Key statutes, regulations and adopted international standards
On 5 July 2010, the Federal Law on the Protection of Personal Data held by Private Parties (the Data Protection Law) was enacted in Mexico, following the amendment to the Federal Constitution recognising the right to the protection of personal data as a fundamental right and the success of several legislative efforts towards having a comprehensive personal data protection law.
Before the Data Protection Law’s publication, the Mexican regime did not have a body of law that specifically dealt with personal data protection and this was instead addressed through varying regulations, such as consumer protection and copyright laws, and by other bodies protecting confidential and proprietary information.
There were many catalysts leading to the creation of the Data Protection Law but, principally, continuous and inexorable developments in technology that have allowed for the easy management and transfer of personal data, and the combination of information from different sources, have resulted in the creation of profiles that were unknown even to the data subject to whom they referred. New innovations in technology continue to amaze; however, these developments may be used to harm individuals if not properly limited and regulated. It is clear that legislative and regulatory enforcement will never match the pace at which technology advances, but if there is a body of law that encompasses the internationally agreed principles of personal data processing and a clear understanding of the importance of the data subject’s rights, there could be a favourable scenario for privacy and personal data protection, which may of course be strengthened by the interpretation made by the authorities.
The Data Protection Law sets forth the minimum principles to achieve the legitimate, controlled and informed processing of personal data carried out by private parties, guaranteeing the individual’s rights to privacy and informative self-determination. It is important to mention that the Data Protection Law does not apply to credit bureaus, which are governed by other regulations, and individuals engaged in the collection and storage of personal data exclusively for personal use and with no purposes of disclosure or commercial use.
The authority in charge of the enforcement of the Data Protection Law is the National Institute for Transparency, Access to Information and Personal Data Protection (INAI). The INAI is an autonomous constitutional body that aims to guarantee the fundamental rights of access to public information and protection of personal data. For the former, it guarantees that any authority at the federal level, autonomous body, political party, trust, public fund or trade union, or any natural or corporate entity who receives and exercises public resources or acts as an authority, provides access to public information as requested by individuals. For the latter, it guarantees the proper use of personal data, as well as the exercise and protection of the rights of access, rectification, cancellation and objection that an individual has regarding his or her information.
Processes, concepts and figures are set forth by the Data Protection Law and further developed and explained in the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (the Regulations), as well as in other secondary regulations such as the Privacy Notice Guidelines (the Guidelines) and the Parameters for Self-Regulation Regarding Personal Data.
Other non-mandatory documents issued by the INAI provide guidelines and recommendations for the better understanding of the obligations contained in the Data Protection Law and how to comply with them, such as the ‘Guide to self-regulation schemes regarding personal data protection’, the ‘Suggested minimum criteria for contracting cloud computing services that involve the processing of personal data’, the ‘Recommendations for handling personal data security incidents’, etc.
Even though the Data Protection Law is the main legislative body addressing privacy and personal data protection, it provides for the consideration of specialised authorities and industries such as education, telecommunications, health, information security and others, which are expected to participate in the creation of specific guidelines and regulations per subject matter.
Core principles on personal data
It may be said that the Data Protection Law adopts the international accepted principles of personal data processing, since it expressly establishes that data controllers must observe in all phases of the processing (life cycle of the data) the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality and accountability. It is worth noting that the principles and rights under the Data Protection Law will have, as a limit, with regard to their observance and exercise, the protection of national security, public policy, health and safety, as well as the rights of third parties.
In adopting the aforementioned principles, data controllers must, among other things:
- obtain personal data through means that are not deceptive or fraudulent;
- allow a reasonable expectation of privacy in the processing of personal data;
- ensure that data processing is subject to the consent of the data subject except as otherwise provided by the Data Protection Law;
- ensure that personal data contained in databases is relevant, correct and up to date for the purposes for which it has been collected;
- limit processing to the fulfilment of the purposes set out in the privacy notice and as necessary, appropriate and relevant with relation to such purposes, for a legitimate and specific purpose and in accordance with what was informed in the privacy notice;
- make reasonable efforts to limit the period of time during which the data is processed to the minimum possible, especially when dealing with sensitive personal data.
The data controller must ensure compliance with the principles established by the Data Protection Law and adopt all necessary measures for their application, even when the data is processed by a third party at the request of the data controller.
The role of the data protection officer
All data controllers must designate a personal data protection officer or department who will process requests from data subjects for the exercise of the rights granted by the Data Protection Law and enhance within the organisation the protection of personal data. In this regard, the INAI issued some recommendations for the appointment of the personal data protection officer, which may be accessed on the INAI’s website (www.inai.org.mx).
The Data Protection Law provides for the definition of various concepts, which are important to cite for a better understanding, among them:
- ‘consent’ as the expression of the will of the data subject by which data processing is enabled;
- ‘data controller’ as the individual or private legal entity who decides on the processing of personal data;
- ‘data processor’ as the individual or legal entity who, alone or jointly with others, processes personal data on behalf of the data controller;
- ‘data subject’ as the individual to whom the personal data relates;
- ‘processing’ as the retrieval, use, disclosure or storage of personal data by any means. Use includes any action of access, management, exploitation, transfer or disposal of personal data;
- ‘personal data’ as any information relating to an identified or identifiable individual, which is any individual whose identity can be determined, directly or indirectly, by any information. An individual will not be deemed identifiable when to obtain the identification, disproportionate periods of time or activities are required;
- ‘sensitive personal data’ as information that may reveal personal aspects of an individual such as racial or ethnic origin, health condition, genetic information, religious, philosophical or moral beliefs, labour union membership, political opinions or sexual preferences; and
- ‘transfer’ as any data communication made to a person other than the data controller or data processor.
To legally process personal data, the Data Protection Law requires that the data subject is informed of and consents to the processing of his or her personal data, except if the processing falls within one of the exceptions for consent. Information on the characteristics of the processing and consent (when needed) are normally requested in the ‘privacy notice’, which is the document in physical, electronic or any other format, generated by the data controller and made available to the data subject prior to the processing of his or her personal data.
The Data Protection Law provides that a privacy notice must at least contain the following information and the Privacy Notice Guidelines further explain and develop the way in which it must be presented to data subjects:
- The identity and address of the data controller.
- The purposes of the data processing (separately stating primary and secondary purposes, that is, those that are needed for the relationship rather than those that are not, such as marketing purposes).
- The options and means offered by the data controller to the data subjects to limit the use or disclosure of their data.
- The means for exercising rights of access, rectification, cancellation or objection. Access refers to the fact that a data subject must know the characteristics of the data processing and the privacy notice to which such processing is subject to. Rectification refers to the ability of a data subject to request the update of his or her information or its correction. The right to cancel may be exercised by the data subject when the purposes for which the information was requested have been accomplished and there is no need for the data controller to keep such information. The data subject may object for legitimate cause to the processing of his or her personal data.
- Where appropriate, the data transfers to be made (ie, communications of data different than those made to data processors).
- The procedure and means by which the data controller will notify the data subjects of changes to the privacy notice, in accordance with the provisions of the Data Protection Law.
- Expressly mention when processing sensitive personal data.
The Data Protection Law establishes the possibility of using a short or simplified privacy notice, for example, when the data is collected through formats with limited space, electronic, visual or audio means or any other technology. In such cases, the privacy notice must inform: the identity and domicile of the data controller; the purposes of the data processing; and the means to access the complete text of the privacy notice.
Consent of the data subject will not be required for the processing when:
- a law so provides;
- data is contained in publicly available sources;
- data is subject to a prior ‘dissociation’ procedure (ie, when personal data can neither be associated with the data subject nor allow, by way of its structure, content or degree of disaggregation, identification thereof);
- processing has the purpose of fulfilling obligations under a legal relationship between the data subject and the data controller;
- there is an emergency situation that could potentially harm an individual or his or her property;
- it is essential for medical attention, prevention, diagnosis, healthcare delivery, medical treatment or health services management, where the data subject is unable to give consent in the terms established by the General Health Law and other applicable laws, and the processing of data is carried out by a person subject to a duty of professional secrecy or an equivalent obligation; or
- a resolution has been issued by a competent authority.
The exceptions above refer to consent only, which means that information on the processing must always be provided. In other words, whenever there is data processing, a privacy notice must be made available to the data subjects.
In connection with consent from the data subject, tacit or implicit consent is generally accepted, except when processing financial or sensitive personal data, where express consent and express written consent, respectively, will be requested. A data subject tacitly consents to the processing when the privacy notice is made available to him or her and he or she does not object. Consent will be express when it is communicated orally, in writing, by electronic or digital means or via any other technology, or by unmistakable indication. Express written consent will be given through the data subject’s signature, electronic signature or any authentication mechanism established for this purpose.
Considering that the burden of proof of having made available a privacy notice and requested consent (when necessary) always rests on the data controller, data controllers must adopt and implement all necessary measures to be able to prove this at request.
Communications and marketing
For data controllers to which the Data Protection Law is applicable and who normally engage in the communication of personal data within and outside of Mexico, it is important to consider that the Data Protection Law distinguishes between communications of data from a data controller to a data processor, which are known as ‘transmissions’; and communications of data from a data controller to a third party or data controller, which are known as ‘transfers’.
Data transmissions do not require notifying the data subject in the privacy notice, and do not need his or her consent to be carried out, since the data controller will be ultimately responsible for the data being processed even if processed by data processors, so long as the latter follows the instructions of the data controller and its obligations according to the Data Protection Law.
However, all data transfers must be informed to and consented by the data subject, except where one of the exceptions provided by the Data Protection Law is applicable. Domestic and international transfers of data (to individuals or entities different than those acting as data processors) are possible without consent of the data subject when such transfer is:
- pursuant to a law or treaty to which Mexico is party;
- necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
- made to holding companies, subsidiaries or affiliates under common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies;
- necessary by virtue of a contract executed or to be executed in the interest of the data subject between the data controller and a third party;
- necessary or legally required to safeguard public interest or for the administration of justice;
- necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
- necessary to maintain or fulfil a legal relationship between the data controller and the data subject.
When a transfer is among holding companies, subsidiaries or affiliates under the common control of the same group as that of the data controller, or to a parent company or any company belonging to the same group as that of the data controller, the mechanism to ensure that the recipient of the personal data complies with the provisions of the Data Protection Law, the Regulations to the Data Protection Law and other applicable laws and regulations, may be the existence of binding corporate rules. A data controller may use contracts and other legal instruments that contain at least the same obligations as those to which the transferring data controller is subject, and the conditions under which the data subject consented to the processing of his or her personal data.
Automated data processing
When personal data is used in decision-making without human intervention, the data controller must inform the data subject. The data subject may exercise his or her right of access in order to know which personal data was used as part of the decision-making process, and as the case may be, the right to rectify, when he or she considers that some of the personal data used are incorrect or incomplete, so that, in accordance with the mechanisms implemented by the data controller, he or she can request a reconsideration of the decision made.
Data protection breaches
Another obligation for the data controllers is to adopt and maintain physical, technical and administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorised use, access or processing. Security measures must not be inferior to those kept by the data controller to manage its own information, and there must be a consideration of the risks involved, potential consequences for the data subjects, sensitivity of the data and technological developments in order to establish these measures.
Although there is no separate law or regulation in connection with data breaches, the Data Protection Law and the Regulations provide that security breaches occurring at any stage of the data processing that significantly affect the economic or moral rights of data subjects will be reported immediately by the data controller to the data subject, so that the latter can take appropriate action to protect his or her rights. The data controller must inform the data subject of at least:
- the nature of the breach;
- the personal data that was compromised;
- recommendations to the data subject concerning measures that the latter can adopt to protect his or her interests;
- corrective actions implemented immediately; and
- the means by which he or she may obtain more information.
Violations and offences for the unlawful processing of personal data are provided in the Data Protection Law and the processes by which they may be initiated, determined and applied are further developed in the Regulations. Penalties may be doubled with regard to the unlawful processing of sensitive personal data.
Violations to the Data Protection Law may be punished by a warning instructing the data controller to carry out the actions requested by the data subject (eg, access, rectification, cancellation and objection) or a fine ranging from 100 to 320,000 days of the Mexico City minimum wage, now UMA (Unidad de Medida y Actualización), which at the time of writing is 84.49 Mexican pesos (ie, approximately US$4.20). In the case of repeated occurrences, an additional fine will be imposed from 100 to 320,000 days of the current Mexico City minimum wage, now UMA.
The following actions carried out by the data controller are considered violations to the Data Protection Law:
- failure to satisfy the data subject’s request for personal data access, rectification, cancellation or objection without good reason;
- acting negligently or fraudulently in processing and responding to personal data access, rectification, cancellation or objection requests filed by data subjects;
- fraudulently declaring the non-existence of personal data where such exists in whole or in part in the databases of the data controller;
- processing personal data in violation of the principles established in the Data Protection Law;
- maintaining inaccurate personal data when such action is attributable to the data controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected;
- breaching the duty of confidentiality;
- materially changing the original data processing purpose, without observing the provisions of the Data Protection Law;
- compromising the security of databases, sites, programmes or equipment, where attributable to the data controller;
- carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
- collecting or transferring personal data without the express consent of the data subject, in the cases where this is required;
- obstructing verification actions of the authority;
- collecting data in a deceptive and fraudulent manner;
- processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection; and
- any breach by the data controller of the obligations pertaining thereto as established in the provisions of the Data Protection Law.
The Data Protection Law also provides for two types of criminal offences. Three months to three years imprisonment will be imposed on any person who, being authorised to process personal data for profit, causes a security breach affecting the databases under his or her custody. Six months to five years imprisonment will be imposed on any person who, with the aim of achieving unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or the person authorised to transmit such data. Penalties will be doubled when dealing with sensitive personal data.
The INAI has initiated several enforcement actions, some have ended up with a fine. The most common infringements have been due to:
- processing personal data in breach of the data processing principles (lawfulness, consent, information, quality, purpose, loyalty, proportionality and accountability);
- violating the duty of confidentiality;
- failure to comply with the data subject’s requests for access, rectification, cancellation or objection without good reason;
- obstructing INAI’s verification actions;
- collecting or transferring personal data without the express consent of the data subject (when required); and
- not including in the privacy notice made available to data subjects all requirements established by the Data Protection Law and the Regulations.
Some of the INAI’s resolutions can be found at http://inicio.ifai.org.mx/SitePages/ResolucionesPDP.aspx and may be searched by data controller, year, affected right, type of proceeding and result of claim.
From the above report, we may conclude that the personal data protection regime provided by the Data Protection Law is robust and promotes the internationally accepted principles of personal data protection, while enhancing the communications of personal data needed for the growth of the economy.
Even though sanctions resulting from the Data Protection Law may be minor when compared with fines in other jurisdictions, it is very important for data controllers to consider that the main damage that can be caused for any lack of compliance with the Data Protection Law is reputational. The risk of reputational damage may prevail in the memory of data subjects, resulting in the lack of interaction with the involved data controllers and, of course, of economic gain on such data controllers.