LAW AND THE REGULATORY AUTHORITY
1 Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
The legal framework for PII protection is found in article 6 of the Mexican Constitution and in the Federal Law for the Protection of Personal Information Held by Private Entities, published in July 2010; its Regulations, published in December 2011; the Privacy Notice Rules, published in January 2013; the Binding Self-Regulation Parameters, also published in January 2013 and May 2014; and the General Law for the Protection of Personal Data Held by Public Governmental Entities, published in January 2017. Mexican PII protection law is not based exclusively on an international instrument on data protection, but instead follows correlative international laws, directives and statutes, and thus has similar principles, regulatory scope and provisions.
The Federal Law for the Protection of Personal Data (the Law) regulates the collection, storage, use and transfer of PII and protects individual data subjects (individuals). It is a federal law of public order, which makes its provisions applicable and enforceable at a federal level across the country, and it is not waivable under any agreement or covenant between parties, since it is considered to be a human right. The Law regulates the use and processing of PII by PII data controllers (PII controllers) and PII processors, providing several rights to individuals and imposing obligations on PII controllers and PII processors in order to ensure the privacy and confidentiality of such information. The Privacy Notice Rules comprise the requirements for such notices, whereas the Binding Self-Regulation Parameters contain the requirements and eligibility parameters to be considered by the authority for approval, supervision and control of self-regulation schemes, and for authorisation and revocation of certifying entities as approved certifiers.
Data protection authority
2 Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
The National Institute of Transparency, Access to Information and Personal Data Protection (INAI) is the authority responsible for overseeing the Law. Its main purpose is the...