On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)). President Felipe Calderon is expected to sign the FLPPA into law soon; thereafter, the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP)), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data.
- Broad Definition of Personal Data. The definition of "personal data" is very broad and includes any information concerning a physical person that identifies such person, or from which such person may be identified.
- Special Treatment of Sensitive Personal Data. Similar to the approach in the European Union under the European Union Data Directive, "sensitive personal data" is afforded special protection status. The definition focuses on information that may be used for discriminatory purposes, such as information about a person's race, ethnicity, sex, medical condition, religion, philosophies and morals, political opinions, and sexual preferences.
- Provision of Privacy Notice Required. Notice must give individuals a clear understanding of how their personal data is being used and/or transferred, and provide a means for correcting submitted personal data and revoking consent for proposed uses and transfers. Also, in the event of a transfer, the transferee must assume and abide by this same privacy notice.
- Express Consent Required for Processing Sensitive Personal Data. The collector of sensitive personal data must obtain the express consent (signature, electronic signature or other form of verifiable consent) of the individual to process and/or transfer such individual's sensitive personal data prior to the processing and/or transfer of such information.
- Notification and Re-Consent Required if Use Changes. The entity holding personal data of an individual must notify such individual and have such individual re-consent to new treatment, if the scope of use changes after such individual's initial consent.
- Regulates Both National and International Transfers. The FIIADP has the authority to enforce the FLPPA in relation to both national and international transfers of personal data.
- Requires Establishment of Safeguards. The entity collecting, storing and/or transferring personal data must establish administrative processes and procedures, and physical and technological safeguards, to protect personal data. Further guidance on standards may be forthcoming.
- Potential Penalties and Sanctions are Severe. Financial penalties are not clearly established, but may be up to approximately US$3 million. The FLPPA also provides criminal penalties of up to five years' imprisonment: up to three years for general violations of the FLPPA, and up to five years for the unauthorized transfer of sensitive personal data.
The FLPPA does not apply to credit institutions and individuals that collect information solely for personal and non-commercial purposes. There are also certain exemptions where the treatment and transfer of personal data would not be subject to the FLPPA statutory consent requirements, such as (i) where the transfer is between affiliates; (ii) in the case of medical emergencies; (iii) where the transfer is necessary pursuant to a contract between the data controller and the transferee, provided that the transfer is in the best interest of the individual; (iv) where there is a judicial decree involving the subject data; or (v) where the transfer of the subject data is necessary for the protection of public health and/or safety.