Privacy and data security
What is your jurisdiction’s regulatory stance on net neutrality?
The telecoms operators that provide internet access services should follow the general guidelines issued by the Federal Institute of Telecommunications (IFT):
- Freedom of choice – users of internet access services must be able to access any content, application or service offered by operators, within the applicable legal framework, without limiting, degrading or restricting access to them. Operators may not limit users’ right to access services or incorporate or use any devices that can connect to the network, as long as such devices are standardised.
- Non-discrimination – operators and those authorised to market internet access service cannot obstruct, interfere, inspect, filter or discriminate against content, applications or services.
- Privacy – operators must preserve the privacy of users and the security of the network.
- Transparency and information – operators must publish information on their websites regarding the characteristics of the service offered, including the traffic management and network management policies authorised by the IFT, as well as the speed, quality, nature and guarantee of the service.
- Traffic management – operators may take the traffic management and network administration measures necessary to guarantee the quality or speed of service contracted by the user, in accordance with the policies authorised by the IFT, provided that this does not constitute a practice contrary to healthy and free competition.
- Quality – operators must preserve the minimum levels of quality established for this purpose in the respective guidelines.
- Sustained infrastructure development – in the respective guidelines, the IFT promotes the sustained growth of telecoms infrastructure.
Are there regulations or restrictions on encryption of communications?
No regulations or restrictions relate to the encryption of communications. Based on the constitutional principle of confidentiality of private communications, it follows that encryption is permitted.
Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?
Telecoms concessionaires and, where applicable, authorised telecoms operators (resellers or mobile virtual network operators) must keep a record and control of all communications made via owned or leased numbering that allows the following information to be identified:
- the name or corporate name and address of the subscriber;
- the type of communication service (eg, voice transmission, voice mailbox, conference or data), supplementary services (including call forwarding or transfer) or messaging or multimedia services (including short message services, multimedia and advanced services);
- data necessary to trace and identify the origin and destination of mobile telephone communications, including the destination number and whether the line is the subject of a contract or tariff plan or is prepaid;
- data necessary to determine the date, time and duration of the communication, as well as the messaging or multimedia service;
- the date and time of the first activation of the service and the location label (cell identifier) since the service was activated;
- identification and technical characteristics of the devices, including the international equipment and subscriber identity codes (where applicable); and
- the digital geographic location (positioning) of telephone lines.
The obligation to retain data will begin from the date on which the communication occurred.
For such purposes, the operator must keep the above data for the first 12 months in systems that allow consultation and delivery in real time to the competent authorities through electronic means. At the end of the 12-month period, the operator must keep the data for an additional 12 months in electronic storage systems, during which time the delivery of information to the competent authorities must be carried out within 48 hours.
All processing and storage systems used by operators and authorised people in this regard must be located exclusively in Mexico.
What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?
In general, private communications and their metadata are constitutionally protected against interception, and access requires a court order.
Rules regarding requests for data are not clearly defined. However, there is an express obligation for service providers to comply with any request from the competent authority or a prosecutor. Administrative authorities request contractual information, IP addresses and information relating to the origin, time and duration of a call. Administrative authorities have, thus far, not requested information relating to metadata. That said, extrajudicial requests should be assessed on a case-by-case basis.
Data security obligations
What are telecoms operators’ general data security obligations to consumers?
Telecoms carriers (including licence holders) must take all necessary technical measures to ensure the preservation and protection of the data that must be retained, and to prevent its manipulation, destruction, alteration or cancellation. These obligations are also imposed on personnel authorised to handle and control such data. Without prejudice to the Federal Telecommunications and Broadcasting Law, the protection, treatment and control of personal data held by operators or those so authorised is governed by the Federal Law on the Protection of Personal Data Held by Private Parties.
According to this law, anyone responsible for processing personal data must establish and maintain administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorised use, access or treatment. Those responsible cannot adopt security measures that are less stringent than those they maintain for the handling of their own information.
Further, according to the Collaboration Guidelines on Security and Justice, operators and authorised companies are responsible for ensuring that:
- the protocols that are or will be used for the acquisition, development or implementation of electronic platforms guarantee the integrity and security of the information transmitted, managed and protected; and
- the protocols operate based on international standards, particularly those relating to safeguarding and protecting users’ personal data, as well as the cancellation and safe suppression of information (eg, ISO/IEC 27000 – information security management systems and National Institute of Standards and Technology Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organisations).
The operators and licensed companies must submit to the Federal Institute of Telecommunications (IFT) an annual report relating to the protocols referred to in the previous paragraph, identifying the international standard to which these protocols adhere. The report must include:
- the protocol for access control to information on real-time geographic locations of the communication equipment;
- the data recorded and authorised by the operators; and
- a risk analysis relating to the transmission, handling and storage of such information.
The IFT may make observations and require the necessary adjustments when, in its opinion, the integrity, security, cancellation and deletion protocols for the information must be modified, without prejudice to the fact that the IFT may require additional information when appropriate.
Operators and licensed companies are responsible for the possession, protection, treatment and control of the personal data of users. The use of retained data for purposes other than those provided for in the Federal Telecommunications and Broadcasting Law and the Collaboration Guidelines on Security and Justice is prohibited.
Finally, operators and licensed companies must submit to the IFT, in January and July of each year, an electronic report through the mechanism established by the IFT regarding compliance with the Collaboration Guidelines on Security and Justice.