Multinational and internationally focused businesses in the United States and elsewhere have stepped up their efforts to monitor and comply with data protection laws in recent years. Reasons for this trend include an increasing proliferation of new laws in this area, public attention, enforcement initiatives by European data protection authorities and the generally increased focus on compliance with laws, which used to be a self-evident requirement applicable to all employees but has become a separate professional discipline or even office in many organizations.


At the outset of implementing a global data privacy compliance program, businesses can categorize the various national regulatory regimes by dividing countries into three general categories: (1) countries that do not have any specific data protection laws and apply only general constitutional principles and tort laws; (2) countries that enact sector-specific or threat-specific privacy laws, such as the United States with laws for the financial services sector, health information, data breach notification statutes and other specific laws; and (3) countries that opt for broad-scope data protection laws with default rules for the processing of most kinds of personal data, such as the European Economic Area Member States, Argentina, Canada, Russia and Switzerland. From this perspective, Mexico recently jumped from category 1 to category 3 with the enactment of a European-style omnibus data protection law.


Businesses that have already implemented steps to comply with European data protection laws could simply port these measures to achieve compliance with the new Mexican law. This may be administratively convenient; however, it is not absolutely necessary, because some differences apply. For example, under the Mexican law, multinationals have to implement specific data transfer agreements, and they can obtain consent through issuance of qualified privacy notices and tacit assent. Also, the new Mexican law does not specifically address topics such as Internet cookies or collection of personal data in connection with credit card transactions.


Overview: On July 5, 2010, the Mexican Ministry of the Interior published the new Mexican Data Protection Law, which came into force on July 6, 2010, with some provisions having delayed effective dates in 2011 and 2012. This data protection law is Mexico's first law of its type at the federal level and creates a new set of obligations and compliance challenges for companies that collect, process, store or manage personal data.


Scope: The Mexican statute applies only to the private sector—not to government authorities. The EU Data Protection Directive is equally limited to the private sector because the EU does not have legislative jurisdiction to regulate the self-organization of the Member States’ national governments. But Germany, for example, applies similar rules to government authorities as it applies to businesses in the German Federal Data Protection Act. Individual persons processing data for private household purposes, i.e., not commercial purposes, are exempt from the requirements of the law. Credit reporting entities are also exempt because they are subject to different regulations.


From a jurisdictional perspective, the law applies to the processing of personal data by companies and persons on Mexican territory—regardless of where the data subjects reside. As a consequence, Mexican-based Internet companies have to comply with the Mexican law regarding any personal data they collect on non-Mexican users. Also, a Mexican parent company would have to comply with the law as to data collected from employees of its foreign subsidiaries. But the statute does not expressly extend to the processing of personal data relating to Mexican residents by companies acting outside of Mexico. Thus, a U.S.-based Internet company does not seem to be required to comply with the Mexican law as to data submitted by Mexican Internet users via the World Wide Web. This situation could change, however: administrative and judicial authorities in Mexico are currently debating whether certain extra-territorial effects of the new law may be justified when the data is obtained as part of the provision of a value-added telecommunication service that is registered before Mexican telecommunications regulators under the provisions of the Mexican telecommunications legislation and the North American Free Trade Agreement, which allows for the cross-border provision of such services, including certain services provided over the Internet.


Substantive Coverage: As under European Union law, the terms “processing” and “personal data” are defined broadly and cover “the procurement, use (including any access, management, transfer or disposal), disclosure or storage of personal data by any means” of any “information concerning an identified or identifiable individual.” Mexico also follows the European approach of generally prohibiting the processing of personal data by default, requiring instead consent, a necessity under contract or statute, superseding interests based on a balancing test of interests, or emergency situations. (Articles 8 and 10.) But with respect to data available from public sources, Mexico is more lenient than Europe and generally permits processing of such data without consent or other justification. (See Article 10(II).)


Interestingly, the new Mexican law refers to data subjects as “titulares,” i.e., the “owners,” but the statute itself does not create property rights in personal data for data subjects, except where the data consists of a photograph of the subject.


General Principles: As a matter of principle, the Mexican law addresses the following principles:


  • Notice – Data subjects should be given notice when their personal data is being collected. (Art. 3.I)

  • Purpose – Personal data should only be used for the stated purposes and not for any other purposes. (Art. 12)

  • Consent – Personal data should not be disclosed without the data subject's consent. (Art. 8)

  • Security – Personal data should be kept safeguarded from potential abuses (Art. 19).

  • Disclosure – Data subjects should be informed about the identity of the data collector. (Art. 16)

  • Access – Data subjects should be allowed to access their data and make corrections to any inaccurate data. (Art. 22)

  • Accountability – Data subjects should have a method available to them to hold data collectors accountable for breaches of the above principles. (Arts. 28 and 45)


Notice: Companies must deliver a privacy notice, on paper or in electronic form, to the data subjects, explaining all relevant aspects of the processing, including the following:


  • The identity and address of the data collector;

  • The purposes for the collection of personal data;

  • The options and means implemented by the data collector to limit the disclosure or use of the data;

  • The mechanisms that the data subjects can follow to request access, correction, cancellation and opposition as provided by the data protection law, and

  • The process through which the data collector will communicate to the data subjects the changes in the privacy notice.


Companies have to provide the notice at the time of collection from the data subject, or as soon as possible thereafter where data is not collected directly from the data subject, or when the purposes of processing and use change. In cases where it is impossible or impractical to notify the data subject, e.g., due to the number or age of data subjects, companies may be permitted to deviate from the notice requirement, but they need to obtain prior authorization from the Mexican data protection authority (in general regulations, to be issued in 2011, or through specific approvals).


In the context of the new Mexican Data Protection Law, the privacy notice plays an important role because it can be used to solicit tacit consent.


Tacit Consent Can Be Valid: Unlike under European laws, companies can obtain valid consent from data subjects in Mexico by providing the required notices if the data subjects do not object. Consent may be revoked at any time, however, without retroactive effect, and companies have to inform the data subjects of the mechanisms and procedures for revocation in the privacy notice.


Express consent, which generally may be granted verbally, in writing, by electronic, optic or other technological means, or by “unequivocal indication,” i.e., impliedly, is required with respect to the processing of financial data and sensitive data.


Sensitive Data: With respect to sensitive personal data, companies must obtain express written consent, granted by hand signature, electronic signature or another means of authentication established for such purpose. (Article 9.) Sensitive personal data is defined broadly, as under European law, and includes any personal data that affects the data subject’s most intimate details or whose misuse may give rise to discrimination or carry a serious risk thereto; in particular, sensitive data includes, as under EU law, data that may reveal aspects such as racial or ethnic origin, current and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual preference. (Article 2(VI).)


Companies may not create databases containing sensitive personal data unless their creation is justified for legitimate and concrete purposes in accordance with the express activities or purposes of the respective person. (Article 9.)


Data Security Breaches: The Mexican law provides for much broader notification obligations than U.S. state laws and the laws currently considered or recently enacted in Europe: breaches of the security of personal data that affect the patrimonial or moral rights of data subjects in a material manner must be immediately communicated to the data subjects.


Data Transfers: Companies may not transfer personal data within Mexico or abroad unless they notify the data subjects of such transfers in the applicable privacy notice. If so notified, transfers are permitted without consent of the data subjects in certain exceptional circumstances, including, for example, when the transfer is made between companies of the same controlling group; otherwise, consent is required. (Article 37(III).) But, unlike under EU law, international transfers are not specifically restricted, and Mexican companies do not have to obtain government authorization or ensure “adequate safeguards” of data recipients outside Mexico.


Other Requirements:


  • All data controllers and processors have to appoint a person or group responsible for personal data-related requirements, e.g., a company privacy officer. (Article 30) Employers have to appoint a person or establish a personal data department in charge of handling employees' personal data and promoting the protection of the same.

  • Personal data must be deleted if it is no longer required for the purposes indicated in the privacy notice provided to the data subjects. (Article 11)

  • In line with European law and the general trend of evolving data security standards, all data processors must implement and maintain the administrative, technical and physical measures that protect personal data from damage, loss, alteration, destruction or unauthorized use, access or treatment. Security measures implemented must not be less than those used by data collectors to protect their own information and must also take into account the existing risk and the consequences derived from the sensitivity of the data and the prevalent technical development.


Data Protection Authorities: Companies do not have to register databases or notify their data processing activities, as they do in Argentina, Russia, some European jurisdictions and other countries.


But data subjects have the right to enforce the protection of their personal data by complaining to the Mexican Institute for Access to Information and Personal Data (IFAI) when a data collector refuses, among other things, to disclose the personal data of the requesting data subject that it holds or to rectify errors in the personal data. (Article 22.) Upon notice of a resolution from the IFAI, data collectors have 10 days to comply with the resolution. The IFAI may initiate an action to verify compliance with the data protection law by any data collector upon petition by an interested party or ex officio. The IFAI may also initiate at any time a conciliatory process between a data subject and a data collector. Data subjects may further seek damages from data collectors when they consider that they have suffered harm or losses derived from a breach by the data collector of the new Mexican data protection law.


Failure to comply with the Mexican data protection law may be punished with monetary penalties of up to USD 1.5 million, or up to USD 3 million when sensitive personal data is involved.


Compromising the security of a database containing personal data with the intention to profit is a criminal offense, punishable with up to three years of imprisonment, or up to six years when sensitive personal data is involved.


Furthermore, the act of collecting, using, disclosing or storing personal data through deceit and with the intention to profit is also a criminal offense, punishable with up to five years of imprisonment, or up to 10 years when sensitive personal data is involved.