achieve the objective.
The USMCA became effective on 1 July 2020.
Core Rules Regarding Data Protection
Mexico has an “opt in” regime regarding the treatment of personal data, under which owners of personal data must consent to the treatment of their data through different available means, which may include a signature or a “click”.
Distinction Between Companies/Individuals
Unlike individuals, the law does not recognise companies as entities that can have title to personal data. Therefore, company data is protected by other laws, such as Industrial Property Law, Tax Law, etc.
General Processing of Data
General processing of data is not subject to specific regulation.
Processing of Personal Data
Responsible Parties that process (treat) personal data are obliged to safeguard and protect a person’s information, such as their name, address, e-mail, telephone number and any other data that serves to identify an individual.
Responsible Parties must publish a data privacy notice, which must be made available to those persons whose information is collected, along with any changes to such data privacy notice.
Individuals whose personal data is collected shall exercise their ARCO Rights.
Unless expressly authorised, a Responsible Party or a third party cannot use personal data to contact the user to offer or promote products or services.
There are no restrictions on monitoring and limiting employees' use of company computer resources, except for the content of private communications.
Technologies Falling within the Scope of Local Rules
Mexico’s Telecommunications and Broadcast Law (the Telecom Law) is technology-neutral, so there is no regulation that applies to a specific type of technology. The Telecom Law and its subsidiary regulations govern services, use of spectrum and licensing, but not technologies.
Radio frequency identification (RFID) tags are not specifically regulated, and tag readers normally operate in free spectrum frequency bands.
Voice-over-IP has to be provided as a regular telephone service that is subject to numbering, interconnection and signalling regulations.
There is no regulation for instant messaging services like WhatsApp, WeChat, Snapchat, etc.
Requirements Prior to Bringing a Product/Service to the Market
Mexico’s Telecom Law has a pro-convergence approach and therefore allows licensees to provide all telecommunications services that technology allows, without limiting the scope of such licence to a specific technology.
Both services and spectrum licences are granted by the IFT.
Service licences are issued through an administrative proceeding that may be filed at any time, whereas spectrum licences are granted through public auctions.
In the case of service licences or concessions, the IFT has 120 business days to rule over an application, and the processing cost for the study and issuance of such licence is approximately USD1,500.
All equipment that transmits signals through the airwaves and/or connects to a public telecommunications network has to be homologated, must not cause harmful interferences to other telecommunications systems and, when applicable, must comply with the applicable National Norm Certification.
Homologation is carried out before the IFT, which has 60 business days to rule over a homologation application. Homologation certificates can be either provisional (with a one-year validity) or permanent.
Homologation costs are approximately USD350 for a provisional certificate and USD130 for a permanent homologation certificate.
As mentioned earlier, the Telecom Law foresees the granting of universal service licences or single concessions for all kinds of services.
Thus, the licence to provide an audio-visual service such as pay TV would be the same as the licence for a fixed broadband or telephony service.
However, in the case of over-the-air TV and radio broadcast services, the Telecom Law foresees the granting of a spectrum licence that – in the case of commercial services – must be awarded through a public auction.
The proceeding and costs applicable to obtain a single or spectrum concession are the same as those mentioned in 8 Scope of Telecommunications Regime.
Online audio-visual services are not currently regulated, and no licence is required.
Mexico does not have a specific regulation or law on encryption requirements.
Nonetheless, article eight of Mexico’s Advanced Electronic Signature Law recognises that the use of such signature in a document or message guarantees that it can only be encrypted and decrypted by the signer and the receiver.
Also, the IFT’s Collaboration with Justice Guidelines state that concessionaires shall guarantee that their electronic platforms use encryption tools or digital signatures to maintain the confidentiality of metadata or real-time location information requested by competent authorities.
It is important to mention that, in recent years, most financial entities in Mexico, such as banks, have adopted encryption technologies as a security mechanism for financial operations and communications with their users.
On the other hand, Article 12.C.2 of Annex 12-C to the USMCA establishes that no party to the treaty shall require a manufacturer or supplier of ICT goods of another party, as a condition of the manufacture, sale, distribution, import or use of the good (in their territory), to:
Annex 12-C sets out the following definitions:
The provisions of Article 12.C.2 apply to ICT goods that use cryptography but do not apply to:
Like most countries, Mexico has adopted emergency measures to contain the spread of COVID-19.
These measures were adopted at the end of March 2020 and most of them are still in force, albeit with limited results since Mexico has one of the lowest COVID-19 testing rates in the world, as well as a high mortality rate.
The Mexican government’s emergency measures include the suspension of non-essential activities such as schools, movie theatres, restaurants, bars, etc, whereas telecommunications, broadcast, financial, health, groceries and public safety services have been declared essential activities.
In addition, the Mexican Health Ministry has implemented an epidemiologic traffic light guide system that classifies health emergency levels into four colours: green, yellow, orange and red.
The colour for each Mexican state is updated on a weekly basis. At the time of writing, Mexico City and four other states were in red, 22 states were in orange, three states were in yellow and two states (Chiapas and Campeche in the Mexican south east) were in green.
It is likely that certain factories and activities in Mexico that relate to the US supply chain may resume as the United States starts coming out of the COVID-19 health emergency, especially considering the restructuring of supply chains from China.
Regarding COVID-19 vaccination, the Mexican government has published a national vaccination programme that seeks to vaccinate all persons aged 60 and over by the end of March 2021, and to continue with the rest of the population in accordance with age groups, until the end of 2021.
Although Mexico has secured one of the greatest numbers of contracts to get access to COVID-19 vaccines, the effectiveness of the federal government’s vaccination programme remains to be seen.