Mexico Data Protection Law: What is it & How to Comply?
More and more countries are introducing data compliance laws. One country that has recently released a fairly new data protection law is Mexico. Mexico's data protection law covers all 126.7 million people living there.
It’s essential to follow all the regulations set by this compliance framework because it is one of the most comprehensive data privacy regulations globally.
If you’re running a business in Mexico or have Mexican consumers, it’s essential to understand this privacy law. So, without further ado, let’s cover their law.
- The Mexico data protection law applies to people in Mexico. Businesses and legal entities conducting commercial activities and any personal data processing within or related to Mexican jurisdiction must abide by these laws.
- Data subjects in Mexico have access to four ARCO rights: Access, Rectification, Cancelation, and Opposition of their collected data.
- Non-compliance with Mexico’s Data Protection Law can lead to severe financial or criminal penalties, depending on the severity of the breach and whether it was committed for profit.
What is the Mexico Data Protection Law?
The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) became effective on July 5th, 2010.
The law establishes guidelines for the collection, use, disclosure, and protection of personal information of individuals.
However, this is only one of several privacy laws in Mexico (remember when we said that Mexico has one of the most comprehensive data privacy regulations in the world?).
Together, this group of laws is known as the “Mexican Privacy Laws”, which, besides the FLPPDHPP, includes:
- The Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares), enacted on December 22nd, 2011
- The Privacy Notice Guidelines (Las Directrices del Aviso de Privacidad), which is effective as of April 8th, 2013
- The Recommendations on Personal Data Security (Las Recomendaciones sobre la Seguridad de los Datos Personales), which came into force on November 30th, 2013
- The Parameters for Self-Regulation regarding Personal Data (Los Parámetros de Autorregulación en materia de Datos Personales), effective as of May 30th, 2014
- The General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), which became official on January 27th, 2017
Data protection in Mexico is based on the:
- Articles 6 and 16 of the Mexican Constitution
- The Federal Law for the Protection of Personal Data Held by Private Parties (FLPPDHPP)
- The General Law for the Protection of Personal Data in the Possession of Obliged Subjects (GLPPDPOS)
- And other relevant laws and regulations.
The National Institute for Transparency, Access to Information, and Personal Data Protection (INAI) is responsible for overseeing this and, where necessary, imposing fines and penalties for violations.
Key Definitions of Terms
- ARCO rights - Access, rectification, cancellation, and opposition. The four individual rights of a data subject
- Consent - A freely given and clear approval by the data subject or someone acting with legal authority in their name that allows the data processor to collect and process their personal information for a specific purpose
- Personal data - Any information related to an individual that could be used to identify them
- Data processing - Any form of collection, use, storing, or transfer of personal data (regardless of the means)
- Data controller - Individual or private entity that processes data or provides guidelines to a third party for data processing
- Data processor - Individual or legal entity that processes personal data of individuals on behalf of the data controller
- Data subject - An individual (i.e., consumer) whose personal data is being collected and processed by the data processor and the data controller
- Sensitive personal information - Data that can be used to identify an individual or reveal private information about them
Who Does Mexico Data Protection Law Apply to?
The Mexico data protection law applies only to:
- Private individuals (consumers)
- Businesses and other legal entities that process, collect, use, or store personal data for commercial purposes
Furthermore, Mexican Privacy Laws apply to any personal data processing, including:
- Processing by a data controller in Mexico
- Processing by a data processor on behalf of a data controller in Mexico, regardless of the location of the data processor itself
- Processing by or on behalf of a data controller who is not located in Mexico, if the Mexican legislation applies
- Processing within Mexico on behalf of a data controller not located in the country, except for processing exclusively for transit purposes
It’s worth noting that these laws do not apply to the following categories:
- The government
- Individuals who are collecting and storing personal data solely for personal and not commercial use
- Credit reporting companies, which are governed by the Mexican Law of Credit Institutions (Ley de Instituciones de Crédito o LIC)
In addition, this law, in general, does not apply to business-to-business (B2B) data such as:
- Data of legal entities
- Data of subjects acting as merchants and professionals
- Data of natural persons who are acting on behalf of a business, where the personal data is limited to:
  - First and last name, business contact data, job title, position, and function
  - Personal data that is processed only to represent the business
Individual Rights Under Mexico Data Protection Law
The data protection laws in Mexico include a similar set of data subject rights as the General Data Protection Regulation (GDPR) does. However, there are some differences between the two.
Individual rights under Mexico’s data protection law are collectively known as ARCO (Access, Rectification, Cancelation, and Opposition) rights.
- Right of Access: Data subjects can request access to their processed data
- Right of Rectification: The data subject can request rectification of inaccurate data
- Right of Cancellation: Data subjects can also request that their personal data be deleted
- Right of Opposition: Finally, data subjects can request the end of processing of their personal data in certain situations
Mexico Data Protection Law Principles
Mexico has several key principles that guide how businesses should conduct compliance. The key principles of data protection regulation in Mexico are as follows:
- Lawful basis for processing - Data processing must be done following the relevant laws and regulations
- Data minimization - The data controller should process only the minimum necessary amount of data for the specific purpose
- Purpose limitation - Data can only be processed for a specific purpose and not beyond it
- Transparency - Personal data cannot be collected, stored, used, or shared through fraudulent or deceitful means (for instance, without the data subject’s consent or knowledge)
- Consent - The data controller must obtain consent from the data subject before processing their personal data
- Responsibility - The data controller is legally responsible for the data subject’s personal data that they are processing
How to Comply with Mexico Data Protection Law
Compliance with Mexico’s data protection laws is essential for all organizations that process personal information. This section will provide an overview of the key steps necessary to ensure compliance in order to respect individuals' privacy and their rights under Mexican law.
1. Appointment of Data Protection Officer
Organizations must appoint a Data Protection Officer or department to manage requests from individuals exercising their ARCO rights (Access, Rectification, Cancellation, and Opposition). The DPO will be responsible for overseeing and advising on how best to protect any personal information being processed.
2. Preparation Of Privacy Notice (Aviso de Privacidad)
Organizations must make a privacy notice available before processing an individual’s personal data.
This will need to include specific details such as who the data controller is, what personal information they will be collecting and why, how an individual’s consent can be withdrawn or their ARCO rights exercised, and any transfers of collected data to third parties (not including processors). Depending on the circumstances of the collection, a comprehensive, simplified, or short-form privacy notice is required.
3. Obtaining Consent To Data Processing
Obtaining valid consent from individuals is essential for organizations processing personal data.
Depending on the data type, this consent may be implicit or explicit (verbal or written). There are also certain exceptions in which valid consent is not required; however, a privacy notice must still always be provided.
Certain organizations are exempt from the need to obtain consent before collecting and/or processing data if their purpose is research, historical recording, or statistics. Organizations are required to provide details of the scope and purposes for which any data will be used before an exemption can apply.
4. Put Necessary Security Measures in Place
Under Mexican privacy laws, all data controllers must establish and maintain physical, technical, and administrative security measures designed to protect personal data from damage or unauthorized use.
The risks involved with the processing activities need to be taken into account when developing the security measures, and added care should be taken with sensitive personal data. This includes personnel training on handling this information.
To put necessary security measures in place:
- Establish an inventory of personal data and relevant processing systems, updating at least once per year with respect to sensitive personal information
- Identify the duties and obligations that apply to those handling this data on behalf of or for the controller.
- Perform a risk assessment/analysis identifying potential risks while also emphasizing strengths within security programs (if any).
- Create and maintain policies for effective implementation of identified security measures as well as create documentation to support their continual maintenance
- Evaluate and improve security continually, addressing any gaps identified as a result of a breach.
- Maintain documentation regarding personal data storage.
5. Establish Breach Notification Measures
Under current Mexican privacy laws, if any security breach happens that significantly affects the property or moral rights of data subjects, controllers have an obligation to immediately inform all affected individuals. At a minimum, this includes informing them of what happened and how they can protect their interests.
Here are the steps to establish proper breach notification measures:
- Establish a written security breach notification process and procedure to be followed when such an instance occurs.
- Create visible messaging that informs customers of what actions are being taken in the event of a personal data breach (e.g., preparing message timelines for use across channels). This should include language that clearly outlines the type and cause of the breach, the corrective actions already implemented or still pending, and the documented measures put in place to reinforce new policies.
- Take steps to communicate breach notification processes and messaging, both internally as well as externally, to your customers.
Consequences of Non-Compliance with Mexico Data Protection Law
The Mexico Data Privacy Law is governed by the National Institute of Transparency, Access to Information, and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales), or simply INAI.
INAI can conduct an on-site investigation of the data controller to determine if it complies with the law.
If not, the data controller found in violation can be fined or, in certain situations, imprisoned.
To determine the severity of the fine or the duration of imprisonment, INAI will look at several factors:
- The nature of the data violated
- The nature of the violation and whether it was intentional or unintentional
- The economic position of the Data Controller
- Whether the Data Controller has willingly cooperated with the data subject
Monetary fines range from 100 up to 320,000 times the minimum wage in Mexico City. This can increase to double that amount for sensitive personal data.
However, in situations where the data protection officer (DPO) authorized to process personal data causes a breach for profit, they may face three months to three years of imprisonment instead.
Finally, if the data processor processes personal data deceitfully and takes advantage of the data subject’s error to gain unlawful profit, they can be imprisoned from six months to five years.
Mexico has some of the most in-depth data protection and privacy laws in the world that, on some level, even rival those of the EU’s GDPR in terms of legislative scope, data subject rights, and fines and penalties for violations.
However, while similar in many ways to GDPR or other laws like the CPRA in California, or the LGPD in Brazil, Mexico’s data protection law is still unique and you must take careful measures to ensure compliance.
That’s where experts like Captain Compliance can help you. We have the best compliance solutions on the market to ensure you have stress-free compliance.
So, ensure your business’ compliance and get in touch with Captain Compliance now!
Is Mexico Part of the GDPR?
Mexico is not a part of the European Union and is therefore not covered by the GDPR. However, if a business located in Mexico is collecting and processing the personal data of EU citizens, it nevertheless needs to comply with the General Data Protection Regulation.
What are the penalties for data protection in Mexico?
There are two types of penalties for data privacy violations according to the Federal Law on the Protection of Personal Data held by Private Parties (FLPPDHPP) or “the Law” - monetary and imprisonment.
Monetary fines go from 100 to 320,000 times the current minimum wage in Mexico City.
For violations where the data protection officer has caused a data security breach for profit, the sanction can be three months to three years of imprisonment.
Also, if the DPO has taken advantage of an error by the data subject to gain profit, the penalty can be six months to five years of imprisonment.
Who governs Mexicans’ right to privacy?
In Mexico, the data privacy of individuals is governed by the Federal Law on the Protection of Personal Data held by Private Parties.
What are the data subject rights in Mexico?
Data subject rights in Mexico are known as “ARCO” rights, which include:
- Right of Access
- Right of Rectification
- Right of Cancellation
- Right of Opposition
What are the cyber laws in Mexico?
Mexico does not have a specific cybersecurity law. Instead, it has several legal provisions regarding cybersecurity.