Mexico’s data protection legal framework implements the principle of accountability in Articles 6, 14 and 19 of the Federal Law on Protection of Personal Data in Possession of Private Parties (FLPPDPPP) and Articles 47 and 48 of its regulation, respectively.

On May 29, the Ministry of Economy published Self-Regulation Parameters for Data Protection. These parameters are complementary measures to the current national legal framework for data protection that establish specific rules, criteria and procedures for the development and implementation of self-regulatory binding schemes on data protection as referred to in article 44 of the FLPPDPPP and articles 79 to 86 of its regulation.

Private organizations and entities seeking to comply with data protection obligations may voluntarily adhere to a self-regulatory scheme that could further show their commitment to protect the personal information of data subjects. Self-regulation schemes are binding upon those entities and organizations that have freely chosen to adhere to them; however, adherence to a self-regulatory mechanism works on a purely voluntary basis.

Pursuant to Article 80 of the regulation of the FLPPDPPP, self-regulation schemes may take the form of codes of conduct, codes of best professional practices, trust seals, privacy policies, corporate privacy rules and any other mechanism that includes specific rules and data protection standards that facilitate the compliance with the accountability principle.

According to section 8 of the parameters, binding self-regulation on data protection is governed and should function based on five core principles: (i) voluntariness; (ii) obliging; (iii) transparency; (iv) accountability, and (v) impartiality.

Pursuant to section number 6 of the parameters, binding self-regulatory schemes may include sector-specific principles, standards and procedures in order to address particular problems or situations that were not initially foreseen by the general rules and make the protection of personal data in the self-regulated activities work more efficiently.

One of the novelties of the Self-Regulation Parameters for Data Protection is that data controllers and data processors—regardless of their size—may be able to obtain a certification from an acknowledged accredited entity that would certify whether they generally comply with the legal framework on data protection, international standards and best practices on the subject.

The conditions and criteria for obtaining certifications on data protection are contained in sections 14 and 53 to 83 of the parameters. It is important to point out that there is not yet a national accreditation entity on data protection for businesses, but it is very likely that NYCE—the accredited entity in charge of the general compliance with standards and national official norms for the information technology and telecommunications sectors in Mexico—might be the first entity to offer certifications on data protection for businesses and private organizations since it already has the infrastructure and the trajectory in offering national certifications pursuant to the Federal Law on Metrology and Standardization.

Transitory Articles Third and Fourth of the Self-Regulation Parameters for Data Protection set forth a term of nine months for the data protection agency (IFAI) to publish the final Rules of Functioning and Operation of the Registry and one additional month for such registry to commence formal activities and start receiving subscription requests to register self-regulatory mechanisms from the private sector. The Final Rules and Functioning of the Registry are expected to be in full operation by April 2015.

Undoubtedly, the certification on data protection for businesses is the next big step in the evolution of legal compliance with the complex legal framework on data protection in Mexico.

A recognized and valid certification on data protection will surely bring a number of advantages and benefits for businesses. First, businesses could demonstrate how they care about privacy and that their practices on the collection and processing of personal information may be certified by an accredited entity following strict international standards. Second, businesses might rely on the certification as an additional compliance tool on data protection before IFAI and thus avoid or diminish the possibility of being subject to administrative investigations or sanctions. It is important to mention that only a very small percentage of businesses in Mexico are aware of the importance of complying with data protection rules, and a large number of data controllers and data processors have not yet fully implemented the required technical, administrative and security measures as mandated in the FLPPDPPP and its regulation.

The self-regulation parameters are an important development and clearly demonstrate a concrete example of the implementation of the principle of accountability at the national level.

Since accreditation agencies on data protection and the registry of self-regulation parameters have not yet been fully implemented, it is too early to assess their general acceptance and functioning at this point. However, the increased adoption and success of self-regulation parameters, and in particular of certification schemes on data protection for businesses, would not only possibly raise the number of national businesses and private entities seeking to comply with the national rules on data protection, but might also allow interoperability with other emerging regional accountability frameworks like APEC’s Cross-Border Privacy Rules, which Mexico endorsed in February 2013.

Privacy professionals have an important role to play in facilitating the diffusion and adoption of self-regulation parameters, which would increase the full implementation of fair information principles, privacy and security policies, certification schemes and binding corporate rules and best practices for national and international transfer of personal information in Mexico. The endorsement of certifications on data protection practices by data controllers and data processors offers the promise to demonstrate that businesses take privacy and the protection of personal information seriously and could generate an atmosphere of trust among consumers, data protection agencies and regulatory entities as a whole.