Mexico: closer to GDPR than you think

BGBG is one of the few Mexican law firms with a practice exclusively dedicated to data protection and privacy matters. How is it that you came to this?
Héctor: Back in 2011, when we started this practice, there was little knowledge and interest in Mexico in data protection. Some colleagues even said to me that this was just a momentary eccentricity that would only last two or three years.

My first knowledge and practice on data protection came from Spain. Well before GDPR; I was familiar with this kind of comment and thinking. I knew that this practice deserved its own time, resources, and professionals, but of course it was difficult when we took our first steps. Nowadays having this specialised practice sounds logical, but 11 years ago data protection compliance was not the rule.

Now in 2022, compliance is not an option, but a duty and a business philosophy. Also, international data protection compliance projects happen all the time. We work with European, American, and Asian law firms and clients to provide ‘Mexican data protection requirements’, and this is only the beginning.

Do you agree that the GDPR has become an international standard regarding data protection? If so, how far from this standard do you think Mexico stands right now?
Héctor: GDPR has definitely become a standard that international companies cannot avoid and that should be followed in order to maintain business relationships with their group companies, clients and vendors. Even when Mexican companies do not directly offer their goods or services to individuals in the European Union, intra-group data transfers agreements and services agreement with European vendors require companies to review their own data protection compliance status, as well as to seek advice on what they are accepting when a EU data controller or data processor requires them to enter into a data processing agreement regulated by GDPR.

The European data protection principles have a big influence on the Mexican data protection legal framework, and it is important to note that since October 2018 Mexico has been part of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) as a non-member of the Council of Europe.

So even though our first data protection law has not been updated since it was issued on 2010, Mexico started following the provisions of then-in-force Directive 95/46/EC and GDPR is surely the path our laws and regulations will follow when the time to update our framework finally arrives.

How is personal data protection regulated in Mexico?
Héctor: Mexico chose a particular way to regulate the right to data protection, issuing (at different times) a law to regulate ‘private parties’ and a law to regulate public authorities. This has resulted in two systems regulating the same right but with different rules depending on who the data controller is.

Mariana: Mexico has two main laws on personal data protection. (i) The Federal Law on the Protection of Personal Data Held by Private Parties (and its Regulations), and (ii) The General Law on the Protection of Personal Data Held by Mandated Parties. The General Law acts as the national reference for 32 local data protection laws (one for each Mexican State).

In summary, we can say that the Federal Law on the Protection of Personal Data Held by Private Parties and its Regulations regulate data processing carried out by companies and individuals (private parties), and the General Law on the Protection of Personal Data Held by Mandated Parties applies to the processing of personal data carried out by any federal authority, entity, body, agency of the executive, legislative, and judicial branches, autonomous bodies, political parties, trusts, and public funds. The 32 local laws apply to state and municipal entities.

Is there any regulation on cybersecurity in Mexico?
Mariana: As of today, there are no laws on cybersecurity in Mexico. The latest legislative proposal was presented to the Senate on March 2021, but no progress has been made. However, the Federal Criminal Code regulates information security and the use of technology in other crimes.

Héctor: This is true. Mexico lacks a solid cybersecurity legal framework. This does not mean that no cybersecurity strategy, activities, and programmes exist, but understanding cybersecurity as a legal obligation and an operational requirement is something that as a country Mexico has not fully achieved.

Currently, we are raising awareness about cybersecurity when advising our clients to comply with security measures, legal requirements and, in a few cases, when they want to implement best practices or international standards on information security management systems.

Who is the supervisory authority on these matters?

Mariana: The Mexican supervisory authority is the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI, by its acronym in Spanish). The INAI has competence to enforce the Federal and the General Data Protection Laws, as well as to carry out inspections, issue guidelines and recommendations on data protection and to assist data controllers and data subjects on legal and technical inquiries to comply with data protection principles and obligations.

What are the areas of opportunity regarding data protection and cybersecurity in your country?
Mariana: There is a need for a law on cybersecurity to regulate cyberspace risks in accordance with current technologies and international laws. I think Mexico is falling behind in this aspect and not keeping up with the development of technology nor international trends. Mexico must issue cybersecurity laws and guidelines and regulate cybercrimes affecting private parties and critical infrastructures.

How do you expect that these matters will be regulated in a five-year span?
Héctor: Mexico will have a GDPR-style law. Ideally, this law will regulate both private parties and public authorities under the same rules. This change may not come soon, but in the next five years there is a very good chance that we will reach this level since opinions about the need for this improvement in our data protection legal framework have become more and more important. The fact that Mexico will be part of Convention 108+ is also a sign of the level of protection that the country will seek to establish in our national laws, and that pretty much leads to a new, GDPR-style law for Mexico.

Are there any sanctions for non-compliance with data protection or cybersecurity laws?
Mariana: Data protection laws consider sanctions for non-compliant data controllers. The fines consist of any of the following:

  • A warning to comply with a data subject’s rights request;
  • a fine from MX$8,962 (US$445; €405) and up to MX$14,339,200 (US$712,876; €649,074) for serious infringements; and
  • A fine from MX$17,924,00 (US$890; €810) and up to MX$28,678,400 (US$1,425,753,54; €1,298,148) for very serious infringements.

Furthermore, if a controller persists on its unlawful conduct, it can be subjected to a fine from MX$17,924,00 to MX$28,678,400. Persistence in an unlawful conduct which involves sensitive data may be twice as much.

Besides monetary penalties, are there any criminal sanctions for noncompliance with data protection or cybersecurity laws?
Mariana: In addition to fines relating data protection matters, anyone who breaches security measures, collaborates on a data breach to a database under their custody or unlawfully profits from processing personal data by exploiting an error of the data subject may be subject to imprisonment. The prison sentence ranges from three months to five years.