This country-specific Q&A provides an overview to technology laws and regulations that may occur in Mexico.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
In Mexico, the Telecommunications and Broadcasting Law (Ley Federal de Telecomunicaciones y Radiodifusión) of July 14, 2014, does not regulate the provision of telecommunications or IT services. The rules to provide such services arise from the provisions of such law related to the (i) the use, operation and exploitation of the radio spectrum, (ii) telecommunications networks, and (iii) orbital resources and satellite communications.
Due to the aforementioned, the Telecommunications and Broadcasting Law regulates a series of licenses required to establish a telecommunications network in order to be able to provide any type of telecommunications or broadcasting service. It is important to mention that under the Telecommunications and Broadcasting Law, telecommunications and broadcasting services are considered as public services of general interest.
The Telecommunications and Broadcasting Law regulates a new type of concession, named the Sole Concession (“Concesión Única”). The Sole Concession is granted to provide all kind of convergent services on telecommunications and broadcasting. For its purposes, the Sole Concession is classified in: (i) commercial use; (ii) public use; (iii) private use; (iv) social use; (v) communal social use; and (vi) indigenous social use.
In addition to the Sole Concession, these are the other type of concessions provided in the Telecommunications and Broadcasting Law:
Concession of radio spectrum, which is granted to use, develop and exploit frequency bands from the radio spectrum. For its purposes, the concession of radio spectrum is classified in the same categories as the Sole Concession.
Concession of orbital resources, which is granted to use and exploit orbital resources. For its purposes, this Concession is also classified in the same categories as the previous mentioned concessions.
In addition, there is another type of license called Authorization (“Autorización”) which allows the performance of any of the following activities: (i) to operate and exploit the resale of telecommunications services; (ii) to install, operate and exploit transmitting satellite earth stations; (iii) to install telecommunications equipment and transmission means, that cross the borders of Mexico; (iv) to exploit the rights to transmit and to receive signals and frequency bands associated to satellite constellations with coverage within Mexico, and which are capable of providing services in Mexico; and (v) to temporarily use frequency bands for diplomatic visits.
Of the aforementioned types of Authorization license, the one which is used more is the Authorization to resell telecommunications services (with this authorization licensees shall not own a public telecommunications network), this “reseller” Authorization allows: (i) to access wholesale services offered by concessionaires; (ii) the resale of services and capacity previously hired to a concessionaire of a public telecommunications network (i.e. Mobile Virtual Network Operators); and (iiii) having own numbering resources.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
In Mexico, the autonomous regulatory authority on telecommunications and broadcasting matters (including competition in such matters) is the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones, “IFT”, for its acronym in Spanish). The IFT was created as a constitutional autonomous entity, whose purpose is the efficient development of the broadcasting and telecommunications services, and the correct development of competence on these sectors. As an autonomous body, its characteristics are to be specialized, impartial, and a collegial entity created at the Federal level, with full technical and management autonomy and self-determination authority over its budget and internal organization. For such reasons, the IFT has full autonomy in relation to its operation and resolutions since September 10, 2013 when its Board of commissioners was appointed.
The Telecommunications and Broadcasting Law sets forth the authorities of the IFT. Within such regulatory authorities, we can mention the following as the most relevant: (i) the granting of Concessions and Authorizations; (ii) the implementation of procurement processes as well as the allocation of frequency bands of the radio spectrum; (iii) the overview of regulatory compliance on telecommunications and broadcasting matters; and (iv) the determination of economic agents with dominant power in relevant markets and preponderant economic agents in the telecommunications and broadcasting sectors.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
For the provision of telecommunications and satellite communication services, foreign investment is allowed up to 100%, and up to 49% for broadcasting services. However, in the broadcasting sector, it shall be necessary for reciprocity to exist with the country in which the investor is incorporated.
In order to request a Concession or Authorization, the company has to be of Mexican nationality, meaning that it has to be incorporated according to Mexican laws. The corporate domicile of a Mexican company is always located in Mexico.
Notwithstanding with the aforementioned, there are some IFT’s criterion in which for certain activities a corporate domicile is not mandatory (e.g. authorization to install, operate and exploit transmitting satellite earth stations). However, criteria are issued on a case-by-case basis.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?
Concessionaires operating a public telecommunications network have the obligation to adopt open network architecture designs, in order to ensure interconnection and interoperability of their networks. For such purpose, concessionaries operating public telecommunications networks are obliged to interconnect their networks with other concessionaires’ networks on a non-discriminatory basis, transparently, based on objective criteria and in compliance with the regulations of IFT.
In addition, there is an Interconnection Electronic System (Sistema Electrónico de Interconexión) through which the concessionaires interested in interconnecting their networks, may process among each other subscription requests of the corresponding agreements.
Asymmetric obligations to the economic agents declared preponderant (different from economic agents with market power) are established in regard to access and interconnection. One of such obligations establishes that the preponderant agent shall not charge to the other concessionaires for the ending traffic in its network, and their interconnection agreements are considered Public Offers.
Regarding preponderant agents, the IFT has the authority to determine such economic agents that are preponderant in the sectors of telecommunications and broadcasting. The determination of the preponderant economic agents is based on having directly or indirectly more than fifty percent of national participation in the provision of broadcasting and telecommunications services. This percentage is measured by the number of users, subscribers, audience, traffic in their network or by the capacity used therein, based on the data and information that the IFT has.
The obligations of the preponderant economic agents, shall cease by an official declaration of the IFT, once there are conditions of effective competition in the relevant sector.
Telecommunications users and consumers, in addition to the general consumer protection rights provided in the Federal Consumer Protection Law (Ley Federal de Protección al Consumidor) are entitled to the consumer rights established in the Telecommunications and Broadcasting Law.
The followings rights, are the most important under the Telecommunications and Broadcasting Law: (i) to check at no charge mobile balance and without conditional purchases; (ii) protection of personal data; (iii) number portability; (iv) execute a standard-type agreement approved by the IFT and the consumer protection agency for the provision of the telecommunications services and receive communications related to its amendments; (v) non-discrimination in Internet access services; (vi) receive telecommunications services within the parameters of quality subscribed or established by the IFT; (vii) request the unlocking of the terminal equipment at the end of the term of the agreement or when the terminal equipment has been paid; (viii) reimbursement or discount in the event of service failures; (ix) roll over of credit balance; and (x) not to receive calls from the concessionaire or authorized entity regarding promotion of services and packages unless consent was expressly given through electronic means.
It is important to mention that all consumer rights arising from the provision of telecommunications services shall be communicated by the relevant service provider to the consumer, not only in the relevant agreement but in a separate document in which the consumer rights are clearly established.
What legal protections are offered in relation to the creators of computer software?
Computer software programs are protected under the Mexican Federal Copyright Law (Ley Federal del Derecho de Autor) as a literary copyright work. Meaning that moral and financial rights arise from the protection of software as copyright work.
It is important to mention that the Mexican Intellectual Property Law (Ley de la Propiedad Industrial) provides that computer software is not considered as an invention, meaning that software per-se cannot be patentable. However, there has been cases when software related inventions have been subject to a patent but not the software itself.
Are specific intellectual property rights in respect of data/databases recognised?
Yes, there are two types of levels for the protection of databases: (i) Databases or other machine-readable materials, which for reasons of selection and arrangement of their content constitute intellectual creations, shall be protected as compilations. Such protection will not extend to the data and materials themselves (compilations are protected as any other copyrightable material/work); and (ii) Non-original databases are, however, protected in their exclusive use by the developer, for a period of 5 years.
What key protections exist for personal data?
The protection of personal data is established in the Mexican Constitution (Constitución Política de los Estados Unidos Mexicanos) as a constitutional right, and the matter is regulated in a specific manner by the: (i) the Mexican Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares); (ii) The Regulations to the Law (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares); (iii) Guidelines and general criteria issued by the Ministry of Economy and the Mexican Data Protection Authority (“DPA”), including those related to the privacy notice, security measures to protect persona data, binding self-regulatory schemes and the implementation of compensatory measures; and (iv) the General Data Protection Law (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados).
The difference between the Mexican Data Protection Law and the General Data Protection Law is that the latter is applicable to the processing of personal data by authorities, entities, bodies and agencies of the Executive, Legislative and Judicial Branch, autonomous bodies, trusts and public funds and political parties on federal, state and municipal level, and the Mexican Data Protection Law is applicable for the processing of personal data by private parties (companies and individuals). Both laws regulate the protection of personal data of individuals (as opposed to entities).
The Mexican data protection agency is the National Institute for the Access of Information, Transparency and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, “INAI” by its acronym in Spanish). The INAI is the authority in charge of promoting the rights to protect personal data throughout Mexico, and has authorities to enforce and supervise due compliance of the provisions set forth by the applicable laws.
Are there restrictions on the transfer of personal data overseas?
The Mexican Data Protection Law provides that when a data controller intends to transfer personal data to a domestic or foreign third party, other than the data processor (individual or entity who processes personal data on behalf of the data controller, individually or jointly with others), it must provide them with the privacy notice and the purposes for which the data subject has limited the processing of such data.
Any data transfer, whether national or international, is subject to: (i) the consent of the data subject, with the exceptions provided by the applicable law; (ii) the data subject must be informed of the transfer through the privacy notice; and (iii) the transfer shall be limited to the purposes disclosed to the data subject.
National and international transfers of personal data shall be formalized/documented. The formalization of national and international transfers may be done through clauses or agreements that establish: (i) that the data controller informs the importer of the conditions under which the data subject consented the processing of his/her personal data; and (ii) that the importer assumes the same obligations as those of the data controller.
It is important to note that data transfers are not subject to prior authorization of the DPA, in this case the INAI. Nevertheless, under certain circumstances, a data controller may request the opinion of the INAI to confirm that an international transfer complies with the Mexican data protection laws.
Under the Mexican Data Protection Law, there are no “third countries” as provided in the EU law (GDPR). No special or prior authorization is required to transfer data outside the Mexican territory. However, as mentioned before, data transfers, shall be documented/formalized in clauses or agreements between the data exporter and the data importer.
What is the maximum fine that can be applied for breach of data protection laws?
The sanctions would depend on the action carried out and could go from a warning to fines that go from 100 to 320,000 days of general current minimum salary in Mexico City.
In the event of repeated infractions, an additional fine will be applied, such fine goes from 100 to 320,000 days of general current minimum salary in Mexico City. In the event of infractions committed when processing sensitive Personal Data, the fines could be doubled.
Considering the amount of the general minimum salary in Mexico in force during 2017 and the currency exchange rate, fines could go from $421.00 USD to $1’348,042.00 USD approximately.
In addition, the Mexican Data Protection Law establishes crimes in matters of improper processing of personal data.
Are there any restrictions applicable to cloud-based services?
Regarding the use of cloud based services, the Regulations to the Mexican Data Protection Law establish certain specific requirements when processing personal data by cloud computing services.
The cloud based service provider must comply with the following requirements in order for the data controller to be able to use such services: (i) it shall have policies to protect personal data similar to the ones established in the Mexican Data Protection Laws; (ii) subcontracting must be disclosed to the relevant data controller; (iii) it will not be allowed to acquire title over the information processed in the cloud; and (iv) the personal data processed has to be preserved as confidential information.
Furthermore, it is also established that the cloud computing service provider must have mechanisms to: (i) notify changes of its applicable privacy notices and of its T&C; (ii) allow the data controller to limit the processing of personal data; (iii) establish and maintain proper security measures to protect the personal data; (iv) delete the personal data once the services are terminated; and (v) prevent unauthorized access to the personal data, or if properly requested by a competent authority, notify such circumstance to the data controller.
Are there specific requirements for the validity of an electronic signature?
Electronic signatures in Mexico shall mean, in accordance with the Code of Commerce (Código de Comercio), the electronic data contained in a data message, or attached or logically associated thereto by any technology, which is used to identify the signatory in relation to the data message and to indicate that the signatory approves the information contained in the data message, and produces the same legal effects as the written signature, being admissible as evidence in court
In this sense, written signatures can be replaced by a data message with electronic signature if the following conditions are met: (a) integrity of the information; (b) accessibility for further consultations; and (c) attributability to the parties.
However, the Code of Commerce distinguishes (a) “simple” electronic signatures, and (b) “advanced” electronic signatures. The Code of Commerce provides that if the followings requirements are met (in addition to the ones mentioned before), electronic signatures are to be considered “advanced” electronic signatures: (i) the creation data of the electronic signature, within the context in which they are used, relates exclusively to the signatory, (ii) the creation data of the electronic signature is, at the moment of the execution, under the sole control of the signatory; (iii) it is possible to detect any alteration to the electronic signature after the execution date; and (iv) it is possible to detect any alteration to the integrity of the data message after the signing.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
There are no automatic transfers or assignments of employees, assets or third-party contracts in the event of an outsourcing of IT services, unless an agreement on such matter has been consented by the relevant parties and formalities are met (for example in the event of employee transfers a dully notice shall be given to the employee).
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Although liabilities regarding the use artificial intelligence have not been addressed in a specific manner in Mexico, it is important to mention that Mexico, under the Federal Civil Code, follows the general rule of “strict liability”. Meaning that if artificial intelligence is understood to be a mechanism or instrument that may be understood itself to be dangerous, the person using the artificial intelligence software program, is obliged to repair the damage caused by such software program, even if the person does not act in an unlawful manner, unless that person proves that the damage was a consequence of the inexcusable fault or gross negligence of any injured party.
What key laws exist in terms of obligations as to the maintenance of cybersecurity?
The most important laws on obligations related to the maintenance of cybersecurity are related to the processing and protection of personal data (as the Mexican Data Protection Law) and specific and specialized rules or regulations applicable to financial institutions (for example regulations applicable to electronic banking).
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Mexican Federal Criminal Code establishes a series of crimes related to the illegal access to systems of private parties, the government and the financial sector. However, illegal access is only considered a crime if the systems are considered to be protected by security measures (which are not defined). DDOS attacks are not considered a crime under the Federal Criminal Code.
What technology development will create the most legal change in the jurisdiction?
We believe that the Fintech industry growth in Mexico will create a new paradigm in the financial and technology legal framework in Mexico. In fact, Mexico is developing a Fintech Law which purpose will be to facilitate the access to financial products and services.
Companies shall be open to adopt new technologies and new business models in order to innovate on how thigs have been done in the past years.
Also, Internet of Things IoT will create new concerns regarding privacy and data protection, along with the technological development that will have to be created in order to support the whole IoT industry.
Finally, Smart Cities will be a disruptive matter that is supposed to update legal framework in Mexico as Smart cities involve diverse social, economic, structural, technological and regulatory contexts which are meant to meet the needs of citizens and create new opportunities to companies and operators.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
Regarding e-commerce and technology development, Mexican laws or provisions does not discourage their use or development. However, the main impediment may be the distrust of consumers in the use of new technologies to carry out day to day operations/transactions. The main concern of consumers is always on their privacy and related to cybercrimes.
Do you believe the legal system specifically encourages or hinders digital services?
Mexico is currently developing a National Digital Strategy which purpose is to build a digital country. Such National Digital Strategy has five main objectives: (i) innovation and citizen participation; (ii) universal and effective health; (iii) educational transformation; (iv) digital economy; and (v) government transformation.
It is important for the Mexican government to take advantage of the developments and potential of the TICs industry in order to help the development of the country. And, despite the fact Mexico is at the bottom of the countries in the Organization for Economic Co-operation and Development (OECD) on digitalization matters, Mexico is going through many changes and amendments on its legal framework in order to adopt a new digital strategy to develop almost all sectors in the country.
To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?
In the history of humankind, any legal or justice system has been developed by adapting itself to the reality of the occurrence of the facts. In this sense, we believe that despite the fact many of the “general” rules pertaining to liabilities, protection and regulation of artificial intelligence are already established, all the new issues related to problematics on artificial intelligence will shape the current and new legal framework on such matters.
In this sense, the more development and applications on artificial intelligence the better for the legal framework, as those developments and applications will encourage amendments to properly regulate artificial intelligence. However, a full-implemented digital ecosystem which allows the adoption of new technologies will be required.