Mexico's data protection authority, the Federal Institute of Access to Information and Data Protection (IFAI) is charged with enforcing Mexico's data protection statute, Federal Law on the Protection of Personal Data in the Possession of Private Parties, fully implemented in December 2011. The IFAI's authority includes the issuance of financial penalties up to 1.5 million dollars as well as criminal penalties in severe cases. Recent actions reveal that the IFAI is serious about enforcing Mexico's privacy law. In the first quarter of 2013, the IFAI issued 1.7 million dollars in penalties. The largest action was brought against Banamax, Mexico's second largest Bank. The IFAI fined Banamax 1.3 million dollars for negligently handling a data subject's request to have personal data removed. Despite both the data subject and the IFAI's requests, the bank continued to use the data subject's personal data. Banamex has appealed the fine claiming that it is disproportionate. The IFAI enforcement actions appear poised to continue. IFAI Data Protection Secretary announced that the financial sector, telecoms and healthcare are under the greatest scrutiny given the sensitive nature of data handled and that pending investigations may result in at least eight more fines this year.
TIP: Local data privacy offices are often given the power to issue substantial financial penalties for breach of domestic protection laws. Companies that operate in multiple foreign jurisdictions should be aware of their applicable local legal obligations, especially in the privacy area. These cases suggest that Mexico is taking seriously its ability to issue significant fines for privacy violations.