Within current Mexican regulation, the existence of the metaverse or of facts or legal acts, including advertising or economic transactions explicitly covered in the metaverse or through the use of mixed virtual reality devices, is not regulated per se. Thus, any promotions and advertisements made in the metaverse would be subject to the applicable provisions of the Consumer Protection Act, as well as any relevant legal provisions pertaining to specific categories such as food, beverages, health and others. If, within the metaverse, banking services are offered, specific financial regulations apply, depending on which service is being offered or carried out. While Mexico has put in place an Act to Regulate Financial Technology Institutions (the “Fintech Act”), the act regulates specific models that may or may not exist in the metaverse, such as cryptocurrencies, and, therefore, while not specifically regulated, the scope of the act as drafted is broad enough to regulate the activities that take place in the metaverse, rather than regulate the Metaverse itself.
However, not all Mexican laws and legal provisions would apply in this way. For example, when talking about the sale of spaces that can be purchased within the metaverse, one might think that the specific law that regulates the same activity in the physical world would apply. However, one would be wrong to make this assumption because certain laws exist that speak exclusively of physical spaces. This topic has been widely commented upon in forums discussing the legal nature of such activity and the general consensus is that what would be purchased would not be any land or space or any title that entitles a person to any type of property right as such, but a licence to use a space within a software would be purchased and, therefore, it would be regulated by the Mexican copyright statutes.
Additionally, there is general concern about security in the metaverse. The metaverse, being essentially a space that allows and encourages interaction between users, allows freedom of behaviour and, therefore, certain crimes such as sexual harassment can be committed. Despite the fact that, within the Federal Criminal Code, such crime is typified in a way that implies that it is physical (such as obscene touching or groping), certain acts that simulate it can be performed in the metaverse. Therefore, it does not directly fall within the aforementioned definition and so it is not considered a crime. However, from the psychological and social point of view, it can have negative and harmful effects on the victim, and yet, under the current legislation, the victim will not be protected. The current legislation needs to be reformed in order to protect possible victims from this type of interaction that can occur in the metaverse.
As the regulations continue to evolve, responsibility still currently falls on the platforms that facilitate access to the metaverse. From a social perspective, these platforms will be required to efficiently moderate content, promptly address and respond to reports of aggressive and dangerous behaviour, with the ultimate goal of safeguarding users. Additionally, there are emerging technologies that enable users to record the final minutes of an incident, such as acts of violence or harassment, and submit these reports directly to the platform for further action.
This brings conflicts, mainly the fact that the biggest sanction that the platform can issue, not being an authority, is the banning of the user to prevent them from continuing to perform such acts in that same platform, which allows them to switch to another platform and continue with such violent acts.
Additionally, the aforementioned measure brings serious privacy concerns as it is constantly recording every interaction and/or any action performed in said metaverse. This is of concern mainly due to the fact that it collects information from users, which in certain occasions can become personal data. Given its primarily social nature, there is a possibility of sharing sensitive information like sexual preferences, religious beliefs, and other personal data. It is crucial to analyse the underlying purposes (beyond the obvious) of the platforms through which one accesses the metaverse. Additionally, current technologies used for creating digital avatars that graphically represent users in the metaverse may require a photo or a scan of the user, thus capturing biometric data.
This is made worse when considering the potential cybersecurity risks that may be involved, particularly considering the collection of various personal data on such platforms. The current data privacy laws in Mexico have relatively limited protection and would require a pro-human rights interpretation in order to effectively protect users who may be at risk when entering the metaverse.
To regulate e-commerce, the Mexican Secretariat of Economy issued the NMX-COE-001-SCFI in 2018, which provides guidelines for individuals and entities offering, marketing, or selling goods, products, or services through digital platforms. This standard specifically targets those who regularly or professionally promote, market or distribute goods, products or services using electronic, optical or other technologies. Its application is exclusively for consumer transactions between suppliers, intermediary suppliers or third-party providers, and the consumers of these goods, products or services. This regulation establishes a set of practices and standards for e-commerce in Mexico, focusing particularly on consumer protection and rights. It addresses issues ranging from transparency in advertising and terms of sale to security in online transactions, including the protection of personal data. It also covers the specifics of cross-border e-commerce, setting clear guidelines for payment methods and delivery processes. The primary goal is to create a secure, reliable and equitable e-commerce environment, where both consumers and businesses are protected, and transactions are conducted fairly and transparently.
Legislatively, there have been attempts to incorporate the provisions of the NMX into the Consumer Protection Act and even into the Commercial Code. However, these reforms have not been approved.
Additionally, the United States-Mexico-Canada Agreement (USMCA) dedicates an entire chapter to regulating e-commerce, representing a legislative effort to adapt and modernise the legal framework in the face of the challenges and opportunities of e-commerce. With clear and detailed definitions, it lays the foundation for understanding and regulating the complexities of digital commerce, including aspects like algorithms, electronic authentication, and digital products. It aims not only to protect consumers in electronic transactions but also to ensure the privacy and security of their personal data. At the same time, it prohibits practices such as imposing tariffs on digital products and promotes fair and non-discriminatory treatment in digital trade.
The USMCA emphasises the importance of international co-operation on these issues, recognising that digital commerce transcends borders. This implies a joint effort to address challenges such as cybersecurity and source code management, crucial for maintaining integrity and trust in the digital space.
It is also important to refer again to the Fintech Act, which primarily regulates five types of institutions. The first and most utilised are Electronic Payment Fund Institutions (EPFIs), requiring authorisation from the National Banking and Securities Commission to perform activities like opening and managing electronic payment fund accounts for clients, transferring electronic payment funds, and handling national and foreign currency and virtual assets.
The second institution regulated under this act is Collective Funding Institutions (CFIs). These institutions act as intermediaries between investors and funding applicants, facilitating debt financing, equity financing, and co-ownership or royalty financing.
Additionally, the act begins to regulate cryptocurrencies, specifically the operations conducted with these virtual assets, understood as electronically registered value representations used as a means of payment for various legal acts and transferable through electronic means.
Moreover, the act attempts to regulate companies authorised to operate with innovative models, also known as the Sandbox. These are start-ups that, on a temporary basis, can provide a novel financial service using technology. Despite its promising nature and apparent encouragement of financial market innovation, this model has not yet been utilised by any company.
The fifth and last institution regulated by the Fintech Act are the Application Programming Interfaces (APIs), which are defined as programming methods that allow communication and information sharing between two or more sites or applications. The Fintech Act specifically aims for financial intermediaries to share information uniformly. Consequently, it imposes an obligation on certain financial entities to implement APIs that facilitate connectivity and access to other APIs developed by other entities, for sharing open financial data, aggregated information, and transactional data of users.
The Fintech Act’s approach is to create a more integrated and efficient financial services landscape, enhancing the capacity for innovation and adaptation in the rapidly evolving digital finance sector. This regulatory framework is crucial in establishing a solid foundation for the growth and development of financial technology in Mexico, ensuring that it remains competitive, transparent and secure.
In Mexico, there is currently no specific regulation on cloud and edge computing. However, Article 52 of the Regulations for the Federal Act on the Protection of Personal Data Held by Private Parties (PDPL) provides a definition for cloud computing as “the model for the external provision of on-demand computer services, entailing the supply of infrastructure, platforms or software, which is flexibly distributed through virtualization processes on dynamically shared resources”.
Furthermore, the PDPL allows for regulatory departments, along with the National Institute of Transparency, Access to Information and Personal Data Protection (INAI), to issue criteria for the proper processing of personal data using cloud computing services. The INAI has, accordingly, issued guidelines for “Minimal Suggested Criteria for the Hiring of Cloud Computing Services Involving the Processing of Personal Data”.
Given the fact that the PDPL and its regulations are mandatory, and that there are currently no specific acts in Mexico regulating cloud and edge computing, there are no specific restrictions for industries regarding the processing of personal data via cloud and edge computing services. Relationships with third-party vendors providing cloud and edge computing services are subject to compliance with-, and hence governed exclusively by traditional rules on third-party data processing (with cloud vendors being regarded as data processors acting on behalf of a data controller).
The cloud service providers must have personal data protection policies that comply with the principles and obligations set forth by the act and its regulations. It is crucial that they disclose any subcontracting that affects the managed information, and it is prohibited for them to assume ownership or control of such information. Moreover, they are required to maintain the confidentiality of personal data at all times.
Additionally, providers must implement mechanisms to inform about changes in their privacy policies or service conditions. It is important that they allow the data controller to limit the processing of personal data and that they establish adequate security measures for its protection. Upon termination of the service, they must guarantee the deletion of personal data and ensure that the data controller can recover it. Providers are also required to restrict access to the data to unauthorised persons and, in the event of access by a competent authority, to inform the data controller about it.
The lack of further regulation has allowed data controllers to process data unrestrictedly in the context of cloud and edge computing. However, the increased use of these technologies may result in the enactment of specific regulations or legislation, which passing should, accordingly, be closely monitored.
Currently, there are no specific acts or statutes regulating Artificial Intelligence (AI) in Mexico. However, the parliamentary group of one political party has introduced an initiative to enact the Act on Ethical Regulation of Artificial Intelligence and Robotics.
Under the Federal Copyright Act (FCL) only natural persons (who have created literary or artistic works susceptible to being disclosed or reproduced) can be considered authors. Therefore, the operation of AI paves the way for certain discussions, with one key focus being the attribution of authorship. Given that AI cannot be considered as author under applicable acts in Mexico, the work-product resulting from the use of AI cannot be considered as a creation of the authorship and, thus, under the ownership of AI directly. A notable aspect under consideration is whether creators of AI should be acknowledged as authors for the works produced by their AI systems, or if the AI itself can be regarded as an independent authorial entity separate from its human creators. Additionally, further discussion arises regarding whether AI, while learning from copyrighted information, inadvertently infringes upon the copyrights of other authors. This regard gives place to an additional discussion: whether AI, in its autonomous learning processes (which virtually do not fall under a fair use doctrine), might unintentionally violate the intellectual property rights of original creators whose works contribute to its knowledge base.
By the same token, under the Federal Act on the Protection of Industrial Property, AI cannot be deemed an inventor, as it expressly establishes that inventions are “human creations”.
The absence of regulations on AI in Mexico poses certain difficulties to the determination of rights and obligations concerning the works generated by AI, which will likely result in the enactment of specific regulations or legislation.
In Mexico, as of publication of this guide (February 2024), there is no specific regulation regarding cybersecurity. However, on 25 April 2023, a draft federal cybersecurity act was introduced, which has not yet been approved. This proposed act was motivated by various attacks on different systems since 2018, including, but not limited to, the following:
The purpose of this bill is as follows:
Additionally, this bill begins to regulate not only cybersecurity but also brings definitions of important concepts for any type of regulation of interactions between individuals, companies, and/or government institutions.
It also aims to create an Intersecretarial Commission of Information and Communication Technologies and Information Security, which could act as a co-ordinating body among authorities responsible for implementing and developing actions in the field of information and communication technologies, as well as computer security in the federal public administration.
In Mexico, Normalización y Certificación NYCE, S.C. (NYCE) currently standardises communication between electronic devices to facilitate and improve such communication. This is achieved through specific norms and standards that devices must comply with, including aspects of security, quality and compatibility, among others.
Furthermore, Mexican regulations include the Guidelines for the Standardisation of Products, Equipment, Devices or Apparatus for Telecommunications or Broadcasting (the “Devices”), issued by the Plenum of the Federal Telecommunications Institute (the “Institute”), which came into force on 27 June 2022. These guidelines are mandatory as they were issued in compliance with Article 15, Section I of the Federal Telecommunications and Broadcasting Act, which empowers the Institute to issue general administrative provisions.
These guidelines involve the standardisation of Devices through Homologation Certificates granted by the Institute through a procedure supervised and determined by the Institute’s Unit of Concessions and Services. Among the conditions to be met to obtain the certificate, the following stand out:
There are different types of standardisation, Type A, Type B and Type C, which follow different procedures but share the following steps.
This certificate, being of a mandatory nature, is necessary to connect, install, operate or use the Devices, which would be considered duly standardised.
Internationally, there is the Budapest Convention on Cybercrime, to which the member countries of the Council of Europe are parties, primarily regulating aspects of criminal law, specifically computer crimes related to content, intellectual property, and procedural aspects. However, it is important to mention that Mexico has not ratified this convention and therefore it is not applicable within its national territory, even though it could be very helpful in regulating these aspects at a national level.
Under the Federal Telecommunications and Broadcasting Act (FTBA), a licence is required to provide telecommunications and/or broadcasting public services. Such licence can be granted for a term of up to 30 years and may be extended.
In addition to the foregoing, free-to-air TV, broadcasted radio and providers of any other services which require to use spectrum frequencies, must either lease such spectrum for licensed holders or secure their own spectrum licences (which are auctioned and require the payment of annual duties).
Likewise, the provision of satellite telecommunications services requires a separate orbital slot concession, which is also granted subject to availability to Mexico of such slots per international treaties and through public tender proceedings.
While traditional audio-visual media services such as paid TV or free-to-air TV require a licence, online audio-visual platforms and over-the-top services (OTTs) are not considered telecommunications services nor broadcast and therefore do not require a licence to operate in Mexico.
In order to obtain a telecommunications or broadcasting licence, an application must be filed before the Federal Telecommunications Institute (IFT), along with the technical plans that support the telecommunications and/or broadcasting services for which a licence is sought, and documents and information that establish the administrative, legal and economic capacity of the applicant to render such services according to applicable laws and regulations. The IFT has 60 calendar days to analyse and assess the documents submitted and may request additional information when necessary. Once such term has expired and all requirements have been met, the IFT shall grant the licence.
Governmental duties payable to secure the aforementioned licence amount to approximately USD1,200.
On the other hand, spectrum licences are granted through a public tender process (in the case of commercial services) and upon payment of an upfront consideration and an annual royalty. This type of licence can be granted for a term of up to 20 years and may be extended up to equal terms. To grant such licence IFT will take into consideration the economic proposal, coverage, quality and innovation, lower prices to the end user, prevention of concentration, and entry of new competitors into the market.
The FTBA regulates telecommunications and broadcasting services. The Federal Telecommunications Institute, the agency vested with applying the FTBA and the Federal Competition Act in the telecommunications and broadcasting industries, has defined, among others, paid-TV, fixed and wireless broadband access, fixed and wireless voice. Along the same lines, satellite communications are also considered telecommunications services. Hence, audio-visual streaming, instant messaging or video/audio calls do not fall within the scope of local telecommunications rules.
On the infrastructure side, while no licence is required to own or commercialise telecommunications infrastructure (towers, antennas, fibre optic), only licensed carriers may provide services on such infrastructure. The use thereof, however, is subject to telecommunications rules as it forms an integral part of the telecommunications network.
Other cases where authorisation from the IFT is required are:
The IFT may exempt authorisation to those transmitting earth stations which, by complying with established standards, do not cause harmful interference to other telecommunications systems.
These authorisations shall be valid for a term of up to ten years and may be extended for up to equal terms; the process to obtain such authorisations shall be resolved within 30 business days after submitting the application. Once this period expires, with no resolution from the IFT, the authorisation shall be considered granted.
Currently, one of the most relevant challenges that organisations face when entering into a technology agreement is the lack of standardisation of contracts in the sector. This is a general rule, as there are some specific sectors that have managed to standardise to a certain extent; however, this is the exception to the rule and it is not an absolute standardisation.
This lack of standardisation means that, at the time of contract negotiation, it becomes extremely technical and complex, which may lead to the fact that, in the event of a controversy and/or litigation, the judge may have problems in correctly understanding the essence of such contracts and, therefore, may not judge correctly in such lawsuits. This could even cause the parties to actively seek arbitration as a method of dispute resolution in order to have a judge who has the technical knowledge of the issues since, unfortunately, current judges do not have sufficient technological knowledge.
Additionally, due to the lack of standardisation, technology agreements can also suffer from the opposite issue and not be technical enough, which could leave a lot of room for interpretation by either the parties or a judge and therefore not be an ideal contract for the specific transaction and/or operation. This is often reflected in definitions being invented specifically for a contract and, in the absence of specific regulation, these can be erroneous because the process requires a lawyer who fully understands the operation, as well as the functioning, of the technology involved, in order to properly tailor a certain contract to that operation.
The Commercial Code distinguishes between three categories of electronic signatures: simple electronic signature, advanced or reliable electronic signature (FEA), and certified advanced electronic signature. Each is defined as follows.
The legal effects of the FIEL (Advanced Electronic Signature) are regulated within the Advanced Electronic Signature Act, which establishes that electronic documents and data messages signed through such means have the same probative value as applicable provisions grant them. Among these provisions, those of the fiscal sector stand out, as they have enabled means like the taxpayers’ tax mailbox, allowing both individuals and legal entities to present annual or supplementary declarations, defence mechanisms such as revocation appeals, notices provided within Annex 1-A of the Miscellaneous Fiscal Resolution (such as the appointment of a legal representative by foreign companies), and even consultations to the Tax Administration Service. The aforementioned documents enjoy full probative value in accordance with applicable fiscal provisions.
By defining the electronic signature, it is established that it has the same legal validity and is accepted as evidence in court just like a handwritten signature. In this context, the Federal Code of Civil Procedures as well as the Commercial Code recognise the validity of electronically generated information as evidence. Both codes consider the reliability of the method used to generate, communicate, receive or store that information when assessing its probative force.
Moreover, the Commercial Code indicates that electronic signatures created abroad are equally valid and have the same probative value as those issued in Mexico, as long as they align with internationally recognised standards.
Although there are few judicial precedents regarding the use of electronic signatures, most recognise their validity. However, it is important to note that electronic information can be altered. Therefore, any electronic signature, regardless of its type, can be questioned in litigation or arbitration proceedings. In such cases, it would be necessary to present additional technological evidence, which may pose procedural challenges.
For this reason, use of an electronic signature that offers the highest possible probative value in case of dispute, such as an FEA or a certified FEA, is recommended. In dispute situations, the responsibility of proving the reliability of the electronic signature falls on the signatory, who must provide the necessary evidence to support its authenticity.
Section 19.6 of the USMCA (United States-Mexico-Canada Agreement) states that the legal validity of an electronic signature should not be denied simply because it is electronic, except under specific circumstances. It also prohibits legal entities from adopting measures that limit the choice of electronic authentication methods or electronic signatures in electronic transactions, or that prevent parties from demonstrating their legal compliance in judicial or administrative processes. Thirdly, it allows for certain categories of transactions to require specific performance standards or certification by accredited authorities for electronic signatures or authentication methods. Lastly, it encourages the promotion of interoperable electronic authentication use among the parties.
Blvd Manuel Avila Camacho 24-7
Col. Lomas de Chapultepec
11000 Mexico City
Mexico
+52 55 5540 9200
+52 55 5540 9200
galicia@galicia.com.mx www.galicia.com.mx