Mexico’s Federal Data Privacy Law: How Safe is your Data South of the Border?

by John DiGiacomo

Partner

Business Law Revision Legal

 

The law, which was passed in 2010 and whose regulations went into effect in 2012, affects non-credit-storing entities that store, access, or otherwise use personal data for non-personal use. The law closely follows the guidelines set out in the APEC Privacy Framework.

What type of data is protected in Mexico, and how?

The easy answer is personal data, which includes any data that could lead to identifying a person. There are also heightened protections for sensitive data, which tends to be data concerning religious beliefs, health, genetics, politics or sexually explicit materials.

Like the APEC guidelines, a majority of the Mexican law applies to “data controllers.” Data controllers may only collect data if it is relevant to their commercial purpose, and they must stick to whatever policies they lay out in their privacy policies. Most importantly, data controllers must delete personal data when they no longer need or use it.

Controllers are also required to have the consent of the subject of the data before storing it, and for sensitive data, that consent must be in writing. The law also requires controllers to have policies and physical safeguards in place to prevent breaches of their personal data storage.

The law also requires transparency in a few ways: first, the consent requirements as already mentioned; second, controllers must inform data subjects if their data is being accessed (whether intentionally or not) by third parties; and finally, there are several notice requirements that instruct controllers to maintain a relationship with their data subjects, informing them of changes in policy and the state of their data security.

How does this affect the data of United States citizens living in the U.S.?

For data stored in Mexico to be transferred into the U.S., the law places the onus of ensuring that the recipient of the data is secure on the controller, not on the U.S. (or other third-party country) as seen in the EU data initiative. To meet this burden, the controller must: (1) inform the data subjects of the proposed transfer and get their consent; (2) identify the purposes for which the data is transferred to the third party, and make that party aware of the controller’s privacy notice; and (3) ensure that the third party receiving the data assumes the same obligations as those that apply to the data controller.

What can you do about data violations under the law? 

If your data is being stored in Mexico under this law, there are several rights you need to be aware of. First, as discussed above, you have the right to consent to your data being stored and the right to notice when any of your stored data is changed, disclosed to a third party, or hacked. Second, you have the right to access your data whenever you like, and demand the data be repaired by the controller if modified or incomplete. Finally, you have the right to demand the controller “block” your data in its database, which all but destroys it.

If the controller fails to meet any of those demands, you may file a complaint with the IFAI. The process is quick (lasting up to a maximum of 65 days) and can result in serious fines to be paid by the controller (up to $1.2 million). There are even criminal violations that could land repeat offenders in prison.

Talk to an Internet Attorney

Mexico’s data laws are relatively strong, especially when compared to many of the other APEC countries. While the law differs somewhat from U.S. privacy laws, and the EU data initiative, if you have data stored in Mexico, or have plans to transfer data to Mexico, you should consult with an expert Internet Attorney to make sure you receive the full protection of Mexican laws. If you have any questions regarding data law south of the border, or anywhere else in the world, give Revision Legal a call at 855-473-8474.
