Public and private enforcement
i Enforcement agencies
Initiation of proceedings
The INAI is in charge of data protection proceedings (DPPs) and of compliance-verification proceedings (VPs).
DPPs are intended to resolve claims filed by a data subject or his or her legal representative alleging that a data controller has failed to respond to a request exercising the data subject's ARCO rights, or that the data controller's response does not satisfy the data subject.
VPs may be commenced ex officio by the INAI or at the request of a party. An ex officio VP will take place following a breach of a resolution issued in connection with a DPP, or if a breach of the Private Data Protection Law is alleged and the INAI considers the allegation founded and substantiated. During a VP, the INAI shall have access to the information and documentation deemed necessary, in accordance with the resolution originating the verification.
Penalties
If, during a DPP or VP, the INAI becomes aware of an alleged breach of the Private Data Protection Law, a proceeding to impose penalties will commence in order to assess the infringement. The available penalties include the following:
(a) a warning issued by the INAI urging a data controller to comply with the data subject's demands. Note that this course of action is limited to certain types of infringement;
(b) fines of between 100 and 320,000 times the UMA,2 which is published by the National Institute of Statistics and Geography, the amount being determined according to the nature of the infringement; and
(c) imprisonment for up to three years in certain cases, such as when someone authorised to process any personal data causes a security breach in relation to the data under his or her control with the purpose of obtaining a gain; or imprisonment for up to five years when someone processes personal data with the intention of obtaining a gain by deceiving, or taking advantage of the error of, a data subject or the person authorised to transfer any personal data.
The penalties set out in item (b) above may be doubled if the infringement involves sensitive personal data. Although the Private Data Protection Law does not entitle a data subject to receive any indemnification for damages suffered because of a data controller's breach, it does acknowledge that any of the fines or penalties indicated above would be imposed on a data controller without prejudice to any liability that the data controller may have under civil and criminal law.
When assessing the fine or penalty to be imposed, the INAI would consider:
- the nature of the personal data;
- the seriousness of the failure to comply with the claim of the data subject;
- whether the action or omission was deliberate;
- the economic capacity of the data controller; and
- any reoccurrence of the breach.
Data controllers may challenge these sanctions or fines by means of a nullity claim before the Federal Court of Tax and Administrative Justice.
In addition, Profeco and Condusef are entitled to verify the adequate use of consumer information. If either of them finds that a corporation is engaging in unsolicited marketing to a customer enrolled in the Public Registry of Consumers or the Public Registry of Individual Users, or that it has used consumers' data for a purpose other than marketing, the following shall apply: Profeco may impose fines of up to 1.56 million Mexican pesos, or Condusef may impose fines of up to 2,000 times the UMA in force.3
In recent years, the INAI has fined, inter alia, financial institutions, telecom companies and healthcare providers. However, most of these fines have been challenged by the data controllers concerned and the proceedings are pending resolution. In 2021, most of the fines were imposed on companies engaged in financial and insurance services.
Since the enactment of the Private Data Protection Law, the INAI has been actively publicising the importance of complying with this law, pursuing cases involving serious breaches and imposing fines on several companies. The following are relevant cases from recent years that are worth mentioning.
Hospital
A fine of 4.6 million Mexican pesos was imposed on Operadora de Hospitales Ángeles, SA de CV (the hospital) on the grounds that the hospital was negligent when processing and answering a claim filed by a data subject requesting access to her clinical file. Given that the clinical file contained sensitive personal data of the data subject, the fine was doubled.
Banorte
A fine of 32 million Mexican pesos was imposed on Banco Mercantil del Norte, SA, Institución de Banca Múltiple, Grupo Financiero Banorte (Banorte). Banorte collected sensitive personal data without the consent of the data subject and stored the data without a legal justification, in breach of the principles of information, proportionality and legality, as it failed to deliver a privacy notice to the claimant and processed personal data of the claimant's husband that was not necessary, adequate or relevant for the purpose of the data collection.
ii Recent enforcement cases
Because many of the resolutions issued by the INAI have been challenged by the data controllers and are pending resolution, and these files have therefore not yet been finalised, the cases shown on the INAI's public webpage for recent years have not been updated, have been removed from the webpage, or have had the names of the parties involved erased.
Several fines amounting to approximately 1.09 million pesos were imposed on Teraba Construcciones, SA de CV. The INAI's decision to fine the data controller was based on the following arguments:
- Teraba Construcciones, SA de CV failed to comply with the information, responsibility and legality principles, as it did not implement and disclose a privacy notice prior to the collection of personal data; and
- Teraba Construcciones, SA de CV did not gather express consent to transfer the financial information of the data subjects; and it obstructed the process, considering that the data controller did not provide the information requested by the INAI.
Several fines amounting to approximately 145,680 pesos were imposed on Excel Technical Services de México, SA de CV. The INAI's decision to fine the data controller was based on the following arguments:
- Excel Technical Services de México, SA de CV failed to comply with the information, responsibility and legality principles, as it did not implement and disclose a privacy notice prior to the collection of personal data; and
- Excel Technical Services de México, SA de CV did not gather express consent to transfer the financial information of the data subjects.
Several fines amounting to approximately 972,194 pesos were imposed on Sure Economía Global, SA de CV. The INAI's decision to fine the data controller was based on the following arguments:
- Sure Economía Global, SA de CV failed to comply with the information, responsibility and legality principles, as it did not implement and disclose a privacy notice prior to the collection of personal data; and
- Sure Economía Global, SA de CV did not gather express consent to transfer the financial information of the data subjects.
The Private Data Protection Law makes no provision for remedies or financial recovery for the data subject as a result of a breach of data protection rights. However, data subjects are entitled to file a claim before the civil courts to seek indemnification for moral damage. We are not aware of any claims of this nature. The first chamber of the Mexican Supreme Court has issued certain groundbreaking, non-binding court precedents resolving that, when awarding damages, courts and judges shall consider aggravating factors such as the degree of responsibility in order to determine a fair indemnification, thereby openly recognising concepts such as 'punitive damages', which had not previously been developed in court precedents.