The right to privacy or intimacy is contemplated in Paragraphs 1 and 12 of Article 16 of the Mexican Constitution, which prohibits anyone from intruding onto an individual's person, family, domicile, documents or belongings (including any wiretapping of communication devices), except when ordered by a competent authority supported by the applicable law. The right to data protection is stipulated in Paragraph 2 of Article 16 of the Constitution, which seeks to set a standard for all collecting, using, storing, divulging or transferring (collectively, processing) of personal data (as defined below) to secure the right to privacy and self-determination. The rights to privacy and data protection are closely related fundamental rights that, along with other fundamental rights, seek to protect individuals' ability to guard a portion of their lives from the intrusion of third parties. Notwithstanding this, while a breach of privacy usually results in a breach of the right to protection of personal data, a data protection breach does not always result in a breach of privacy.
The first formal effort to address personal data protection was introduced in 2002 when the Mexican Congress approved the Federal Law for Transparency and Access to Public Governmental Information (the Former Transparency Law). Although the Former Transparency Law was mainly aimed at securing access to any public information in the possession of the branches of government and any other federal governmental body, it also incorporated certain principles and standards for the protection of personal data being handled by those government agencies. This effort was followed by similar legislation at the state level.
After several attempts to address data protection rights more decisively, in 2009 Congress finally approved a crucial amendment to the Constitution that recognised the protection of personal data as a fundamental right. Consequently, Congress enacted the Federal Law for the Protection of Personal Data in Possession of Private Parties (the Private Data Protection Law), which became effective on 6 July 2010 and was followed by the Regulations of the Private Data Protection Law on 22 December 2011.
Additionally, in January 2014 Congress approved an amendment to the Constitution to create an autonomous entity to be in charge of enforcing the Private Data Protection Law and to take on the duties of the former Federal Institute for Access to Information and Protection of Data (the former IFAI), which was originally created as a semi-autonomous agency separate from the federal public administration. However, in a rather controversial move, the former IFAI amended its internal regulations so that it could assume the necessary characteristics, and role, of the proposed autonomous entity. Consequently – and as a result of the new General Law for Transparency and Access to Public Governmental Information, which annulled the effect of the former Transparency Law – all matters previously dealt with by the former IFAI are now being handled by the 'new IFAI' as an autonomous entity; and it has adopted the title National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
The Private Data Protection Law is an omnibus data protection law that sets the principles and minimum standards that shall be followed by all private parties when processing any personal data. However, the Private Data Protection Law also recognises that standards for implementing data protection may vary depending on the industry or sector; accordingly, the Private Data Protection Law can certainly be complemented by sectorial laws and self-imposed regulatory schemes, which would focus on particular industry standards and requirements, to the extent that those standards and requirements comply with the data protection principles in the Private Data Protection Law. There have been efforts to promote such sector-specific rules among those processing any personal data within the same industry.
Finally, on 13 December 2016 the Mexican Congress approved the General Law for the Protection of Personal Data in Possession of Governmental Entities (the Governmental Data Protection Law and, collectively with the Private Data Protection Law, the Data Protection Laws), which was enacted on 27 January 2017, to establish a legal framework for the protection of personal data by any authority, entity or organ of the executive, legislative and judicial branches, political parties, and trusts and public funds operating at federal, state and municipal level. On the understanding that this particular publication is intended to address issues arising from data protection in the private sector, we will not address the Governmental Data Protection Law in detail, unless it is necessary to add context.
The INAI is in charge of promoting the rights to protection of personal data, and enforcing and supervising compliance with the Data Protection Laws and those secondary provisions deriving from those Laws. To this end, with respect to the private sector, the INAI has been authorised to supervise and verify compliance with the Private Data Protection Law; interpret administrative aspects of the Data Protection Laws; and resolve claims and, inter alia, impose fines and penalties. The INAI has been actively working through media campaigns to raise awareness among corporations and individuals of the relevance of adequate protection of personal data. Although the INAI has the authority to initiate enforcement activities, most fines and penalties imposed have resulted from claims filed by data subjects. We are aware that companies that have been fined by the INAI for breaching the Private Data Protection Law have challenged the decisions by means of nullity claims and amparo lawsuits; however, the relevant files are not publicly available.
II THE YEAR IN REVIEW
During 2018, the INAI continued to enforce the Private Data Protection Law at a slower pace but at the same time issued more guidelines intended to protect personal data when using technological means.
On 23 April 2018, INAI published in the Federal Official Gazette an agreement that modifies the electronic system used to file DPPs (as defined below) and complaints for the protection of rights. As a result of this amendment, the system allows: (1) private entities to review resolutions imposing sanctions; (2) the submission of any documents associated with a proceeding; and (3) private entities to access information about the status of a proceeding.
On 28 May 2018, the INAI issued a non-binding guideline to assist data controllers in processing biometric data in compliance with the Private Data Protection Law. The guideline reaffirms the criteria for what is deemed 'personal data' or 'sensitive personal data' by explaining that biometric data is considered personal data when it directly identifies a person or allows a person to be identified, and sensitive personal data when (1) it refers to the most intimate sphere of a data subject; (2) its undue use can lead to discrimination; and (3) its illegitimate use results in material risk to the data subject.
In May 2018 several banks in Mexico suffered a major cyberattack on their Interbank Electronic Payments System (SPEI), and approximately 400 million Mexican pesos were stolen. From the information publicly available, it appears that money was stolen from accounts owned by the banks and not by account holders. The Attorney General's Office (PGR) is still conducting an investigation into the cyberattack. INAI is also investigating whether the attack constitutes a data breach.
The Mexican Senate's approval of Mexico's adhesion to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (Convention 108) and its Additional Protocol of 8 November 2001 (ETS 181) was published in the Federal Official Gazette on 12 June 2018; both will enter into force on 1 October 2018. Through Convention 108 and ETS 181, the Mexican government is now committed to taking the measures necessary to give effect to the provisions of the Convention, and it is therefore foreseeable that a bill to amend the Data Protection Laws may be submitted in the near future. As of the time of writing, Mexico has not yet adhered to the Additional Protocol to Convention 108 approved by the Committee of Ministers of the Council of Europe on 18 May 2018 (ETS 223), since it remains open for signature until 10 October 2018.
On 15 July 2018, INAI published a bulletin announcing that it would initiate a proceeding to impose penalties against the data controller operating the 'Pig.gi' application in Mexico. Although there is limited public information, we understand that the investigation against that company was initiated ex officio by INAI, considering that (1) the relevant privacy notice does not include all of the elements described in the Private Data Protection Law; (2) the data controller processed users' personal data for purposes that are not described in its privacy notice; and (3) the data controller failed to implement the means necessary to comply with data protection principles, such as responsibility and legality.
On 16 July 2018, INAI published recommendations to assist data controllers in preventing theft of personal data while using public Wi-Fi networks, so as to reduce the risks associated with undue processing of personal data.
In July 2018, INAI published a non-binding guideline on protecting personal data while using social media applications. Among other matters, the guideline provides instructions and recommendations about access control and consent for applications, web pages and games, as well as suggestions for protecting personal data when interacting on social media.
Although the General Data Protection Regulation (GDPR) applicable in the European Union (EU) is not enforceable per se in Mexico, some provisions of the GDPR are intended to address processing beyond the borders of the EU, to the extent that such processing concerns personal data of EU citizens or residents of EU Member States. As a result, it is foreseeable that (1) entities that intend to carry on any business operation in the EU (even through remote means) must meet the new standards imposed by the GDPR; and (2) Mexican companies whose parent company is headquartered in the EU, or that process personal data on behalf of EU companies or subsidiaries, may be asked to meet the new standards imposed by the GDPR.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The most relevant pieces of legislation addressing personal data protection in Mexico are the following:
- the Constitution;
- the Private Data Protection Law;
- the Governmental Data Protection Law;
- the Regulations of the Private Data Protection Law;
- the Guidelines for Privacy Notices; and
- the Self-Regulation Parameters on Data Protection, which are applicable to the private sector.
The Private Data Protection Law identifies the data protection principles governing all processing of personal data, as well as the obligations imposed on any private person, whether an individual or entity, that has control over the processing of personal data (a data controller), on data processors (as defined below), and on third parties and any others engaged in the processing of personal data. As required by the Private Data Protection Law, the Mexican executive branch issued the Regulations of the Private Data Protection Law with the intention of clarifying the scope of the principles and obligations provided by the Private Data Protection Law. The Regulations also set out the rules applicable to the exercise by data subjects of their rights in relation to data controllers, and to the proceedings arising from claims filed by data subjects before the INAI in the event of a breach of the Private Data Protection Law by a data controller. Finally, the Guidelines for Privacy Notices (the Guidelines), issued by the Secretariat of the Economy, set the standard of detail that should be met by data controllers when drafting their own privacy notices and the scope of the language in privacy notices; the Self-Regulation Parameters on Data Protection, also issued by the Secretariat of the Economy, establish the rules, criteria and procedures for the development and implementation of self-regulatory schemes on data protection.
Both the Federal Consumer Protection Law and the Federal Consumer Protection Law for the Users of Financial Services also contain stipulations protecting consumers, whether individuals or entities, from any processing of their information for marketing purposes. Corporations or financial entities that wish to market products must first review the list of consumers who do not wish to receive marketing information, which is recorded in the Public Registry of Consumers held by the Federal Consumers Attorney's Office (Profeco) or in the Public Registry of Individual Users, which is managed by the National Commission for the Protection of Financial Services Users (Condusef). Any marketing activity directed at consumers enrolled in these registries may result in fines by Profeco or Condusef, as applicable.
In addition to any other terms defined herein, the following terms in particular should be taken into consideration for a better understanding of Mexican law on the subject:
- data processor: any natural person or entity that individually or jointly with others carries out the processing of personal data on behalf of the data controller;
- data subject: the natural person whom the personal data concerns;
- personal data: any information related to an identified or identifiable individual. The following information would not be subject to the Private Data Protection Law:
  - information collected and stored for personal use and not intended for divulgence or commercialisation;
  - information collected by credit bureaux;
  - information about entities;
  - information about any individual when acting as a merchant or professional practitioner; and
  - information about any individual when rendering services to a legal entity or to a merchant or professional practitioner, provided that the information is limited to the subject's name, duties or position, business address, business email, business telephone and business facsimile, and the information is processed when representing the merchant or professional practitioner;
- public access source: a database that may be accessed by anyone without complying with any requirement, except for the payment of a fee;
- sensitive personal data: personal data affecting the most intimate sphere of the data subject, or of which the misuse may be a cause for discrimination or great risk for the data subject, such as information regarding racial or ethnic origins, political opinions, religious beliefs, trade union membership, physical or mental health, and sex life;
- transfer: any kind of communication of personal data made to a person other than the controller, data processor or data subject; and
- remittance: any kind of communication of personal data between the data controller and the data processor, within or outside Mexican territory.
Data protection principles
In consideration of the fact that the Private Data Protection Law is inspired by the European model provided in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on free movement of such data, the backbone of the Private Data Protection Law lies in the principles by which each data controller must abide to protect the personal data being processed by the same. These principles are summarised as follows.
- Legality: all personal data shall be lawfully collected and processed, and its collection shall not be made through fraudulent or deceitful means.
- Consent: all processing of personal data shall be subject to the consent (whether express or implied) of the data subject, with certain exemptions set out in the Private Data Protection Law. Unless exempted, a data controller processing any sensitive personal data must obtain the express consent of the data subject to process that data, which must be evidenced in writing or through an electronic signature or any other authentication mechanism developed for that purpose. Exemptions from the requirement to obtain consent exist when:
  - processing is permitted by law;
  - the personal data are publicly available;
  - processing prevents association between the personal data and the data subject or his or her identification because of the structure, content or grade of disaggregation of the personal data;
  - processing is intended to comply with obligations resulting from a legal relationship between the data controller and the data subject;
  - there is an emergency situation that may injure an individual or damage his or her assets;
  - processing is essential for the purposes of rendering healthcare services or assistance, the application of preventive medicine, determination of medical diagnosis or the management of healthcare services, as long as the data subject is unable, in the terms provided by the General Health Law, to grant his or her consent for the applicable procedure; and
  - a competent authority orders the processing.
- Quality: the data controller shall cause personal data in a database to be relevant, accurate and up to date for the purpose for which it is meant to be used, and shall only retain personal data for as long as is necessary to fulfil the specified purpose or purposes.
- Purpose: processing of personal data shall be limited to the purpose or purposes specified in the privacy notice. No database containing sensitive personal data shall be created without justifying that the purpose for its collection is legitimate, concrete and in compliance with those activities or explicit purposes sought by the data controller. Any processing of personal data for a purpose that is not compatible or analogous to what is set forth in the privacy notice shall require a new consent from the data subject.
- Proportionality: processing of personal data must be necessary, adequate and relevant for the purpose or purposes set forth in the privacy notice. With respect to sensitive personal data, reasonable efforts shall be made to keep the period of processing to a minimum.
- Loyalty: processing of personal data shall favour the interests of the data subject and a reasonable expectation of privacy, which shall be understood as the level of confidence that any person places in another that the personal data exchanged between them will be processed as agreed between them and in compliance with the Private Data Protection Law.
- Transparency: data controllers shall inform data subjects, by means of a privacy notice, about the personal data that will be subject to processing, and the purpose or purposes for the processing. With respect to sensitive personal data, the privacy notice shall expressly state that the information is of a sensitive nature.
- Responsibility: data controllers shall adopt the necessary measures to comply with all data protection principles during the processing of personal data, even if the processing is carried out by data processors or third parties. Therefore, a data controller shall ensure full compliance with the privacy notice delivered to the data subject by that data controller or by third parties with whom it has a legal relationship.
In addition to the aforementioned principles, all data controllers shall comply with the duties of security and confidentiality, which are also applicable to data processors and third parties receiving any personal data from a data controller; in that case the data controller must verify that these duties are observed by the processors and third parties concerned.
Data controllers shall implement appropriate organisational, technical and physical security measures to protect personal data against unauthorised damage, loss, modification, destruction, access or processing. These measures shall be at least equivalent to those implemented for their own confidential information.
Further, all personal data shall be kept confidential, even upon the termination of any relationship with the data subject.
Although INAI has ex officio authority to supervise compliance with the Private Data Protection Law, to date many proceedings to verify compliance have resulted from claims filed by data subjects; INAI does, however, initiate ex officio proceedings when it deems this appropriate.
ii General obligations for data handlers
Although a data controller must comply with all of the principles described above (see Section III.i), the most basic obligations imposed on data controllers are the drafting of privacy notices and making them available to data subjects, as well as obtaining consent for the processing of personal data, unless exempted under the Private Data Protection Law.
The drafting and delivery of the privacy notice to a data subject is a key factor in complying with the principle of transparency described above and, therefore, there are no exemptions from it. As a result, the privacy notice must be drafted in compliance with the strict standards and requirements stipulated in the Private Data Protection Law, its Regulations and, particularly, the Guidelines. There are three types of privacy notice, whose general characteristics, terms and conditions are as follows:
- full: a full privacy notice must be used when the personal data is personally collected from a data subject, and must contain all elements contained in the corresponding provisions of the Private Data Protection Law, the Regulations and the Guidelines;
- simplified: a simplified privacy notice may be used when the personal data are collected directly but using remote means from the data subject and must contain all elements contained in the corresponding provisions of the Private Data Protection Law, the Regulations and the Guidelines; and
- abbreviated: an abbreviated privacy notice may be used when personal data is directly obtained from a data subject by printed means and when the personal data collected is minimal. It must be drafted in accordance with Article 28 of the Regulations and Guideline 38 of the Guidelines.
When drafting the privacy notice, data controllers must identify the different uses intended for the personal data, and also distinguish those uses required for the legal relationship between the data controller and data subject (necessary purposes) from those that are not (secondary purposes). This requirement is important considering that a data subject may choose to reject (or in the future withdraw consent for) processing for those secondary purposes without affecting his or her relationship with the data controller.
When required, consent for processing any personal data must be obtained upon the collection of the personal data if the collection is made personally or directly from the data subject, or before any processing if personal data was not collected by the data controller directly from the data subject.
Data subjects also have the following rights, which are meant to secure protection of personal data (the ARCO rights):
- access: a data subject is entitled to access his or her personal data held by a data controller, as well as to know the privacy notice to which processing is subject;
- rectification: a data subject is entitled to rectify his or her personal data when it is inaccurate or incomplete;
- cancellation: a data subject shall always be entitled to cancel his or her personal data. The cancellation of personal data implies that the data controller shall keep the information only for as long as required under the applicable legal relationship and, once that period has elapsed, shall delete the corresponding personal data, unless otherwise required by an applicable statute; and
- opposition: a data subject shall always be entitled, with legal cause, to oppose the processing of his or her data. If a data subject does so, the data controller shall not be entitled to process the data concerning that data subject.
Notwithstanding the above, and in addition to the ARCO rights, the data subject shall also be entitled to withdraw consent (withdrawal), either in whole or in part, with respect to the processing of personal data, and may limit the use or disclosure of personal data (data limitation) by means of opt-out mechanisms or by enrolling in the lists, kept by the data controller or by Profeco or Condusef, of data subjects unwilling to receive marketing communications. The ARCO rights, the right of withdrawal and data limitation are collectively referred to as data claims. The data controller shall describe the means available to the data subject to exercise any of the data claims. Data claims shall be exercised free of charge, unless the data subject exercises the same access claim again within a period of 12 months, in which case the data controller may charge a fee that shall not exceed three times the unit of measure and update (UMA) in force.
Unfortunately, the creation of awareness in Mexico regarding the protection of personal data is still a major challenge, considering that the lack of knowledge (and, in some cases, interest) together with the degree of specialisation of this matter may be delaying proper compliance with the Private Data Protection Law. Many data controllers are still gaining interest and experience in these matters, which has led to inadequate implementation of privacy notices, since this requires adequately mapping all data being processed to assess all implications. It is still common to see data controllers drafting their privacy notices without considering whether they are in fact processing any personal data, and to what extent.
iii Specific regulatory areas
Notwithstanding the fact that the Private Data Protection Law is applicable to all private parties processing personal data, with certain exceptions, and that the Governmental Data Protection Law is enforceable in respect of any processing carried out by public agencies, Mexican Official Standard NOM-004-SSA3-2012 regarding medical records is currently the only extant industry- or sector-specific legal framework, despite the idea fostered by the Private Data Protection Law that laws or regulations applicable to specific sectors or industries should be enacted. Among other relevant provisions, this standard defines the concept of 'clinical records' and imposes obligations of confidentiality in respect of these records; health providers and establishments that gather, manage and store clinical records are required to implement all measures necessary to maintain this confidentiality (e.g., password-protected firewalls).
iv Technological innovation and privacy law
Technological innovations pose a challenge under the Private Data Protection Law, as this area is regulated only broadly and sparsely, with no specific rules applicable to processing affected by such developments. Concepts such as 'big-data analytics' and the 'internet of things' have not yet been defined under the Private Data Protection Law or other applicable data protection legislation. However, processing of personal data using any technological innovation (including the use of remote or local communications media or any other technology) is governed by the Private Data Protection Law; therefore, the challenge lies in determining the degree of applicability of that Law, given that the data subject must be informed of the processing. When using remote or local communications media or any other technology, notification must be given to the data subject through a visible communication or warning about the use of those technologies to process his or her personal data, and about the manner in which the technological mechanism may be disabled (unless its use is fundamental for technical reasons). This information must also be included in the full privacy notice, clearly identifying the personal data being collected by that means, as well as the purpose of the collection. In addition, although the concept of biometric data is not defined under the Private Data Protection Law or other applicable data protection legislation, the non-binding guideline issued by INAI defines biometric data and reaffirms that biometric data is deemed 'personal data' or 'sensitive personal data'.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Mexico is party to several international organisations (such as APEC, the Asia-Pacific Economic Cooperation, and the Organization of American States) that aim to protect personal data being transferred within their respective regions, whether domestically or internationally. Convention 108 and ETS 181 establish that the parties shall adopt provisions and restrictions for the transfer of personal data between the parties to the Convention and non-party countries.
Under the Private Data Protection Law, an international communication of personal data originating from a data controller subject to the Private Data Protection Law may be deemed either a 'transfer' or a 'remittance', depending on the purpose for communicating the data and the recipient of the same. Each of these communications must meet specific requirements, which are described below.
i Transfer of personal data
A transfer is any communication of personal data by a data controller to any private or public entity different from the data subject or the data processor. In this regard, any transfer of personal data must be consented to by the data subject concerned, except where exempted pursuant to Article 37 of the Private Data Protection Law; the transfer must be notified to the data subject by means of a privacy notice and limited to those purposes justifying the transfer.
A data controller would be able to transfer personal data without the consent of a data subject if the transfer is:
- stipulated by a law or treaty to which Mexico is party;
- needed for prevention of illness or medical diagnosis, healthcare assistance, medical treatment or management of health services;
- made to holding companies, subsidiaries or affiliates under common control of the data controller that operate under the same processes and internal policies;
- required by an agreement entered into or to be entered into between the data controller and a third party in the interest of the data subject;
- necessary or legally required to protect the public interest or the prosecution or enforcement of justice;
- required for the acknowledgment, exercise or defence of a right in a judicial proceeding; or
- necessary for the preservation of, or compliance with, a legal relationship between the data controller and the data subject.
Any international data transfer shall be evidenced by an agreement or any other document whereby the third party assumes the same data protection obligations undertaken by the data controller and the conditions for processing consented to by the data subject as detailed in the corresponding privacy notice. International data transfers do not need the approval of the INAI or any other Mexican regulatory agency to be completed, and there is no need to submit standard contractual clauses or comparable instruments to any of them; however, a data controller may seek, at its sole discretion, the opinion of the INAI on whether an international transfer complies with the applicable requirements before completing the transfer.
ii Remittance of personal data
A remittance is any communication of personal data made by a data controller to an individual or legal entity that is unrelated to the data controller with the purpose of conducting any processing on behalf of the data controller.
A remittance does not need to be notified to a data subject by means of a privacy notice, nor does it require the consent of the data subject. However, to carry out the remittance, a data controller and data processor shall enter into a certain agreement with the purpose of evidencing the existence, scope and content of the relationship, which should be consistent with the privacy notice delivered by the data controller to the relevant data subject.
Under the GDPR, certain restrictions or requirements may have to be fulfilled prior to completion of an international transfer of personal data to data controllers or data processors located in Mexico. Notwithstanding the approval of the Convention 108 and ETS 181, as of the date of our review, Mexico has not been recognised by the European Commission as a third country providing adequate data protection to facilitate personal data transfers to countries within the EU.
V COMPANY POLICIES AND PRACTICES
The following are among the security measures data controllers must implement:
- carry out data mapping to identify the personal data that are subject to processing and the procedures involved in the processing;
- establish the posts and roles of those officers involved in the processing of the personal data;
- identify risk and carry out a risk assessment when processing personal data;
- implement security measures;
- carry out a gap analysis to verify those security measures for which implementation is still pending;
- develop a plan to implement those security measures that are still pending;
- implement audits;
- conduct training for those officers involved in the processing;
- have a record of the means used to store personal data; and
- put in place a procedure to anticipate and mitigate any risks arising from the implementation of new products, services, technologies and business plans when processing personal data.
VI DISCOVERY AND DISCLOSURE
Data controllers are obliged to disclose personal data in the event that there is a binding and non-appealable resolution from a competent Mexican authority. A data subject's consent for the processing of personal data shall not be required to the extent that the processing is meant to comply with a resolution from a competent Mexican authority. The Constitution grants all individuals the fundamental right to protect their personal data, as well as the right to access, rectify, cancel and oppose any processing of the same. It should be noted that the Constitution recognises that this right is not without limit; therefore, those principles protecting personal data are subject to certain exceptions for national security, public policy, public security and health, or to protect third-party rights.
Transfers of personal data for legal proceedings or investigations in other countries shall always be carried out in compliance with the Private Data Protection Law and through a letter rogatory following the adequate diplomatic or judicial channels. Data controllers should always analyse whether the privacy notice was disclosed to the data subject, whether the consent is required or exempted and was properly granted, and whether the transfer is limited to those purposes used to justify it. Additionally, the data controller and the relevant authority should enter into an agreement or any other document, as described in Section IV.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
Initiation of proceedings
The INAI takes charge of data protection proceedings (DPPs) and of compliance-verification proceedings (VPs).
DPPs are intended to resolve claims filed by a data subject or his or her legal representative alleging that a data controller has failed to attend to a claim exercising the data subject's ARCO rights or when the resolution of the data controller does not satisfy the data subject.
VPs may be commenced ex officio by the INAI or at the request of a party. An ex officio VP will take place following a breach of a resolution issued in connection with a DPP, or if a breach of the Private Data Protection Law is presumed to be founded and substantiated by the INAI. During a VP, the INAI shall have access to the information and documentation deemed necessary, in accordance with the resolution originating the verification.
In the event that the INAI becomes aware during a DPP or VP of a presumed breach of the Private Data Protection Law, a proceeding to impose penalties will commence in order to assess the infringement. The available penalties include the following:
- a warning issued by the INAI urging a data controller to comply with the data subject's demands. Note that this course of action is limited to certain types of infringement;
- fines of between 100 and 320,000 times the UMA,2 which is published by the National Institute of Statistics and Geography, the amount being determined based on the nature of the infringement; and
- imprisonment for up to three years in certain cases, such as when someone authorised to process any personal data causes a security breach in relation to the data under his or her control with the purpose of obtaining a gain; or imprisonment for up to five years when someone processes personal data with the intention of obtaining a gain by deceiving, or taking advantage of the error of, a data subject or the person authorised to transfer any personal data.
The fines and terms of imprisonment set out above may be doubled if the infringement involves sensitive personal data. Although the Private Data Protection Law does not entitle a data subject to receive any indemnification in light of damage suffered because of a data controller's breach, it does acknowledge that any of the fines or penalties indicated above would be imposed against a data controller without prejudice to any liability that the data controller may have in civil and criminal law.
When assessing the fine or penalty to be imposed, the INAI would consider:
- the nature of the personal data;
- the inappropriateness of the failure to comply with the claim of the data subject;
- whether the action or omission was deliberate;
- the economic capacity of the data controller; and
- any reoccurrence of the breach.
Data controllers may challenge these sanctions or fines by means of a nullity claim before the Federal Court of Tax and Administrative Justice.
In addition, Profeco and Condusef are entitled to verify the adequate use of consumer information. If either of them finds that a corporation is engaging in unsolicited marketing to a customer enrolled in the Public Registry of Consumers or the Public Registry of Individual Users, or that it has used consumers' data for a purpose other than marketing, the following shall apply: as of 2017, Profeco may impose fines of up to 1.56 million Mexican pesos; or Condusef may impose fines of up to 2,000 times the UMA in force.3
In recent years, the INAI has fined, inter alia, financial institutions, telecom companies and healthcare providers. The most significant fines imposed by the INAI so far are discussed below. However, most of these fines have been challenged by the data controllers concerned and the proceedings are pending resolution.
A fine of 9.8 million Mexican pesos was imposed on Tarjetas Banamex, SA de CV SOFOM, ER (Tarjetas Banamex) on the grounds that Tarjetas Banamex personnel made telephone calls to collect an unpaid balance but to a telephone number belonging to a data subject that was different from the cardholder in question, and failed to allow the data subject to rectify and cancel his personal data stored with Tarjetas Banamex. This resolution has been removed from INAI's webpage, as a result of a preventive measure issued by the Federal Fiscal and Administrative Court.
A fine of 4.6 million Mexican pesos was imposed on Operadora de Hospitales Ángeles, SA de CV (the hospital) on the grounds that the hospital was negligent when processing and answering a claim filed by a data subject to request access to her clinical file. Given that the clinical file contained sensitive personal data of the data subject, the fine was doubled.
A fine of 10.2 million Mexican pesos was imposed on Radiomóvil Dipsa, SA de CV (Telcel). Telcel personnel had made calls to collect unpaid balances from individuals who were on a frequently dialled-number list of persons owing money to Telcel, and divulged to them the amount owed without the express consent of the data subject.
A fine of 32 million Mexican pesos was imposed on Banco Mercantil del Norte, SA, Institución de Banca Múltiple, Grupo Financiero Banorte (Banorte). Banorte collected sensitive personal data without the consent of the data subject and stored the data without a legal justification in breach of the principles of information, proportionality and legality, as it failed to deliver a privacy notice to the claimant and processed personal data of the husband of the claimant that was not necessary, adequate or relevant for the purpose of the data collection.
ii Recent enforcement cases
A fine of 1.402 million Mexican pesos was imposed on a travel agency. The INAI's decision to fine the travel agency was based on the following arguments:
- the travel agency obstructed INAI's verification proceeding by failing to answer the official requests for information;
- the travel agency privacy notice did not comply with the Private Data Protection Law;
- the travel agency processed personal data, including financial information of the data subject, without the express consent of the data subject; and
- the travel agency processed personal data from the data subject in breach of the principles of information, responsibility and legality, since it failed to deliver its privacy notice to the data subject and processed personal data in contravention of the Private Data Protection Law.
A fine of 35,050 Mexican pesos was imposed on a fitness club. The INAI's decision to fine the fitness club was based on the following arguments:
- fingerprints are biometric data and constitute sensitive personal data, and the fitness club collected them without the written consent of the data subject;
- the fitness club privacy notice did not comply with the Private Data Protection Law; and
- the fitness club processed personal data from the claimant in breach of the principles of information, responsibility and legality, since the fitness club failed to deliver its privacy notice to the claimant, did not adopt adequate security measures and processed personal data in contravention of the Private Data Protection Law.
iii Private litigation
The Private Data Protection Law makes no provision regarding remedies or financial recovery for the data subject as a result of a breach of data protection rights; however, data subjects are entitled to file a claim before the civil courts to seek indemnification resulting from moral damage. We are not aware of any claims of this nature. The first chamber of the Mexican Supreme Court has issued certain groundbreaking, non-binding court precedents resolving that, when awarding damages, courts and judges shall consider aggravating factors, such as the degree of responsibility, to determine a fair indemnification, thereby openly recognising concepts such as 'punitive damages', which had not previously been developed in court precedents.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
The Private Data Protection Law is applicable to:
- data processors not located in Mexico, but that process personal data on behalf of data controllers located in Mexico;
- data controllers that are not located in Mexico, but that are subject to Mexican laws as a result of an agreement or in terms of international laws; or
- data controllers using means located in Mexico (even if they are not established in Mexico), except if those means are merely for transit purposes, without involving the processing of personal data.
As a result of the above, foreign companies must always analyse whether their activities, or the activities of their affiliates, would result in the application of the Private Data Protection Law.
Foreign companies have also faced certain challenges considering that, under the premise that privacy notices should be simple and easy to understand, the INAI has been reluctant to accept privacy notices issued by multiple data controllers, even if they are part of the same corporate group.
IX CYBERSECURITY AND DATA BREACHES
Cybersecurity is broadly addressed within the Private Data Protection Law and its Regulations, by establishing that all private entities processing personal data, and data controllers in particular, shall have adequate physical, technical and organisational measures to prevent any personal data breach. It should be noted that the Private Data Protection Law and its Regulations do not attempt to impose a catalogue of security measures to be adopted by those bound by them, but rather outline general principles applicable to security measures that shall be implemented by those processing personal data. In that spirit, the INAI has issued certain documents in an attempt to simplify the implementation of security measures, such as:
- the Recommendations on Personal Data Security outlining the minimum actions needed to securely process personal data;
- the Methodology for Analysing Risk to assess the risks when processing personal data;
- the Guide to Implementing a Personal Data Security Management System to establish security measures based on the cyclic model of 'planning, doing, checking and acting'; and
- the Guide on Personal Data Security for Micro, Small and Medium-Sized Businesses, which guides such companies in compliance with the Private Data Protection Law and its Regulations with respect to security measures and the implementation of a personal data security management system.
A data controller must notify each data subject upon confirmation that a data breach has occurred, once it has taken any actions intended to assess the magnitude of the breach. The notice shall contain at least the nature of the incident, the personal data affected, advice on the actions that may be adopted by the data subject to protect his or her interests, the remedial actions that were immediately carried out and the means through which the data subject may obtain further information. In addition, the data controller would have to take corrective and preventive actions and improve its security measures to avoid the reoccurrence of the same breach.
The Private Data Protection Law and its Regulations do not oblige a data controller to notify the INAI upon the occurrence of a breach or of the measures taken by the data controller. However, failing to comply with any of the obligations mentioned above may constitute an infraction under the Private Data Protection Law that may result in the imposition of sanctions by the INAI.
We are not aware of any intended amendments to the Private Data Protection Law since the previous edition of this publication; however, we anticipate that a bill will be submitted in order to harmonise the Data Protection Laws with the Convention 108 and ETS 181.