The Privacy, Data Protection and Cybersecurity Law Review: Mexico
The right to privacy or intimacy is contemplated in Paragraphs 1 and 12 of Article 16 of the Mexican Constitution, and prohibits the intrusion of an individual's person, family, domicile, documents or belongings (including any wiretapping communication devices), except when ordered by a competent authority supported by the applicable law. The right to data protection is stipulated in Paragraph 2 of Article 16 of the Constitution, and seeks to set a standard for collecting, using, storing, disclosing or transferring (collectively, processing) of personal data (as defined below) to secure the right to privacy and self-determination. The right to privacy and data protection are closely related fundamental rights that seek to protect individuals' ability to guard a portion of their lives from the intrusion of third parties. Notwithstanding this, while a breach of privacy usually results in a breach of the right to personal data protection, a data protection breach does not always result in a breach of privacy.
The first formal effort to address personal data protection was introduced in 2002 when Mexican Congress approved the Federal Law for Transparency and Access to Public Governmental Information (the Former Transparency Law). Although the Former Transparency Law was mainly aimed at securing access to any public information in the possession of the branches of government and any other federal governmental body, it also incorporated certain principles and standards for the protection of personal data being handled by those government agencies. This effort was followed by similar legislation at the state level.
After several attempts to address data protection rights more decisively, in 2009 Congress finally approved a crucial amendment to the Constitution that recognised the protection of personal data as a fundamental right. Consequently, Congress enacted the Federal Law for the Protection of Personal Data in Possession of Private Parties (the Private Data Protection Law), which came into effect on 6 July 2010 and was followed by the Regulations of the Private Data Protection Law on 22 December 2011.
In January 2014, Congress approved an amendment to the Constitution to create an autonomous entity to be in charge of enforcing the Private Data Protection Law and to take on the duties of the former Federal Institute for Access to Information and Protection of Data (the former IFAI), which was originally created as a semi-autonomous agency separate from the federal public administration. However, in a rather controversial move, the former IFAI amended its internal regulations so that it could assume the necessary characteristics and role of the proposed autonomous entity. Consequently – and as a result of the new General Law for Transparency and Access to Public Governmental Information, which annulled the effect of the former Transparency Law – all matters previously dealt with by the former IFAI are now being handled by the 'new IFAI' as an autonomous entity; and it has adopted the title National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
The Private Data Protection Law is an omnibus data protection law that sets the principles and minimum standards that shall be followed by all private parties when processing any personal data. However, the Private Data Protection Law also recognises that standards for implementing data protection may vary depending on the industry or sector. Accordingly, the Private Data Protection Law can certainly be complemented by sectoral laws and self-imposed regulatory schemes, which focus on particular industry standards and requirements, to the extent that those standards and requirements comply with the data protection principles in the Private Data Protection Law. There have been efforts to promote such sector-specific rules among those processing any personal data within the same industry.
On 13 December 2016, Congress approved the General Law for the Protection of Personal Data in Possession of Governmental Entities (the Governmental Data Protection Law, and collectively with the Private Data Protection Law, the Data Protection Laws), which was enacted on 27 January 2017, to set forth a legal framework for the protection of personal data by any authority, entity or organ of the executive, legislative and judicial branches, political parties and trust and public funds operating at federal, state and municipal level. Given that this particular publication is intended to address issues arising from data protection in the private sector, we will not address the Governmental Data Protection Law in detail, unless it is necessary to add context.
The INAI is in charge of promoting the rights to protection of personal data and enforcing and supervising compliance with the Data Protection Laws and those secondary provisions deriving from those Laws. To this end, with respect to the private sector, the INAI has been authorised to supervise and verify compliance with the Private Data Protection Law; interpret administrative aspects of the Data Protection Laws; and resolve claims and, inter alia, impose fines and penalties. The INAI has been actively working through media campaigns to raise awareness among corporations and individuals of the relevance of adequate protection of personal data. Although the INAI has the authority to initiate enforcement activities, most fines and penalties imposed have resulted from claims filed by data subjects. We are aware that companies that have been fined by the INAI for breaching the Private Data Protection Law have challenged the decisions by means of nullity claims and amparo lawsuits; however, the relevant files are not publicly available.
The year in review
During 2021, the INAI has continued to enforce the Private Data Protection Law and, at the same time, has issued non-binding guidelines and bulletins related to the protection of personal data.
The INAI has published many non-binding guidelines and bulletins; some of the most relevant referred to:
- the implementation of technological means and other practical suggestions to prevent cybercrimes while using any kind of technology, as well as in light of the broader adoption of working from home during the covid-19 pandemic; and
- the processing of personal data of patients diagnosed with covid-19.
On 10 January 2021, the INAI published a bulletin stating that in 2020 fines imposed for failure to comply with the Private Data Protection Law amounted to 39,324,000 pesos. The most frequent infractions were for processing personal data in contravention of the principles established in the Private Data Protection Law, namely processing or transferring personal data without the consent of the data subjects, misusing sensitive personal data and issuing deficient privacy notices.
On 18 February 2021, the INAI published a bulletin stating that it worked with the different governmental agencies in charge of covid-19 vaccination efforts to define protocols to protect and guarantee the security of the personal data collected.
On 26 February 2021, the INAI published a bulletin requesting data subjects to report any misuse of their personal data during the covid-19 vaccination process, considering that it was reported that many states and municipalities were requesting copies of official identification, which has been deemed a practice contrary to the proportionality principle and not justified for the purposes of the vaccination.
On 16 April 2021, a Decree was published in the Official Gazette of the Federation that amended certain articles of the Federal Telecommunications and Broadcasting Law in order to create a new National Registry of Mobile Telephone Users (PANUT) under the responsibility of the Federal Telecommunications Institute (IFT), which will be a database with information from customers of mobile service providers. PANUT will collect information such as: (1) user identifiers, such as name, company name, nationality and official identification; and, most importantly, (2) biometric data, which will be determined by the general administrative provisions subsequently issued by the IFT. In the event that a user does not provide this information, his or her mobile telephone line will be suspended.
On 27 April 2021, the INAI announced that the amendment to the Federal Telecommunications and Broadcasting Law infringes data protection rights by violating those established in Articles 6 and 16 of the Mexican Constitution. The INAI will bring an unconstitutionality action against that amendment.
i Privacy and data protection legislation and standards
The most relevant pieces of legislation addressing personal data protection in Mexico are the following:
- the Constitution;
- the Private Data Protection Law;
- the Governmental Data Protection Law;
- the Regulations of the Private Data Protection Law;
- the Guidelines for Privacy Notices; and
- the Self-Regulation Parameters on Data Protection, which are applicable to the private sector.
The Private Data Protection Law identifies data protection principles governing all processing of personal data, as well as the obligations imposed on any private person, whether an individual or entity, that has control over the processing of personal data (a data controller), data processors (as defined below), third parties and any others engaged in the processing of personal data. As set forth in the Private Data Protection Law, the Mexican executive branch issued the Regulations of the Private Data Protection Law with the intention to clarify the scope of those principles and obligations provided by the Private Data Protection Law. The Regulations also set forth the rules applicable to the exercise by data subjects of their rights in relation to data controllers and those proceedings arising from claims before the INAI filed by data subjects in the event of a breach of the Private Data Protection Law by a data controller. Finally, the Guidelines for Privacy Notices (the Guidelines), issued by the Ministry of the Economy, set the standard of detail that should be met by data controllers when drafting their own privacy notices and the scope of the language in privacy notices. The Self-Regulation Parameters on Data Protection set forth the rules, criteria and procedures for the development and implementation of self-regulatory schemes on data protection, which were also issued by the Ministry of the Economy.
Both the Federal Consumer Protection Law and the Federal Consumer Protection Law for the Users of Financial Services also contain stipulations protecting consumers, whether individuals or entities, from any processing of their information for marketing purposes. Corporations or financial entities that wish to market products must first review the list of consumers who do not wish to receive marketing information, which is recorded in the Consumer Public Registry held by the Federal Consumers Attorney's Office (Profeco) or in the Public Registry of Individual Users, which is managed by the National Commission for the Protection of Financial Services Users (Condusef). Any marketing activity directed at consumers enrolled in these registries may result in fines by Profeco or Condusef, as applicable.
In addition to any other terms defined herein, the following terms should be taken into consideration for a better understanding of Mexican law on the subject:
- data processor: any natural person or entity that individually or jointly with others carries out the processing of personal data on behalf of the data controller;
- data subject: the natural person whom the personal data concerns;
- personal data: any information related to an identified or identifiable individual. The following information would not be subject to the Private Data Protection Law:
  - information collected and stored for personal use and not intended for disclosure or distribution;
  - information collected by the credit bureaux;
  - information about entities;
  - information about any individual when acting as a merchant or professional practitioner; and
  - information about any individual when rendering services to a legal entity or to a merchant or professional practitioner, provided that the information is limited to the subject's name, duties or position, business address, business email, business telephone and business facsimile, and the information is processed when representing the merchant or professional practitioner;
- public access source: a database that may be accessed by anyone without complying with any requirement, except for the payment of a fee;
- sensitive personal data: personal data affecting the most intimate sphere of the data subject, or of which the misuse may be a cause for discrimination or great risk for the data subject, such as information regarding racial or ethnic origins, political opinions, religious beliefs, trade union membership, physical or mental health and sex life;
- transfer: any kind of communication of personal data made to a person other than the controller, data processor or data subject; and
- remittance: any kind of communication of personal data between the data controller and the data processor, within or outside Mexican territory.
Data protection principles
In consideration of the fact that the Private Data Protection Law is inspired by the European model provided in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the Private Data Protection Law is based on the principles each data controller must abide by to protect the personal data being processed. These principles are summarised as follows:
- Legality: all personal data shall be lawfully collected and processed.
- Consent: all processing of personal data shall be subject to the consent (whether express or implied) of the data subject, with certain exemptions set out in the Private Data Protection Law. Unless exempted, a data controller processing any sensitive personal data must obtain the express consent of the data subject to process this data, which must be evidenced in writing or through an electronic signature or any other authentication mechanism developed for that purpose. Exemptions to the requirement to obtain consent exist when:
  - processing is permitted by law;
  - the personal data is publicly available;
  - processing prevents association between the personal data and the data subject or his or her identification because of the structure, content or degree of disaggregation of the personal data;
  - processing is intended to comply with obligations resulting from a legal relationship between the data controller and the data subject;
  - there is an emergency situation that may injure an individual or damage his or her assets;
  - processing is essential for the purposes of rendering healthcare services or assistance, the application of preventive medicine, determination of medical diagnosis or the management of healthcare services, as long as the data subject is unable, in terms provided by the General Health Law, to grant his or her consent for the applicable procedure; and
  - a competent authority orders the processing.
- Quality: the data controller shall cause personal data in a database to be relevant, accurate and up to date for the purpose for which it is meant to be used and shall only retain personal data for as long as is necessary to fulfil the specified purpose or purposes. Regarding sensitive personal data, reasonable efforts shall be made to keep the period of processing to a minimum.
- Purpose: processing of personal data shall be limited to the purpose or purposes specified in the privacy notice. No database containing sensitive personal data shall be created without justifying that the purpose for its collection is legitimate, concrete and in compliance with those activities or explicit purposes sought by the data controller. Any processing of personal data for a purpose that is not compatible or analogous to what is set forth in the privacy notice shall require a new consent from the data subject.
- Proportionality: processing of personal data must be necessary, adequate and relevant for the purpose or purposes set forth in the privacy notice.
- Loyalty: processing of personal data shall favour the interests of the data subject and a reasonable expectation of privacy, which shall be understood as the level of confidence that any person places in another that the personal data exchanged between them will be processed as agreed between them in compliance with the Private Data Protection Law. Its collection shall not be made through fraudulent or deceitful means.
- Transparency: data controllers shall inform data subjects, by means of a privacy notice, about the personal data that will be subject to processing, and the purpose or purposes for the processing. With respect to sensitive personal data, the privacy notice shall expressly state that the information is of a sensitive nature.
- Responsibility: data controllers shall adopt the necessary measures to comply with all data protection principles during the processing of personal data, even if the processing is carried out by data processors or third parties. Therefore, a data controller shall ensure full compliance with the privacy notice delivered to the data subject by that data controller or by third parties with whom it has a legal relationship.
In addition to the aforementioned principles, all data controllers shall comply with the duties of security and confidentiality, which are also applicable to data processors and third parties receiving any personal data from a data controller, in which case the data controller must verify that these duties are observed by the third parties concerned.
Data controllers shall implement appropriate organisational, technical and physical security measures to protect personal data against unauthorised damage, loss, modification, destruction, access or processing. These measures shall be at least equivalent to those implemented for their own confidential information.
Further, all personal data shall be kept confidential, even upon the termination of any relationship with the data subject.
The INAI has ex officio authority to supervise compliance with the Private Data Protection Law. Currently, most proceedings to verify compliance have resulted from claims filed by data subjects; however, the INAI has determined to initiate ex officio proceedings when appropriate.
ii General obligations for data handlers
Although data controllers must comply with each of the principles described above (see Section III.i), the most basic obligations imposed on data controllers are the drafting of privacy notices and making these available to data subjects, as well as obtaining consent to the processing of personal data, unless exempted under the Private Data Protection Law.
The drafting and delivery of the privacy notice to a data subject constitutes a key factor in complying with the principle of transparency described above and, therefore, there are no exemptions to this obligation. As a result, the privacy notice must be drafted in compliance with the strict standards and requirements stipulated in the Private Data Protection Law, its Regulations and, particularly, the Guidelines. There are three types of privacy notices, whose general characteristics, terms and conditions are as follows:
- full: a full privacy notice must be used when the personal data is personally collected from a data subject and must include all elements contained in the corresponding provisions of the Private Data Protection Law, the Regulations and the Guidelines;
- simplified: a simplified privacy notice may be used when the personal data is collected directly but using remote means from the data subject and must contain all elements contained in the corresponding provisions of the Private Data Protection Law, the Regulations and the Guidelines; and
- abbreviated: an abbreviated privacy notice may be used when personal data is directly obtained from a data subject by printed means and when the personal data collected is minimal. It must be drafted in accordance with Article 28 of the Regulations and Guideline 38 of the Guidelines.
When drafting the privacy notice, data controllers must identify the different uses intended for the personal data, and also distinguish those uses required for the legal relationship between the data controller and data subject (necessary purposes) from those that are not (secondary purposes). This requirement is important considering that a data subject may choose to reject (or in the future withdraw consent for) processing those secondary purposes without affecting his or her relationship with the data controller.
When required, consent for processing any personal data must be obtained upon the collection of the personal data if the collection is made personally or directly from the data subject, or before any processing, if personal data was not collected by the data controller directly from the data subject.
The data controller shall describe the means available to the data subject to exercise their right to access, rectify, cancel or oppose the processing of their personal data (ARCO rights), as well as to withdraw consent (withdrawal), either in whole or in part, with respect to the processing of personal data, and to limit the use or disclosure of personal data (data limitation), collectively with the ARCO rights and the right of withdrawal (data claims). Data claims shall be exercised free of charge, unless the data subject exercises the same claim to access personal data within a period of 12 months, in which case the data controller may charge a fee that shall not exceed three times the unit for measure and update (UMA) in force. Unfortunately, awareness in Mexico regarding the protection of personal data is still a major challenge, considering the lack of knowledge (and, in some cases, interest) together with the degree of specialisation of this matter, which may be delaying proper compliance with the Private Data Protection Law. Many data controllers are still gaining interest and experience in these matters, which has caused inadequate implementation of privacy notices, since this requires adequately mapping all data being processed to assess all implications. It is still common to see data controllers drafting their privacy notices without considering whether they are in fact processing any personal data and to what extent.
iii Data subject rights
Data subjects have the following rights which are intended to secure protection of personal data (the ARCO rights):
- access: a data subject is entitled to access his or her personal data held by a data controller, as well as to know the privacy notice to which processing is subject;
- rectification: a data subject is entitled to rectify his or her personal data when it is inaccurate or incomplete;
- cancellation: a data subject shall always be entitled to cancel his or her personal data. The cancellation of personal data implies that the information shall be kept by the data controller for as long as required under the applicable legal relationship and, once that time has elapsed, the data controller shall delete the corresponding personal data, unless otherwise required by an applicable statute; and
- opposition: a data subject shall always be entitled, with legal cause, to oppose the processing of his or her data. If a data subject does so, the data controller shall not be entitled to process the data concerning that data subject.
Notwithstanding the above, and in addition to the ARCO rights, the data subject shall also be entitled to withdraw consent, either in whole or in part, with respect to the processing of personal data, and to limit the use or disclosure of personal data (collectively with the ARCO rights and the right of withdrawal, the data claims). Additionally, a data subject has the right to opt out of or join lists of those unwilling to receive marketing communications or materials, which are kept by the data controller, Profeco or Condusef.
In addition, data subjects have the right to file claims before the INAI if that data controller fails to address a claim concerning the data subject's ARCO rights or when the resolution of the data controller does not satisfy the data subject. If, because of that claim, the INAI becomes aware of a breach of the Private Data Protection Law, it may impose penalties on a data controller. However, the Private Data Protection Law makes no provision for remedies or financial recovery for the data subject as a result of a breach of its data protection rights. Notwithstanding this, data subjects have the right to file a claim before civil courts to seek indemnification resulting from moral damage.
iv Specific regulatory areas
Despite the fact that the Private Data Protection Law is applicable to all private parties processing personal data, with certain exceptions, and that the Governmental Data Protection Law is enforceable in respect to any processing carried out by public agencies, Mexican Official Standard NOM-004-SSA3-2012 regarding medical records is currently the only extant industry- or sector-specific legal framework – despite the idea fostered by the Private Data Protection Law that laws or regulations applicable to specific sectors or industries should be enacted. Among other relevant provisions made by this standard, it defines the concept of 'clinical records' and imposes obligations of confidentiality in respect to these records; health providers and establishments that gather, manage and store clinical records are required to implement all measures necessary to maintain this confidentiality (e.g., password-protected firewalls).
v Technological innovation and privacy law
Technological innovations pose a challenge under the Private Data Protection Law, as this area is regulated only in broad terms, with no specific rules applicable to processing affected by such developments. Concepts such as 'big-data analytics' and the 'internet of things' have not yet been defined under the Private Data Protection Law or other applicable data protection legislation. However, processing of personal data using any technological innovation (including the use of remote or local communications media or any other technology) is governed by the Private Data Protection Law; therefore, the challenge lies in determining the degree of applicability of that Law, given that the data subject must be informed of the processing. When using remote or local communications media or any other technology, notification must be given to the data subject through a visible communication or warning about the use of those technologies to process his or her personal data, and about the manner in which the technological mechanism may be disabled (unless its use is fundamental for technical reasons). This information must also be included in the full privacy notice, clearly identifying the personal data being collected by that means, as well as the purpose of the collection. In addition, notwithstanding that the concept of biometric data is not defined under the Private Data Protection Law or other applicable data protection legislation, the non-binding guideline issued by the INAI defines biometric data and reaffirms that biometric data is deemed 'personal data' or 'sensitive personal data'.
International data transfer and data localisation
Mexico is party to several international organisations (such as APEC – the Asia-Pacific Economic Cooperation – and the Organization of American States) that aim to protect personal data being transferred within their respective regions, whether domestically or internationally. Convention 108 and ETS 181 establish that the parties shall adopt provisions and restrictions for the transfer of personal data between the parties subject to such convention and non-party countries.
Under the Private Data Protection Law, an international communication of personal data originating from a data controller, subject to the Private Data Protection Law, may be deemed either a 'transfer' or a 'remittance', depending on the purpose for communicating the data and the recipient of the same. Each of these communications must meet specific requirements, which are described below.
i Transfer of personal data
A transfer is any communication of personal data by a data controller to any private or public entity different from the data subject or the data processor. In this regard, any transfer of personal data must be consented to by the data subject concerned, except where exempted pursuant to Article 37 of the Private Data Protection Law; the transfer must be notified to the data subject by means of a privacy notice and limited to those purposes justifying the transfer.
A data controller would be able to transfer personal data without the consent of a data subject if the transfer is:
- stipulated by a law or treaty to which Mexico is party;
- needed for prevention of illness or medical diagnosis, healthcare assistance, medical treatment or management of health services;
- made to holding companies, subsidiaries or affiliates under common control of the data controller who operate under the same processes and internal policies;
- required by an agreement entered into or to be entered into between the data controller and a third party in the interest of the data subject;
- necessary or legally required to protect the public interest or the prosecution or enforcement of justice;
- required for the acknowledgment, exercise or defence of a right in a judicial proceeding; or
- necessary for the preservation of, or compliance with, a legal relationship between the data controller and the data subject.
Any international data transfer shall be evidenced by an agreement or any other document whereby the third party assumes the same data protection obligations undertaken by the data controller and the conditions for processing, as consented to by the data subject and detailed in the corresponding privacy notice. International data transfers do not require the approval of the INAI or any other Mexican regulatory agency to be completed, and there is no need to submit standard contractual clauses or comparable instruments to any of them; however, a data controller may seek, at its sole discretion, the opinion of the INAI on whether an international transfer complies with the applicable requirements before completing that transfer.
ii Remittance of personal data
A remittance is any communication of personal data made by a data controller to an individual or legal entity that is unrelated to the data controller, with the purpose of conducting any processing on behalf of the data controller.
A remittance does not need to be notified to a data subject by means of a privacy notice, nor does it require the consent of the data subject. However, to carry out the remittance, the data controller and the data processor shall enter into an agreement with the purpose of evidencing the existence, scope and content of the relationship, which should be consistent with the privacy notice delivered by the data controller to the relevant data subject.
Under the GDPR, certain restrictions or requirements may have to be fulfilled prior to completion of an international transfer of personal data to data controllers or data processors located in Mexico. Notwithstanding the approval of the Convention 108 and ETS 181, as of the date of our review, Mexico has not been recognised by the European Commission as a third country providing adequate data protection to facilitate personal data transfers to countries within the EU.
Company policies and practices
Data controllers must, inter alia:
- carry out data mapping to identify the personal data that is subject to processing and the procedures involved in the processing;
- establish the posts and roles of those officers involved in the processing of the personal data;
- identify risks and carry out a risk assessment when processing personal data;
- implement security measures;
- carry out a gap analysis to verify those security measures for which implementation is still pending;
- develop a plan to implement those security measures that are still pending;
- implement audits;
- conduct training for those officers involved in the processing;
- have a record of the means used to store personal data; and
- put in place a procedure to anticipate and mitigate any risks arising from the implementation of new products, services, technologies and business plans when processing personal data.
Data controllers have the obligation to include in their privacy notice a mechanism for data subjects to exercise their ARCO rights or withdraw consent, either in whole or in part, with respect to the processing of personal data and to limit the use or disclosure of personal data. Additionally, data controllers should make opt-out mechanisms or lists for those unwilling to receive marketing communications available to data subjects. These lists are kept by the data controller, Profeco or Condusef.
In terms of the Private Data Protection Law, while processing personal data, a data controller must distinguish such processing based on the following:
- those purposes that, based on a contractual relationship between data controller and data subject, require the processing of personal data, in which case consent for such processing is not required and the opt-out option would not be available; and
- those secondary purposes where compliance with any commitments is not required under any relationship between the data controller and data subject, in which case the data subject is entitled to opt out and the data controller must provide mechanisms allowing the data subject to opt out prior to such processing.
Discovery and disclosure
Data controllers are obliged to disclose personal data in the event that there is a binding and non-appealable resolution from a competent Mexican authority. A data subject's consent for the processing of personal data shall not be required to the extent that the processing is meant to comply with a resolution from a competent Mexican authority. The Constitution grants all individuals the fundamental right to protect their personal data, as well as the right to access, rectify, cancel and oppose any processing of the same. It should be noted that the Constitution recognises that this right is not without limit; therefore, those principles protecting personal data are subject to certain exceptions for national security, public policy, public security and health, or to protect third-party rights.
Transfers of personal data for legal proceedings or investigations in other countries shall always be carried out in compliance with the Private Data Protection Law and through a letter rogatory following the adequate diplomatic or judicial channels. Data controllers should always analyse whether the privacy notice was disclosed to the data subject, whether the consent is required or exempted and was properly granted, and whether the transfer is limited to those purposes used to justify it. Additionally, the data controller and the relevant authority should enter into an agreement or any other document, as described in Section IV.
Public and private enforcement
i Enforcement agencies
Initiation of proceedings
The INAI is in charge of data protection proceedings (DPPs) and of compliance-verification proceedings (VPs).
DPPs are intended to resolve claims filed by a data subject or his or her legal representative alleging that a data controller has failed to attend to a claim exercising the data subject's ARCO rights or when the resolution of the data controller does not satisfy the data subject.
VPs may be commenced ex officio by the INAI or at the request of a party. An ex officio VP will take place following a breach of a resolution issued in connection with a DPP, or if a breach of the Private Data Protection Law is alleged to be founded and substantiated by the INAI. During a VP, the INAI shall have access to the information and documentation deemed necessary, in accordance with the resolution originating the verification.
In the event that, during a DPP or VP, the INAI becomes aware of an alleged breach of the Private Data Protection Law, a proceeding to impose penalties will commence assessing the infringement. The available penalties include the following:
- a warning issued by the INAI urging a data controller to comply with the data subject's demands. Note that this course of action is limited to certain types of infringement;
- fines of between 100 and 320,000 times the UMA,2 which is published by the National Institute of Statistics and Geography, the amount being determined based on the nature of the infringement; and
- imprisonment for up to three years in certain cases, such as when someone authorised to process any personal data causes a security breach in relation to the data under his or her control with the purpose of obtaining a gain; or imprisonment for up to five years when someone processes personal data with the intention of obtaining a gain by deceiving, or taking advantage of the error of, a data subject or the person authorised to transfer any personal data.
The fines set out in the second item above may be doubled if the infringement involves sensitive personal data. Although the Private Data Protection Law does not entitle a data subject to receive any indemnification for damages suffered because of a data controller's breach, it does acknowledge that any of the fines or penalties indicated above would be imposed against a data controller without prejudice to any liability that the data controller may have under civil and criminal law.
When assessing the fine or penalty to be imposed, the INAI would consider:
- the nature of the personal data;
- the inappropriateness of the failure to comply with the claim of the data subject;
- whether the action or omission was deliberate;
- the economic capacity of the data controller; and
- any reoccurrence of the breach.
Data controllers may challenge these sanctions or fines by means of a nullity claim before the Federal Court of Tax and Administrative Justice.
In addition, Profeco and Condusef are entitled to verify the adequate use of consumer information. If either of them finds that a corporation is engaging in unsolicited marketing to a customer enrolled in the Public Registry of Consumers or the Public Registry of Individual Users, or that it has used consumers' data for a purpose other than marketing, the following shall apply: as of 2017, Profeco may impose fines of up to 1.56 million Mexican pesos; or Condusef may impose fines of up to 2,000 times the UMA in force.3
In recent years, the INAI has fined, inter alia, financial institutions, telecom companies and healthcare providers. However, most of these fines have been challenged by the data controllers concerned and the proceedings are pending resolution. In 2020, most of the fines imposed were aimed at companies engaged in: (1) waste management and remediation services; (2) construction; (3) professional, scientific and technical services; and (4) financial and insurance services.
Since the enactment of the Private Data Protection Law, the INAI has actively promoted the importance of complying with this law, has pursued those cases involving significant breaches, and has imposed fines on several companies. The following relevant cases from recent years are worth mentioning.
A fine of 4.6 million Mexican pesos was imposed on Operadora de Hospitales Ángeles, SA de CV (the hospital) on the grounds that the hospital was negligent when processing and answering a claim filed by a data subject to request access to her clinical file. Given that the clinical file contained sensitive personal data of the data subject, the fine was doubled.
A fine of 32 million Mexican pesos was imposed on Banco Mercantil del Norte, SA, Institución de Banca Múltiple, Grupo Financiero Banorte (Banorte). Banorte collected sensitive personal data without the consent of the data subject and stored the data without a legal justification in breach of the principles of information, proportionality and legality, as it failed to deliver a privacy notice to the claimant and processed personal data of the husband of the claimant that was not necessary, adequate or relevant for the purpose of the data collection.
ii Recent enforcement cases
Considering that many of the resolutions issued by the INAI have been challenged by the data controllers and are pending resolution, most cases shown on the INAI's webpage for 2019 have been removed from the webpage, or the names of the parties involved have been erased.
Several fines amounting to approximately 1.09 million pesos were imposed on Teraba Construcciones, SA de CV. The INAI's decision to fine the data controller was based on the following arguments:
- Teraba Construcciones, SA de CV failed to comply with the information, responsibility and legality principles, since it did not implement and disclose a privacy notice prior to the collection of personal data; and
- Teraba Construcciones, SA de CV did not gather express consent to transfer the financial information of the data subjects; and it obstructed the proceedings, considering that the data controller did not provide the information requested by the INAI.
Several fines amounting to approximately 145,680 pesos were imposed on Excel Technical Services de México, SA de CV. The INAI's decision to fine the data controller was based on the following arguments:
- Excel Technical Services de México, SA de CV failed to comply with the information, responsibility and legality principles, since it did not implement and disclose a privacy notice prior to the collection of personal data; and
- Excel Technical Services de México, SA de CV did not gather express consent to transfer the financial information of the data subjects.
Several fines amounting to approximately 967,200 pesos were imposed on Sure Economía Global, SA de CV. The INAI's decision to fine the data controller was based on the following arguments:
- Sure Economía Global, SA de CV failed to comply with the information, responsibility and legality principles, since it did not implement and disclose a privacy notice prior to the collection of personal data; and
- Sure Economía Global, SA de CV did not gather express consent to transfer the financial information of the data subjects.
iii Private litigation
The Private Data Protection Law makes no provision regarding remedies or financial recovery for the data subject as a result of a breach of data protection rights. However, data subjects are entitled to file a claim before the civil courts to seek indemnification for moral damage. We are not aware of any claims of this nature. The first chamber of the Mexican Supreme Court has issued certain groundbreaking, non-binding court precedents resolving that, when awarding damages, courts and judges shall consider aggravating factors, such as the degree of responsibility, to determine a fair indemnification, thereby openly recognising concepts such as 'punitive damages', which had not previously been developed in court precedents.
Considerations for foreign organisations
The Private Data Protection Law is applicable to:
- data processors not located in Mexico, but that process personal data on behalf of data controllers located in Mexico;
- data controllers that are not located in Mexico, but that are subject to Mexican laws as a result of an agreement or in terms of international laws; or
- data controllers using means located in Mexico (even if they are not established in Mexico), except if those means are merely for transit purposes, without involving the processing of personal data.
As a result of the above, foreign companies must always analyse whether their activities, or the activities of their affiliates, would result in the application of the Private Data Protection Law.
Foreign companies have also faced certain challenges considering that, under the premise that privacy notices should be simple and easy to understand, the INAI has been reluctant to accept privacy notices issued by multiple data controllers, even if they are part of the same corporate group.
The Private Data Protection Law does not impose any obligation on data controllers as to the location in which personal data should be stored or kept, or as to whether such data should remain in Mexico. As described in Section IV, under the Private Data Protection Law, an international communication of personal data originating from a data controller may be either a 'transfer' or a 'remittance'. It is important to note that any international data transfer will be subject to the consent of the data subject and shall be evidenced by an agreement or any other document whereby the third party assumes the same data protection obligations undertaken by the data controller and the conditions for processing as consented to by the data subject and detailed in the corresponding privacy notice.
Cybersecurity and data breaches
Cybersecurity is broadly addressed within the Private Data Protection Law and its Regulations, which establish that all private entities processing personal data, and data controllers in particular, shall have adequate physical, technical and organisational measures in place to prevent any personal data breach. It should be noted that the Private Data Protection Law and its Regulations do not attempt to impose a catalogue of security measures to be adopted by those bound by them, but rather outline general principles applicable to the security measures that shall be implemented by those processing personal data. In that spirit, the INAI has issued certain documents in an effort to simplify the implementation of security measures, such as:
- the Recommendations on Personal Data Security outlining the minimum actions needed to securely process personal data;
- the Methodology for Analysing Risk to assess the risks when processing personal data;
- the Guide to Implementing a Personal Data Security Management System to establish security measures based on the cyclic model of 'planning, doing, checking and acting'; and
- the Guide on Personal Data Security for Micro, Small and Medium-Sized Businesses, which guides such companies in compliance with the Private Data Protection Law and its Regulations with respect to security measures and the implementation of a personal data security management system.
A data controller must notify each data subject upon confirmation that a data breach has occurred, once it has taken any actions intended to assess the magnitude of the breach. The notice shall contain at least the nature of the incident, the personal data affected, advice on the actions that may be adopted by the data subject to protect his or her interests, the remedial actions that were immediately carried out and the means through which the data subject may obtain further information. In addition, the data controller would have to take corrective and preventive actions and improve its security measures to avoid the reoccurrence of the same breach.
The Private Data Protection Law and its Regulations do not oblige a data controller to notify the INAI upon the occurrence of a breach or of the measures taken by the data controller. However, failing to comply with any of the obligations mentioned above may constitute an infraction under the Private Data Protection Law that may result in the imposition of sanctions by the INAI.
Although it is a non-binding document, the Cybersecurity Study, in an attempt to prevent further cyberattacks or threats, includes cybersecurity recommendations for the financial system in Mexico, including:
- preparedness and governance: having one responsible body or corporate governance body to lead information security and fraud prevention using digital means;
- detection and analysis of digital security events: prioritising the development of capacities using emerging digital technologies, such as Big Data, artificial intelligence and related technologies;
- digital security incident management, response, recovery and reporting: investigating the source of an incident and guaranteeing the design and implementation of policies or processes for its containment, response and recovery;
- training and awareness: providing training plans and carrying out prevention campaigns; and
- financial system authorities and regulatory bodies: issuing guidelines, recommendations and instructions on digital security best practices and verifying the provision of reporting mechanisms.
We are still awaiting the bills for any intended amendments to the Private Data Protection Law since the previous edition of this publication; however, we anticipate that a bill will be submitted in order to harmonise the Data Protection Laws with Convention 108 and ETS 181.
Although the GDPR, which applies in the European Union, is not enforceable per se in Mexico, some of its provisions are intended to address processing beyond the borders of the EU, to the extent that it concerns the personal data of EU citizens or residents of EU Member States. As a result of the GDPR taking effect, we foresee greater interest in complying with the standards it imposes among entities that intend to carry out business operations in the EU (even through remote means), as well as among Mexican companies whose parent company is headquartered in the EU, or that process personal data on behalf of EU companies or subsidiaries.