The Situation: Mexican law did not hold government agencies to the same standards of personal data protection expected from private parties.
The Action: Enacted in January 2017, Mexico's General Law on the Protection of Personal Data Held by Regulated Subjects established specific procedures to protect private information held by government entities.
Looking Ahead: Mexican citizens are now able to enforce their so-called "ARCO Rights," and companies engaged in business with Mexican authorities should make sure they understand the protections required when working with personal data.
On January 27, 2017, Mexico's General Law on the Protection of Personal Data Held by Regulated Subjects ("Law") became effective. The Law establishes procedures to protect personal data held by government agencies and other public institutions. Up until this year, only private individuals and companies were adequately bound to establish data protection procedures.
In 2010, Mexico enacted the Federal Law on the Protection of Personal Data Held By Private Parties to protect personal data processed by private individuals and entities. Government agencies and entities did not have the same level of data protection obligations, creating a great disparity between the private and public sector. The Law brings balance and transparency to government action by providing the basis, principles, and procedures to guarantee the right of any data owner to the protection of his or her personal data under governmental control. The Law reiterates the constitutional principle that private communications are inviolable and that their intervention can be authorized only by federal judicial authority.
Data controllers, or "Regulated Subjects" under the Law, include any federal, state, or municipal authority, entity, organ, or body of the executive, legislative, and judicial branch of the government; autonomous bodies; political parties; and public trusts and funds. While federal entities already have some level of protection in place, most states, municipalities, and other public institutions such as political parties lack proper controls.
Regulated Subjects' new obligations include, among others, establishing mechanisms, security measures, and procedures for the protection of personal data, including comprehensive compliance programs and training.
Citizens will now be able to enforce their so-called "ARCO Rights"rights to access, rectify, cancel, and oppose the processing of personal...