Mexico's Data Protection Legal Framework. It's Real And It's Serious. - Mondaq Mexico - Blogs - VLEX 706289421


Almost 8 years ago, the Mexican Federal Law on the Protection of Personal Data held by Private Parties (the Federal Law on Data Protection) was enacted. Almost 8 years ago, things started to change in Mexico.

At that time, when companies faced the question "Do you comply?" it was not unusual to hear answers like these:

This is a fad!

Who REALLY cares about personal data?

My company doesn't need to comply with THAT law, I only process client's information.

My IT department is in charge.

My American/European parent company is in charge of THAT stuff.

Nowadays, things are different and data protection is here to stay in Mexico.

It doesn't matter if your company is 100% Mexican or if it is a subsidiary of a foreign company: chances are that you have to comply and that you really need to review your compliance level (certain companies only comply with one of eight Data Protection Principles).

How unique is the Mexican Data Protection Law?

In a broad sense, the Federal Law on Data Protection is unique in its own way, but it is impossible not to find European, American and APEC-region influences on it. Simply put, Mexico was behind a global trend, and its new Federal Law was fed by the experience of several countries.

Many times, I have said that the Mexican Data Protection Law has an 80% European DNA, mostly because of the Data Protection Principles that were introduced into the Mexican legal system (and the "ARCO rights") by reference to the then-in-force Data Protection Directive and the then-forthcoming GDPR.

Because of that, it is easier for European organizations to understand the Mexican data protection requirements; but any DPO with knowledge about the requirements of the European GDPR will find that some Mexican principles are quite similar to those that soon will be enforceable in the EU.

My parent company has a "Privacy Policy" and they told us to use it in Mexico

Over the last few years, we have heard many Mexican Legal Counsels and/or CIOs assert that because they use their parent company's Privacy Policy they are quite confident that their (Mexican) companies comply with the Mexican Data Protection Law.

However, it is a fact that a number of companies that relied on their parent company's privacy policy have found themselves at fault when the Mexican Data Protection Authority (INAI) investigates and prosecutes breaches of the Mexican law, because... you know... a Privacy Notice (or a Global Privacy Policy) is not enough...
