Mexico’s Federal Data Privacy Law: How Safe is your Data South of the Border?

By John DiGiacomo


The law, which was passed in 2010 and whose regulations went into effect in 2012, affects non-credit-storing entities that store, access, or otherwise use personal data for non-personal use. The law closely follows the guidelines set out in the APEC Privacy Framework.

What type of data is protected in Mexico, and how?

The easy answer is personal data, which includes any data that could lead to identifying a person. There are also heightened protections for sensitive data, which tends to be data concerning religious beliefs, health, genetics, politics or sexually explicit materials.

Like the APEC guidelines, a majority of the Mexican law applies to “data controllers.” Data controllers may only collect data if it is relevant to their commercial purpose, and they must stick to whatever policies they lay out in their privacy policies. Most importantly, data controllers must delete personal data when they no longer need or use it.

Controllers are also required to have the consent of the subject of the data before storing it, and for sensitive data, that consent must be in writing. The law also requires controllers to have policies and physical safeguards in place to prevent breaches of their personal data storage.

The law also requires transparency in a few ways: first, the consent requirements as already mentioned; second, controllers must inform data subjects if their data is being accessed (whether intentionally or not) by third parties; and finally, there are several notice requirements that instruct controllers to maintain a relationship with their data subjects, informing them of changes in policy and the state of their data security.

How does this affect the data of United States citizens living in the U.S.?

For data stored in Mexico to be transferred into the U.S., the law places the onus on the controller, not on the U.S. (or other third-party country) as seen in the EU data initiative, to ensure the recipient of the data is secure. In order to meet this burden, the controller must: (1) inform the data subjects of the proposed transfer, and get consent; (2) identify the purposes for which the data is transferred to the third party, and make that party aware of the controller’s privacy notice; and (3) have the third party that receives the data assume the same obligations as those that apply to the data controller.

What can you do about data violations under the law? 

If your data is being stored in Mexico under this law, there are several rights you need to be aware of. First, as discussed above, you have the right to consent to your data being stored and the right to notice when any of your stored data is changed, disclosed to a third party, or hacked. Second, you have the right to access your data whenever you like, and demand the data be repaired by the controller if modified or incomplete. Finally, you have the right to demand the controller “block” your data in its database, which all but destroys it.

If the controller fails to meet any of those demands, you may file a complaint with the IFAI. The process is quick (lasting up to a maximum of 65 days) and can result in serious fines to be paid by the controller (up to $1.2 million). There are even criminal violations that could land repeat offenders in prison.

Talk to an Internet Attorney

Mexico’s data laws are relatively strong, especially when compared to many of the other APEC countries. While the law differs somewhat from U.S. privacy laws and the EU data initiative, if you have data stored in Mexico, or have plans to transfer data to Mexico, you should consult with an expert Internet Attorney to make sure you receive the full protection of Mexican laws. If you have any questions regarding data law south of the border, or anywhere else in the world, give Revision Legal a call at 855-473-8474.