The right to privacy or intimacy is contemplated in Paragraphs 1 and 12 of Article 16 of the Mexican Constitution, which prohibits anyone from intruding into an individual's person, family, domicile, documents or belongings (including private communications, which may not be intercepted), except when ordered by a competent authority on the basis of the applicable law. The right to data protection is stipulated in Paragraph 2 of Article 16 of the Constitution, which seeks to set a standard for all collecting, using, storing, disclosing or transferring (collectively, processing) of personal data (as defined below) in order to secure the rights to privacy and informational self-determination. The rights to privacy and to data protection are closely related fundamental rights that, along with other fundamental rights, seek to protect an individual's ability to guard a portion of his or her life from the intrusion of third parties. Notwithstanding this, while a breach of privacy usually results in a breach of the right to protection of personal data, a data protection breach does not always result in a breach of privacy.
The first formal effort to address personal data protection was introduced in 2002 when the Mexican Congress approved the Federal Law for Transparency and Access to Public Governmental Information (the Former Transparency Law). Although the Former Transparency Law was mainly aimed at securing access to any public information in the possession of the branches of government and any other federal governmental body, it also incorporated certain principles and standards for the protection of personal data being handled by those government agencies. This effort was followed by similar legislation at the state level.
After several attempts to address data protection rights more decisively, in 2009 Congress finally approved a crucial amendment to the Constitution that recognised the protection of personal data as a fundamental right. Consequently, Congress enacted the Federal Law for the Protection of Personal Data in Possession of Private Parties (the Private Data Protection Law), which became effective on 6 July 2010 and was followed by the Regulations of the Private Data Protection Law on 22 December 2011.
Additionally, in January 2014 Congress approved an amendment to the Constitution to create an autonomous entity to be in charge of enforcing the Private Data Protection Law and to take on the duties of the former Federal Institute for Access to Information and Protection of Data (the former IFAI), which was originally created as a semi-autonomous agency separate from the federal public administration. However, in a rather controversial move, the former IFAI amended its internal regulations so that it could assume the necessary characteristics, and role, of the proposed autonomous entity. Consequently – and as a result of the new General Law for Transparency and Access to Public Governmental Information, which annulled the effect of the former Transparency Law – all matters previously dealt with by the former IFAI are now being handled by the 'new IFAI' as an autonomous entity; and it has adopted the title National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
The Private Data Protection Law is an omnibus data protection law that sets the principles and minimum standards that shall be followed by all private parties when processing any personal data. However, the Private Data Protection Law also recognises that standards for implementing data protection may vary depending on the industry or sector. Accordingly, the Private Data Protection Law can certainly be complemented by sectorial laws and self-imposed regulatory schemes, which would focus on particular industry standards and requirements, to the extent that those standards and requirements comply with the data protection principles in the Private Data Protection Law. There have been efforts to promote such sector-specific rules among those processing any personal data within the same industry.
Finally, on 13 December 2016 the Mexican Congress approved the General Law for the Protection of Personal Data in Possession of Governmental Entities (the Governmental Data Protection Law, and collectively with the Private Data Protection Law, the Data Protection Laws), which was enacted on 27 January 2017, to establish a legal framework for the protection of personal data by any authority, entity or organ of the executive, legislative and judicial branches, political parties, and trusts and public funds operating at federal, state and municipal level. Since this publication is intended to address issues arising from data protection in the private sector, we will not address the Governmental Data Protection Law in detail, except where necessary to add context.
The INAI is in charge of promoting the rights to protection of personal data and enforcing and supervising compliance with the Data Protection Laws and those secondary provisions deriving from those Laws. To this end, with respect to the private sector, the INAI has been authorised to supervise and verify compliance with the Private Data Protection Law; interpret administrative aspects of the Data Protection Laws; and resolve claims and, inter alia, impose fines and penalties. The INAI has been actively working through media campaigns to raise awareness among corporations and individuals of the relevance of adequate protection of personal data. Although the INAI has the authority to initiate enforcement activities, most fines and penalties imposed have resulted from claims filed by data subjects. We are aware that companies that have been fined by the INAI for breaching the Private Data Protection Law have challenged the decisions by means of nullity claims and amparo lawsuits; however, the relevant files are not publicly available.
II THE YEAR IN REVIEW
During 2019, the INAI continued to enforce the Private Data Protection Law and, at the same time, issued opinions and guidelines that may in the future translate into amendments to the Private Data Protection Law, particularly with respect to the use of mobile devices.
On 28 September 2018 the Federal Official Gazette published the decree issuing the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data dated 28 January 1981 (Convention 108) and its additional Protocol dated 8 November 2001 (ETS 181).
On 24 November 2018 the INAI published a bulletin informing the public that it would verify whether the Attorney General of the Republic (FGR) had breached the Governmental Data Protection Law by using Pegasus, surveillance software acquired for criminal investigations that was allegedly used to spy on journalists, activists and human rights observers. The bulletin detailed how the current FGR had to demonstrate that the software had been uninstalled from the equipment of the Unit for Cyber Investigations and Technological Operations of the Criminal Investigation Agency, as well as from any other equipment, and submit evidence of the policies, methods and techniques followed to uninstall the software.
On 4 January 2018 Congressman Ramón Villagómez Guerrero submitted a bill to amend the Private Data Protection Law in order to align it with the Governmental Data Protection Law and to include definitions of concepts that are currently defined only in the Regulations; this bill has not yet been approved by Congress.
On 8 February 2019, the INAI made available to data controllers a tool called the 'data breach evaluator', which allows data controllers to register and record the current security measures within companies with the purpose of minimising the occurrence and impact of data breaches. This tool was created exclusively to help data controllers improve their security measures. It is our understanding that the INAI does not have access to the information registered in this tool.
On 25 February 2019, the INAI published a bulletin stating that as a result of a data breach in which the National Savings and Financial Services Bank (Bansefi) exposed the personal data of a user (including their name, address, bank account information and email address) on their website from 2013 to 2018, the Internal Control Body of Bansefi should impose penalties on the officer responsible for disclosing the personal data. The penalty may not be paid with public resources.
On 21 and 22 March 2019, the Ministry of Finance and Public Credit issued several provisions that amend, add and eliminate various articles of the General Provisions for the Prevention of Money Laundering and Terrorism Financing applicable to services that may be rendered by financial entities such as credit institutions and exchange offices, including opening accounts, entering into agreements or performing financial operations over the internet or through mobile devices. Financial entities will request clients' geolocation, as well as biometric data such as voice and image matching, in order to perform such operations and will therefore require the express written consent of clients.
In May 2019, the INAI published non-binding guidelines on the various tools and applications that parents may use to supervise or limit access and content on mobile devices used by their children, with the aim of preventing children from disclosing their personal data on unsecured sites.
On 4 July 2019, the INAI published a bulletin stating that it would initiate a constitutional proceeding before the Mexican Supreme Court against the Administrative Liability Law of the state of Nuevo León, issued on 7 June 2019, arguing that several of its provisions violate the right to data protection provided in the Constitution, specifically the principles of legality, purpose and proportionality established in the Governmental Data Protection Law.
On 16 July 2019, the INAI published recommendations for preventing the theft, disclosure or alteration of personal data in the digital era, covering security configurations, mobile applications and software considered useful for users to protect their privacy and personal data while using the internet.
The Organization of American States (OAS) published a study on the state of cybersecurity in the Mexican financial system to increase awareness of the growing threats to digital security in the Latin American and Caribbean region.
In a recent interview with local newspapers, the Commissioner-President of the INAI said that, in light of recent data breaches, it is important to amend the Private Data Protection Law to place data controllers under an obligation to notify the INAI of any data breach they suffer. However, no bill to amend the Private Data Protection Law to that effect has been submitted yet.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The most relevant pieces of legislation addressing personal data protection in Mexico are the following:
- the Constitution;
- the Private Data Protection Law;
- the Governmental Data Protection Law;
- the Regulations of the Private Data Protection Law;
- the Guidelines for Privacy Notices; and
- the Self-Regulation Parameters on Data Protection, which are applicable to the private sector.
The Private Data Protection Law identifies the data protection principles governing all processing of personal data, as well as the obligations imposed on any private person, whether an individual or an entity, that has control over the processing of personal data (a data controller), on data processors (as defined below), on third parties and on any others engaged in the processing of personal data. As required by the Private Data Protection Law, the Mexican executive branch issued the Regulations of the Private Data Protection Law with the intention of clarifying the scope of the principles and obligations provided by the Private Data Protection Law. The Regulations also set forth the rules applicable to the exercise by data subjects of their rights in relation to data controllers, and the proceedings arising from claims filed by data subjects before the INAI in the event of a breach of the Private Data Protection Law by a data controller. Finally, the Guidelines for Privacy Notices (the Guidelines), issued by the Ministry of the Economy, set the standard of detail that data controllers must meet when drafting their privacy notices and the scope of the language used in them; and the Self-Regulation Parameters on Data Protection, also issued by the Ministry of the Economy, establish the rules, criteria and procedures for the development and implementation of self-regulatory schemes on data protection.
Both the Federal Consumer Protection Law and the Federal Consumer Protection Law for the Users of Financial Services also contain provisions protecting consumers, whether individuals or entities, from the processing of their information for marketing purposes. Before marketing products, corporations or financial entities must first consult the list of consumers who have recorded, in the Public Registry of Consumers held by the Federal Consumers Attorney's Office (Profeco) or the Public Registry of Individual Users managed by the National Commission for the Protection of Financial Services Users (Condusef), that they do not wish to receive marketing information. Any marketing activity directed at consumers enrolled in those registries may result in fines imposed by Profeco or Condusef, as applicable.
In addition to any other terms defined herein, the following terms in particular should be taken into consideration for a better understanding of Mexican law on the subject:
- data processor: any natural person or entity that individually or jointly with others carries out the processing of personal data on behalf of the data controller;
- data subject: the natural person whom the personal data concerns;
- personal data: any information related to an identified or identifiable individual. The following information would not be subject to the Private Data Protection Law:
- information collected and stored for personal use and not intended for disclosure or distribution;
- information collected by credit bureaux;
- information about entities;
- information about any individual when acting as a merchant or professional practitioner; and
- information about any individual when rendering services to a legal entity or to a merchant or professional practitioner, provided that the information is limited to the subject's name, duties or position, business address, business email, business telephone and business facsimile, and is processed only in the subject's capacity as representative of the merchant or professional practitioner;
- public access source: a database that may be accessed by anyone without complying with any requirement, except for the payment of a fee;
- sensitive personal data: personal data affecting the most intimate sphere of the data subject, or of which the misuse may be a cause for discrimination or great risk for the data subject, such as information regarding racial or ethnic origins, political opinions, religious beliefs, trade union membership, physical or mental health, and sex life;
- transfer: any kind of communication of personal data made to a person other than the controller, data processor or data subject; and
- remittance: any kind of communication of personal data between the data controller and the data processor, within or outside Mexican territory.
Data protection principles
In consideration of the fact that the Private Data Protection Law is inspired by the European model provided in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on free movement of such data, the Private Data Protection Law is based on the principles by which each data controller must abide to protect the personal data being processed. These principles are summarised as follows.
- Legality: all personal data shall be lawfully collected and processed.
- Consent: all processing of personal data shall be subject to the consent (whether express or implied) of the data subject, with certain exemptions set out in the Private Data Protection Law. If it is not exempted, when a data controller is processing any sensitive personal data, the data controller must obtain the express consent of the data subject to process this data, which must be evidenced in writing or through an electronic signature or any other authentication mechanism developed for that purpose. Exemptions to the requirement to obtain consent exist when:
- processing is permitted by law;
- the personal data is publicly available;
- processing prevents association between the personal data and the data subject or his or her identification because of the structure, content or grade of disaggregation of the personal data;
- processing is intended to comply with obligations resulting from a legal relationship between the data controller and the data subject;
- there is an emergency situation that may injure an individual or damage his or her assets;
- processing is essential for the purposes of rendering healthcare services or assistance, the application of preventive medicine, determination of medical diagnosis or the management of healthcare services, as long as the data subject is unable, in the terms provided by the General Health Law, to grant his or her consent for the applicable procedure; and
- a competent authority orders the processing.
- Quality: the data controller shall cause personal data in a database to be relevant, accurate and up to date for the purpose for which it is meant to be used, and shall only retain personal data for as long as is necessary to fulfil the specified purpose or purposes. Regarding sensitive personal data, reasonable efforts shall be made to keep the period of processing to a minimum.
- Purpose: processing of personal data shall be limited to the purpose or purposes specified in the privacy notice. No database containing sensitive personal data shall be created without justifying that the purpose for its collection is legitimate, concrete and in compliance with those activities or explicit purposes sought by the data controller. Any processing of personal data for a purpose that is not compatible or analogous to what is set forth in the privacy notice shall require a new consent from the data subject.
- Proportionality: processing of personal data must be necessary, adequate and relevant for the purpose or purposes set forth in the privacy notice.
- Loyalty: processing of personal data shall favour the interests of the data subject and a reasonable expectation of privacy, which shall be understood as the level of confidence that any person deposits in another that the personal data exchange between them shall be processed as agreed between them in compliance with the Private Data Protection Law. Its collection shall not be made through fraudulent or deceitful means.
- Transparency: data controllers shall inform data subjects, by means of a privacy notice, about the personal data that will be subject to processing, and the purpose or purposes for the processing. With respect to sensitive personal data, the privacy notice shall expressly state that the information is of a sensitive nature.
- Responsibility: data controllers shall adopt the necessary measures to comply with all data protection principles during the processing of personal data, even if the processing is carried out by data processors or third parties. Therefore, a data controller shall ensure full compliance with the privacy notice delivered to the data subject by that data controller or by third parties with whom it has a legal relationship.
In addition to the aforementioned principles, all data controllers shall comply with the duties of security and confidentiality. These duties also apply to data processors and third parties receiving personal data from a data controller, in which case the data controller must verify that the duties are observed by those data processors and third parties.
Data controllers shall implement appropriate organisational, technical and physical security measures to protect personal data against unauthorised damage, loss, modification, destruction, access or processing. These measures shall be at least equivalent to those implemented for their own confidential information.
Further, all personal data shall be kept confidential, even upon the termination of any relationship with the data subject.
The INAI has ex officio authority to supervise compliance with the Private Data Protection Law. To date, most verification proceedings have resulted from claims filed by data subjects; however, the INAI has determined to initiate ex officio proceedings where appropriate.
ii General obligations for data handlers
Although a data controller must comply with all of the principles described above (see Section III.i), the most basic obligations imposed on data controllers are the drafting of privacy notices and making them available to data subjects, and obtaining consent to the processing of personal data unless an exemption under the Private Data Protection Law applies.
The drafting and delivery of the privacy notice to a data subject is a key factor in complying with the principle of transparency described above and, therefore, there are no exemptions from it. As a result, the privacy notice must be drafted in compliance with the strict standards and requirements stipulated in the Private Data Protection Law, its Regulations and, in particular, the Guidelines. There are three types of privacy notice, whose general characteristics, terms and conditions are as follows:
- full: a full privacy notice must be used when the personal data is personally collected from a data subject, and must include all elements contained in the corresponding provisions of the Private Data Protection Law, the Regulations and the Guidelines;
- simplified: a simplified privacy notice may be used when the personal data is collected directly but using remote means from the data subject and must contain all elements contained in the corresponding provisions of the Private Data Protection Law, the Regulations and the Guidelines; and
- abbreviated: an abbreviated privacy notice may be used when personal data is directly obtained from a data subject by printed means and when the personal data collected is minimal. It must be drafted in accordance with Article 28 of the Regulations and Guideline 38 of the Guidelines.
When drafting the privacy notice, data controllers must identify the different uses intended for the personal data, and also distinguish those uses required for the legal relationship between the data controller and data subject (necessary purposes) from those that are not (secondary purposes). This requirement is important considering that a data subject may choose to reject (or in the future withdraw consent for) processing those secondary purposes without affecting his or her relationship with the data controller.
When required, consent for processing any personal data must be obtained upon the collection of the personal data if the collection is made personally or directly from the data subject, or before any processing if personal data was not collected by the data controller directly from the data subject.
The data controller shall describe the means available to the data subject to exercise his or her rights to access, rectify, cancel or oppose the processing of personal data (the ARCO rights), to withdraw consent to the processing of personal data, in whole or in part (withdrawal), and to limit the use or disclosure of personal data (data limitation); these rights are collectively referred to as data claims. Data claims shall be exercised free of charge, unless the data subject exercises the right of access more than once within a period of 12 months, in which case the data controller may charge a fee that shall not exceed three times the unit of measure and update (UMA) in force.
Unfortunately, awareness of personal data protection in Mexico is still a major challenge. A lack of knowledge (and, in some cases, interest), combined with the degree of specialisation required by this subject, may be delaying proper compliance with the Private Data Protection Law. Many data controllers are still gaining interest and experience in these matters, which has led to inadequate implementation of privacy notices, since a proper notice requires mapping all data being processed in order to assess all of the implications. It is still common to see data controllers drafting their privacy notices without considering whether they are in fact processing any personal data, and to what extent.
iii Data subject rights
Data subjects have the following rights, which are intended to secure protection of personal data (the ARCO rights):
- access: a data subject is entitled to access his or her personal data held by a data controller, as well as to know the privacy notice to which processing is subject;
- rectification: a data subject is entitled to rectify his or her personal data when it is inaccurate or incomplete;
- cancellation: a data subject shall always be entitled to cancel his or her personal data. Cancellation implies a blocking period during which the data controller retains the information only for as long as required under the applicable legal relationship; once that period has elapsed, the data controller shall delete the corresponding personal data, unless retention is otherwise required by an applicable statute; and
- opposition: a data subject shall always be entitled, with legal cause, to oppose the processing of his or her data. If a data subject does so, the data controller shall not be entitled to process the data concerning that data subject.
Notwithstanding the above, and in addition to the ARCO rights, the data subject is also entitled to withdraw consent, in whole or in part, to the processing of personal data, and to limit the use or disclosure of personal data. Additionally, a data subject has the right to join or leave the lists of persons unwilling to receive marketing communications or materials that are kept by the data controller, Profeco or Condusef.
In addition, data subjects have the right to file claims before the INAI if that data controller fails to address a claim concerning the data subject's ARCO rights or when the resolution of the data controller does not satisfy the data subject. If, as a result of that claim, the INAI becomes aware of a breach of the Private Data Protection Law, it may impose penalties on a data controller. However, the Private Data Protection Law makes no provision for remedies or financial recovery for the data subject as a result of a breach of its data protection rights. Notwithstanding this, data subjects have the right to file a claim before civil courts to seek indemnification resulting from moral damage.
iv Specific regulatory areas
Notwithstanding the fact that the Private Data Protection Law is applicable, with certain exceptions, to all private parties processing personal data, and that the Governmental Data Protection Law is enforceable in respect of any processing carried out by public agencies, Mexican Official Standard NOM-004-SSA3-2012 on medical records is currently the only extant industry- or sector-specific legal framework, despite the idea fostered by the Private Data Protection Law that laws or regulations applicable to specific sectors or industries should be enacted. Among other relevant provisions, this standard defines the concept of 'clinical records' and imposes obligations of confidentiality in respect of those records; health providers and establishments that gather, manage and store clinical records are required to implement all measures necessary to maintain that confidentiality (e.g., password-protected firewalls).
v Technological innovation and privacy law
Technological innovations pose a challenge under the Private Data Protection Law, as this area is regulated only in broad terms, with no specific rules applicable to processing affected by such developments. Concepts such as 'big-data analytics' and the 'internet of things' have not yet been defined under the Private Data Protection Law or other applicable data protection legislation. However, processing of personal data using any technological innovation (including the use of remote or local communications media or any other technology) is governed by the Private Data Protection Law, so the challenge lies in determining the degree to which that Law applies, given that the data subject must be informed of the processing. When using remote or local communications media or any other technology, the data subject must be notified through a visible communication or warning about the use of those technologies to process his or her personal data, and about the manner in which the technological mechanism may be disabled (unless its use is essential for technical reasons). This information must also be included in the full privacy notice, clearly identifying the personal data collected by those means as well as the purpose of the collection. In addition, although the concept of biometric data is not defined under the Private Data Protection Law or other applicable data protection legislation, a non-binding guideline issued by the INAI defines biometric data and confirms that it is deemed 'personal data' or, as the case may be, 'sensitive personal data'.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Mexico is a member of several international organisations (such as the Asia-Pacific Economic Cooperation (APEC) and the Organization of American States) that aim to protect personal data transferred within their respective regions, whether domestically or internationally. Convention 108 and ETS 181 establish that the parties shall adopt provisions and restrictions for the transfer of personal data between parties to the Convention and non-party countries.
Under the Private Data Protection Law, an international communication of personal data originating from a data controller subject to the Private Data Protection Law may be deemed either a 'transfer' or a 'remittance', depending on the purpose for communicating the data and the recipient of the same. Each of these communications must meet specific requirements, which are described below.
i Transfer of personal data
A transfer is any communication of personal data by a data controller to any private or public entity different from the data subject or the data processor. In this regard, any transfer of personal data must be consented to by the data subject concerned, except where exempted pursuant to Article 37 of the Private Data Protection Law; the transfer must be notified to the data subject by means of a privacy notice and limited to those purposes justifying the transfer.
A data controller would be able to transfer personal data without the consent of a data subject if the transfer is:
- stipulated by a law or treaty to which Mexico is party;
- needed for prevention of illness or medical diagnosis, healthcare assistance, medical treatment or management of health services;
- made to holding companies, subsidiaries or affiliates under common control with the data controller that operate under the same processes and internal policies;
- required by an agreement entered into or to be entered into between the data controller and a third party in the interest of the data subject;
- necessary or legally required to protect the public interest or the prosecution or enforcement of justice;
- required for the acknowledgment, exercise or defence of a right in a judicial proceeding; or
- necessary for the preservation of, or compliance with, a legal relationship between the data controller and the data subject.
Any international data transfer shall be evidenced by an agreement or any other document whereby the third party assumes the same data protection obligations undertaken by the data controller and the conditions for processing as consented to by the data subject as detailed in the corresponding privacy notice. International data transfers do not need the approval of the INAI or any other Mexican regulatory agency to be completed and there is no need to submit standard contractual clauses or comparable instruments to any of them; however, a data controller may seek, at its sole discretion, the opinion of the INAI on whether an international transfer complies with these applicable requirements before completing such transfer.
ii Remittance of personal data
A remittance is any communication of personal data made by a data controller to an individual or legal entity that is unrelated to the data controller with the purpose of conducting any processing on behalf of the data controller.
A remittance does not need to be notified to a data subject by means of a privacy notice, nor does it require the consent of the data subject. However, to carry out the remittance, a data controller and data processor shall enter into a certain agreement with the purpose of evidencing the existence, scope and content of the relationship, which should be consistent with the privacy notice delivered by the data controller to the relevant data subject.
Under the GDPR, certain restrictions or requirements may have to be fulfilled prior to completion of an international transfer of personal data to data controllers or data processors located in Mexico. Notwithstanding the approval of the Convention 108 and ETS 181, as of the date of our review, Mexico has not been recognised by the European Commission as a third country providing adequate data protection to facilitate personal data transfers to countries within the EU.
V COMPANY POLICIES AND PRACTICES
The following are among the security measures data controllers must implement:
- carry out data mapping to identify the personal data that is subject to processing and the procedures involved in the processing;
- establish the posts and roles of those officers involved in the processing of the personal data;
- identify risk and carry out a risk assessment when processing personal data;
- implement security measures;
- carry out a gap analysis to verify those security measures for which implementation is still pending;
- develop a plan to implement those security measures that are still pending;
- implement audits;
- conduct training for those officers involved in the processing;
- have a record of the means used to store personal data; and
- put in place a procedure to anticipate and mitigate any risks arising from the implementation of new products, services, technologies and business plans when processing personal data.
Data controllers have the obligation to include in their privacy notice a mechanism for data subjects to exercise their ARCO rights or withdraw consent, either in whole or in part, with respect to the processing of personal data, and to limit the use or disclosure of personal data. Additionally, data controllers should make opt-out mechanisms or lists for those unwilling to receive marketing communications available to data subjects. These lists are kept by the data controller, Profeco or Condusef.
In terms of the Private Data Protection Law, while processing personal data, a data controller must distinguish such processing based on the following: (a) those purposes that, based on a contractual relationship between the data controller and the data subject, require the processing of personal data, in which case consent for such processing is not required and the opt-out option would not be available; and (b) those secondary purposes where compliance with any commitments is not required under any relationship between the data controller and the data subject, in which case the data subject is entitled to opt out and the data controller must provide mechanisms allowing the data subject to opt out prior to such processing.
VI DISCOVERY AND DISCLOSURE
Data controllers are obliged to disclose personal data in the event that there is a binding and non-appealable resolution from a competent Mexican authority. A data subject's consent for the processing of personal data shall not be required to the extent that the processing is meant to comply with a resolution from a competent Mexican authority. The Constitution grants all individuals the fundamental right to protect their personal data, as well as the right to access, rectify, cancel and oppose any processing of the same. It should be noted that the Constitution recognises that this right is not without limit; therefore, those principles protecting personal data are subject to certain exceptions for national security, public policy, public security and health, or to protect third-party rights.
Transfers of personal data for legal proceedings or investigations in other countries shall always be carried out in compliance with the Private Data Protection Law and through a letter rogatory following the adequate diplomatic or judicial channels. Data controllers should always analyse whether the privacy notice was disclosed to the data subject, whether the consent is required or exempted and was properly granted, and whether the transfer is limited to those purposes used to justify it. Additionally, the data controller and the relevant authority should enter into an agreement or any other document, as described in Section IV.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
Initiation of proceedings
The INAI takes charge of data protection proceedings (DPPs) and of compliance-verification proceedings (VPs).
DPPs are intended to resolve claims filed by a data subject or his or her legal representative alleging that a data controller has failed to attend to a claim exercising the data subject's ARCO rights or when the resolution of the data controller does not satisfy the data subject.
VPs may be commenced ex officio by the INAI or at the request of a party. An ex officio VP will take place following a breach of a resolution issued in connection with a DPP, or if a breach of the Private Data Protection Law is alleged to be founded and substantiated by the INAI. During a VP, the INAI shall have access to the information and documentation deemed necessary, in accordance with the resolution originating the verification.
In the event that the INAI becomes aware during a DPP or VP of an alleged breach of the Private Data Protection Law, a proceeding to impose penalties will commence in order to assess the infringement. The available penalties include the following:
- (a) a warning issued by the INAI urging a data controller to comply with the data subject's demands. Note that this course of action is limited to certain types of infringement;
- (b) fines of between 100 and 320,000 times the UMA,2 which is published by the National Institute of Statistics and Geography, the amount being determined based on the nature of the infringement; and
- (c) imprisonment for up to three years in certain cases, such as when someone authorised to process any personal data causes a security breach in relation to the data under his or her control with the purpose of obtaining a gain; or imprisonment for up to five years when someone processes personal data with the intention of obtaining a gain by deceiving, or taking advantage of the error of, a data subject or the person authorised to transfer any personal data.
The penalties set out in items (b) and (c) above may be doubled if the infringement involves sensitive personal data. Although the Private Data Protection Law does not entitle a data subject to receive any indemnification in light of damages suffered because of a data controller's breach, it does acknowledge that any of the fines or penalties indicated above would be imposed against a data controller without prejudice to any liability that the data controller may have in civil and criminal law.
When assessing the fine or penalty to be imposed, the INAI would consider:
- the nature of the personal data;
- the inappropriateness of the failure to comply with the claim of the data subject;
- whether the action or omission was deliberate;
- the economic capacity of the data controller; and
- any reoccurrence of the breach.
Data controllers may challenge these sanctions or fines by means of a nullity claim before the Federal Court of Tax and Administrative Justice.
In addition, Profeco and Condusef are entitled to verify the adequate use of consumer information. If either of them finds that a corporation is engaging in unsolicited marketing to a customer enrolled in the Public Registry of Consumers or the Public Registry of Individual Users, or that it has used consumers' data for a purpose other than marketing, the following shall apply: as of 2017, Profeco may impose fines of up to 1.56 million Mexican pesos; or Condusef may impose fines of up to 2,000 times the UMA in force.3
In recent years, the INAI has fined, inter alia, financial institutions, telecom companies and healthcare providers. However, most of these fines have been challenged by the data controllers concerned and the proceedings are pending resolution.
Since the enactment of the Private Data Protection Law, the INAI has been actively promoting the importance of complying with this law and pursuing those cases involving significant breaches, and it has imposed fines on several companies to raise awareness of the importance of compliance. The following relevant cases from recent years are worth mentioning.
A fine of 4.6 million Mexican pesos was imposed on Operadora de Hospitales Ángeles, SA de CV (the hospital) on the grounds that the hospital was negligent when processing and answering a claim filed by a data subject to request access to her clinical file. Given that the clinical file contained sensitive personal data of the data subject, the fine was doubled.
A fine of 32 million Mexican pesos was imposed on Banco Mercantil del Norte, SA, Institución de Banca Múltiple, Grupo Financiero Banorte (Banorte). Banorte collected sensitive personal data without the consent of the data subject and stored the data without a legal justification in breach of the principles of information, proportionality and legality, as it failed to deliver a privacy notice to the claimant and processed personal data of the husband of the claimant that was not necessary, adequate or relevant for the purpose of the data collection.
ii Recent enforcement cases
Considering that many of the resolutions issued by the INAI have been challenged by the data controllers and are pending resolution, most cases shown on the INAI's webpage for 2018 have been removed from the webpage, or the names of the parties involved have been erased. However, this year many of the proceedings initiated before the INAI involve cases against governmental entities or requests for the disclosure of public information.
A fine of 1.402 million Mexican pesos was imposed on a travel agency. The INAI's decision to fine the travel agency was based on the following arguments:
- the travel agency obstructed the INAI's verification proceeding by failing to respond to the official requests for information;
- the travel agency's privacy notice did not comply with the Private Data Protection Law;
- the travel agency processed personal data, including financial information of the data subject, without the express consent of the data subject; and
- the travel agency processed the data subject's personal data in breach of the principles of information, responsibility and legality, since it failed to deliver its privacy notice to the data subject and processed personal data in contravention of the Private Data Protection Law.
A fine of 35,050 Mexican pesos was imposed on a fitness club. The INAI's decision to fine the fitness club was based on the following arguments:
- fingerprints are biometric data and constitute sensitive personal data, and the fitness club collected them without the written consent of the data subject;
- the fitness club's privacy notice did not comply with the Private Data Protection Law; and
- the fitness club processed the claimant's personal data in breach of the principles of information, responsibility and legality, since the fitness club failed to deliver its privacy notice to the claimant, did not adopt adequate security measures and processed personal data in contravention of the Private Data Protection Law.
iii Private litigation
The Private Data Protection Law makes no provisions regarding remedies or financial recovery for the data subject as a result of a breach of data protection rights; however, data subjects are entitled to file a claim before the civil courts to seek indemnification resulting from moral damage. We are not aware of any claims of this nature. The First Chamber of the Mexican Supreme Court has issued certain groundbreaking, non-binding court precedents resolving that, when awarding damages, courts and judges shall consider aggravating factors, such as the degree of responsibility, to determine a fair indemnification, thereby openly recognising concepts such as 'punitive damages', which had not previously been developed in court precedents.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
The Private Data Protection Law is applicable to:
- data processors not located in Mexico, but that process personal data on behalf of data controllers located in Mexico;
- data controllers that are not located in Mexico, but that are subject to Mexican laws as a result of an agreement or in terms of international laws; or
- data controllers using means located in Mexico (even if they are not established in Mexico), except if those means are merely for transit purposes, without involving the processing of personal data.
As a result of the above, foreign companies must always analyse whether their activities, or the activities of their affiliates, would result in the application of the Private Data Protection Law.
Foreign companies have also faced certain challenges considering that, under the premise that privacy notices should be simple and easy to understand, the INAI has been reluctant to accept privacy notices issued by multiple data controllers, even if they are part of the same corporate group.
The Private Data Protection Law does not impose any obligation on data controllers regarding the location in which personal data should be stored or kept, or whether such data should remain in Mexico. As described in Section IV, under the Private Data Protection Law, an international communication of personal data originating from a data controller may be either a 'transfer' or a 'remittance'. It is important to note that any international data transfer will be subject to the consent of the data subject and shall be evidenced by an agreement or any other document whereby the third party assumes the same data protection obligations undertaken by the data controller and the conditions for processing as consented to by the data subject and detailed in the corresponding privacy notice.
IX CYBERSECURITY AND DATA BREACHES
Cybersecurity is broadly addressed within the Private Data Protection Law and its Regulations, which establish that all private entities processing personal data, and data controllers in particular, shall have adequate physical, technical and organisational measures in place to prevent any personal data breach. It should be noted that the Private Data Protection Law and its Regulations do not attempt to impose a catalogue of security measures to be adopted by those bound by them, but rather outline general principles applicable to the security measures that shall be implemented by those processing personal data. In that spirit, the INAI has issued certain documents in an attempt to simplify the implementation of security measures, such as:
- the Recommendations on Personal Data Security outlining the minimum actions needed to securely process personal data;
- the Methodology for Analysing Risk to assess the risks when processing personal data;
- the Guide to Implementing a Personal Data Security Management System to establish security measures based on the cyclic model of 'planning, doing, checking and acting'; and
- the Guide on Personal Data Security for Micro, Small and Medium-Sized Businesses, which guides such companies in compliance with the Private Data Protection Law and its Regulations with respect to security measures and the implementation of a personal data security management system.
A data controller must notify each data subject upon confirmation that a data breach has occurred, once it has taken any actions intended to assess the magnitude of the breach. The notice shall contain at least the nature of the incident, the personal data affected, advice on the actions that may be adopted by the data subject to protect his or her interests, the remedial actions that were immediately carried out and the means through which the data subject may obtain further information. In addition, the data controller would have to take corrective and preventive actions and improve its security measures to avoid the reoccurrence of the same breach.
The Private Data Protection Law and its Regulations do not oblige a data controller to notify the INAI upon the occurrence of a breach or of the measures taken by the data controller. However, failing to comply with any of the obligations mentioned above may constitute an infraction under the Private Data Protection Law that may result in the imposition of sanctions by the INAI.
The Cybersecurity Study, although a non-binding document, includes cybersecurity recommendations for the financial system in Mexico that aim to prevent further cyberattacks or threats, including:
- preparedness and governance: having one responsible body or corporate governance body to lead information security and fraud prevention using digital means;
- detection and analysis of digital security events: prioritising the development of capacities using emerging digital technologies, such as Big Data, artificial intelligence and related technologies;
- digital security incident management, response, recovery and reporting: investigating the source of an incident and guaranteeing the design and implementation of policies or processes for its containment, response and recovery;
- training and awareness: providing training plans and carrying out prevention campaigns; and
- financial system authorities and regulatory bodies: issuing guidelines, recommendations and instructions on digital security best practices and verifying the provision of reporting mechanisms.
We are not aware of any intended amendments to the Private Data Protection Law since the previous edition of this publication; however, we anticipate that a bill will be submitted in order to harmonise the Data Protection Laws with the Convention 108 and ETS 181.
Although the General Data Protection Regulation (GDPR) applicable in the European Union (EU) is not enforceable per se in Mexico, some provisions of the GDPR are intended to address processing beyond the borders of the EU, to the extent that it concerns the personal data of EU citizens or residents of EU Member States. As a result, it is foreseeable that (1) those entities that intend to carry out any business operation in the EU (even through remote means) shall have to meet the new standards imposed by the GDPR; and (2) those Mexican companies whose parent company is headquartered in the EU, or that process personal data on behalf of EU companies or subsidiaries, may be asked to meet the new standards imposed by the GDPR.