
Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

The Federal Law for the Protection of Personal Information in Possession of Private Entities is one of the most advanced laws in Mexico and Latin America. This legislation is ahead of the international curve and aims to comply with standards such as those under the General Data Protection Regulation and the various privacy regulations in the United States.

Are any changes to existing data protection legislation proposed or expected in the near future?

Although some deputies submitted bills to Congress in 2017, none of them have been approved by any commission of the Chamber of Deputies or by the Senate. Therefore, no short-term legislative amendments are expected. As there are presidential elections in 2018, the legislative process is likely to be slow.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The collection, storage and use of personal information is regulated by the Federal Law for the Protection of Personal Information in Possession of Private Entities, its regulations and the guidelines for the privacy notice.

Scope and jurisdiction

Who falls within the scope of the legislation?

This law regulates the collection and processing of any personal data by any private entity acting as a data controller or data processor.

The collection of personal information by government entities is regulated by the Federal Law for the Protection of Personal Information in Possession of Obliged Subjects.

What kind of data falls within the scope of the legislation?

Only the collection and processing of personal data is regulated by the above laws. Non-personal data is excluded from the scope of protection.

Mexican data privacy legislation applies to personal data stored in any accessible physical or electronic media.

Are data owners required to register with the relevant authority before processing data?

No.

Is information regarding registered data owners publicly available?

N/A.

Is there a requirement to appoint a data protection officer?

No. It is not mandatory to appoint a data protection officer; it is only necessary to include the following information in the company's privacy notice:

  • the name and domicile of the data owner; and
  • the person responsible for the collection, use and storage of the personal information.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

In Mexico, the National Institute for Information Access (INAI) is responsible for enforcing data protection legislation.

It is entitled to audit any data owner to verify its compliance with data protection legislation and to impose administrative penalties, including fines of up to Ps25 million (approximately $1.4 million).

The INAI is also entitled to prosecute any complaint filed by a data subject willing to enforce its rights of access, rectification, cancellation and opposition.

As an authority, the INAI is also entitled to regulate the collection of personal information by government entities and public access to that information.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Generally, personal data can be collected only with the prior, informed and written consent of the data subject.

Consent is not required in the following cases:

  • when expressly allowed by law;
  • when the personal data is available in public access sources;
  • when personal data has been dissociated;
  • when the collection of personal data is needed for the compliance of obligations derived from a legal relationship between the data subject and the data owner;
  • when there is an emergency situation that jeopardises the individual or the commodities of the data subject; and
  • when the collection of personal data is necessary for medical attention or diagnosis or for rendering sanitary assistance, medical treatment or sanitary services, provided that the data subject is unable to consent and provided that the data is collected by a person subject to legal professional privilege.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There is a general rule regarding the period for which an organisation must retain records, which states that records containing personal data must be retained only for the period necessary for the completion of the purpose for which the data was collected.

Article 37 of the regulations of the Federal Law for the Protection of Personal Information in Possession of Private Entities provides that the retention period must not exceed the period necessary for completion of the purpose for which the data was collected. In order to determine the applicable period, data owners must pay attention to any legal provisions applicable to the sort of data collected and also consider the administrative, tax, legal and historical aspects of the data.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, the legislation concerning personal information recognises and protects the rights of access, rectification, cancellation and opposition.

Do individuals have a right to request deletion of their data?

Yes, the legislation concerning personal information recognises and protects the rights of access, rectification, cancellation and opposition.

Consent obligations

Is consent required before processing personal data?

Yes, the legislation concerning personal information requires prior, informed and express consent, either in writing or through electronic means.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent is not required in the following cases:

  • when expressly allowed by law;
  • when personal data is available in public access sources;
  • when personal data has been dissociated;
  • when the collection of personal data is needed for the compliance of obligations derived from a legal relationship between the data subject and the data owner;
  • when there is an emergency situation that jeopardises the individual or the commodities of the data subject; and
  • when the collection of personal data is necessary for medical attention or diagnosis or for rendering sanitary assistance, medical treatment or sanitary services, provided that the data subject is unable to consent and provided that the data is collected by a person subject to legal professional privilege.

What information must be provided to individuals when personal data is collected?

The legislation concerning personal information requires data owners to provide the following information in a privacy notice:

  • the identity and place of domicile of the data owner;
  • the purpose of the data collection;
  • the options and means offered by the data owner to the data subject, to limit the access, use, sharing and transfer of his or her data;
  • the means by which the data subject can enforce his or her rights of access, rectification, cancellation and opposition;
  • detailed information as to the data transfers of personal information that the data owner is willing to make, expressly indicating the name of the data processor, the type and category of activity sector of the processor and the purpose of the transfer, and, when required, a clause indicating whether the data subject consents to the data transfer;
  • the options and means offered by the data owner to the data subject to revoke his or her consent for the collection of personal information;
  • an express mention, made at the time of collection, that appropriate personal information is being collected;
  • information regarding the administrative, physical and technological measures implemented by the data owner, in order to protect the information collected;
  • information regarding the use of cookies, web beacons and any other technology that allows the collection of personal information from the data subject, as well as information regarding how to deactivate such data collection; and
  • information regarding any proceedings set forth by the data owner, in order to inform data subjects as to any changes to the privacy notice.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Article 19 of the Federal Law for the Protection of Personal Information in Possession of Private Entities requires every data owner to implement and maintain administrative, technical and physical security measures to prevent the loss, alteration, destruction or unauthorised access and use of any collected and stored personal information.

Such measures must be equivalent to those used by the data owner to protect its own information. When implementing such measures the data owner must consider:

  • the existing risk and possible consequences for the data subjects;
  • how sensitive the data is; and
  • the technological development.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes, Article 20 of the Federal Law for the Protection of Personal Information requires data owners to immediately notify individuals about any security breach that occurs during any phase of data collection, storage or use, which may significantly affect the individual’s patrimonial or moral rights.

Similarly, Article 64 of the law requires data owners to notify individuals without delay of any breach that significantly affects their moral or patrimonial rights, as soon as the data owner confirms that a breach has occurred and when the data owner takes action to determine the magnitude of the breach.

The data owner must include information regarding:

  • the nature of the incident;
  • the details of the personal information that has been compromised;
  • the recommended actions data subjects can take to protect their interests;
  • the corrective measures that have been implemented by the data owner; and
  • the means for getting more information regarding the breach.

Are data owners/processors required to notify the regulator in the event of a breach?

No.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Mexico has no specific regulation dealing with unsolicited text messages or spam emails.

The Federal Bureau for Consumer Protection operates a call blocking registry covering both landlines and mobile phone numbers, which gives suppliers 30 days to stop making marketing calls or sending marketing messages to a registered consumer.

However, there are no regulations relating to spam emails.

Cookies

Are there rules governing the use of cookies?

Yes, the guidelines for the privacy notice require that individuals be informed of any technology that automatically collects personal information at the moment of contact with the individual. The guidelines require data owners to request individuals' consent through an opt-in mechanism and to inform them how to deactivate said technology, unless it is required for technical reasons.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Data owners must provide detailed information in the privacy notice regarding the data transfers that the data owner is willing to make, including personal information about the data subject, expressly indicating:

  • the name of the data processor(s);
  • the type and category of activity sector of the processor; and
  • the purpose of the transfer.

When required, a clause must be added indicating whether the data subject consents to the data transfer.

The same terms that apply to the data owner also apply to the third party receiving the transferred data.

Article 37 of the Federal Law for the Protection of Personal Information states that national and international data transfers can be performed without the consent of the data subject when:

  • the transfer is provided for in a law or treaty signed by the Mexican government;
  • the transfer is necessary for medical prevention or diagnosis, as well as for sanitary assistance, medical treatment or for the rendering of sanitary services;
  • the transfer is made to holding, subsidiary or affiliated companies under the control of the data owner or any company of the same corporate group, operating under the same processes and internal policies;
  • the transfer is necessary in virtue of an agreement executed or to be executed in the interest of the data subject, between the data owner and a third party;
  • the transfer is necessary or legally required to safeguard public interest or obtain justice;
  • the transfer is necessary for the recognition, enforcement or defense of a right in a judicial process; and
  • the transfer is necessary for the maintenance or compliance of a legal relationship between the data owner and the data subject.

Are there restrictions on the geographic transfer of data?

Aside from the above, there are no restrictions for the transfer of personal information.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

No.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

The National Institute for Information Access (INAI) is entitled to impose administrative penalties, including fines of up to Ps25 million (approximately $1.4 million).

In addition, the following activities are deemed to be felonies relating to the improper use of personal information:

  • A data owner that is authorised to collect, store and use personal information and, with the aim of profiting, causes a security breach in the database containing the information under its custody. This is punishable by imprisonment of between three months and three years.
  • Collecting, using or storing personal information, with the aim of profiting, through error or deceit of the data subject or of the person who can authorise the transfer. This is punishable by imprisonment of between six months and five years.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Not automatically. Since the INAI is not entitled to award damages or losses, an independent civil action is required in order to recover any damages or losses derived from the unauthorised use, storage or collection of personal information.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

There is no dedicated law in Mexico regulating cybercrime and cybersecurity.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

No international standards relating to cybersecurity have been adopted in Mexico. In recent years the government has become more aware of the need to specifically regulate cybersecurity and to enhance legal proceedings to fight cybercrime activities. The Mexican government is in the process of implementing various actions detailed in its National Digital Strategy and its National Cybersecurity Plan, which should result in the consolidation of a cybersecurity legal framework.

In March 2018 the Law for Regulating the Financing Technology was introduced – known as the Mexican Fintech Law – which, among others, regulates operations regarding ‘virtual assets’ (cryptocurrencies) and introduced regulation for:

  • fintech institutions (FTIs);
  • collective financing institutions (crowdfunding institutions); and
  • electronic payment funds institutions.

Which cyber activities are criminalised in your jurisdiction?

The only activity that is currently expressly regulated as a felony and punishable as such by the Federal Criminal Code of Mexico is child pornography and any sexual content involving an underage individual or someone considered incapable of understanding or resisting such an act.

However, the Mexican Fintech Law regulates the following, which are punishable by imprisonment:

  • To use, obtain, transfer or in any other way dispose of the resources, electronic payment funds or virtual assets that are the property of clients of any FTI, or that are the property of any FTI. This is punishable by imprisonment of between three and nine years. If the person conducting the above criminal offence is a shareholder, counsel, officer, director, administrator, employee or supplier of an FTI, he or she is liable to imprisonment of between six and 18 years.
  • To operate as an FTI without having the proper authorisation or to conduct activities or operations reserved to FTIs without having proper authorisation. This is punishable by imprisonment of between seven and 15 years.
  • To provide false information to obtain the authorisation to act as an FTI. This is punishable by imprisonment of between seven and 15 years.
  • To publish or divulge false information relating to FTIs and their operation. This is punishable by imprisonment of between two and 10 years.
  • To totally or partially destroy or modify the accountability systems or records of an FTI. This is punishable by imprisonment of between two and 10 years.
  • The identity theft of any financing authority, its administrative units or public officers or the identity theft of an FTI. This is punishable by imprisonment of between three and nine years.
  • The unauthorised access to equipment, electronic, optic, informatics or any other technology means of an FTI or of any financing entity. This is punishable by imprisonment of between three and nine years.

Which authorities are responsible for enforcing cybersecurity rules?

The Bank of Mexico and its various commissions are responsible for enforcing the cybersecurity rules set forth in the Mexican Fintech Law.

When dealing with illegal activities considered as criminal offences, the Attorney General's Office is the authority responsible for investigating and pursuing them. If, as a result of the investigations conducted by the Attorney General's Office, it is deemed that there is evidence of criminal activity, the office will formally request a criminal court to initiate criminal proceedings.

However, there are no specialist courts for cybersecurity and cybercrimes in Mexico.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, it is possible to obtain insurance for cybersecurity breaches and data protection, although it is uncommon for companies to obtain this sort of insurance. However, as awareness of threats to cybersecurity increases, it is expected that this kind of insurance will become more popular.

Are companies required to keep records of cybercrime threats, attacks and breaches?

No.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

No.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Please see above regarding the criminalisation of cyber activities.

What penalties may be imposed for failure to comply with cybersecurity regulations?

If the failure to comply with cybersecurity regulation involves any personal information, under the Federal Law for the Protection of Personal Information in Possession of Private Entities penalty fines will apply, as outlined above.

There are no other cybersecurity regulations in Mexico.