In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Miguel Recio, LLM in Data Protection, Transparency and Access to Public Information, compares key provisions of the Federal Data Protection Law Held by Private Parties and its Regulations with the EU GDPR.
Mexico, like the European Union, is living through a vibrant moment in data protection. Mexico is close to acceding to Convention 108 of the Council of Europe, while the European Commission, as announced in its COM(2017) 7, will push for the finalization of the review of that convention, for the EU to become a party to it, and for the accession of third countries. While we await news on this, we focus our attention on four similarities and one difference between the Mexican data protection regulation and the EU GDPR.
Accountability and data governance
With the passing of the GDPR, accountability is now an express principle in the EU, and the data controller is responsible for, and must be able to demonstrate, compliance with it. In Mexico, accountability is a well-known principle that was included and developed in the Regulations to the Federal Data Protection Law.
In both cases, accountability means that the data controller must proactively adopt and implement measures to comply with the applicable data protection law. For example, the Regulations to the Federal Data Protection Law include measures such as “establish an internal supervision and monitoring system, as well as external inspections or audits to verify compliance with privacy policies” (Article 44.III) and “implement a procedure to deal with the risk to the protection of personal data by the implementation of new products, services, technologies and business models, as well as to mitigate them” (Article 44.V).
Accountability is key to robust and effective data governance, and data controllers in Mexico and the EU now share this principle. However, one could argue that the approach of the EU GDPR is more pragmatic, as it does not include even an open list of measures to comply with this principle. This means accountability can be achieved through any appropriate technical and organizational measures, taking into account the risks involved, and in particular the risks to the rights and freedoms of natural persons arising from the processing of their personal data.
Data Protection Impact Assessment
Although the Mexican data protection law and its regulations do not expressly mention privacy impact assessments, Article 44.V of the Regulations to the Federal Data Protection Law Held by Private Parties refers to the implementation of “a procedure to deal with the risk to the protection of personal data by the implementation of new products, services, technologies and business models, as well as to mitigate them.” In practice, this procedure amounts to a privacy impact assessment (PIA) or a Data Protection Impact Assessment (DPIA).
In fact, both the Mexican Regulations to the Federal Data Protection Law Held by Private Parties and the EU GDPR focus on cases in which the use of new technologies is likely to result in a (high) risk to privacy or to the rights and freedoms of natural persons. This means that in both Mexico and the EU, DPIAs are essential tools to assess whether the processing of personal data may result in a high risk for the data subject and, consequently, to adopt measures to minimize it.
Security measures
There is no data protection without security. Both the Mexican data protection regulation and the EU GDPR include the obligation of the data controller and processor to adopt and implement technical and organizational measures to protect personal data against, among other things, damage, loss, alteration, destruction or unauthorized use, access or processing.
While security measures are an obligation for data controllers and processors in both Mexico and the EU, the Mexican regulation goes into detail on some of them, whereas the EU GDPR focuses on the goal and only mentions some examples.
For example, the Mexican regulation requires a security document setting out the security measures adopted, whereas the EU GDPR lists some examples of security measures and provides that adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance with this obligation.
Self-regulation and certification on data protection
One big area of opportunity is self-regulation and certification on data protection. The GDPR encourages codes of conduct and certification on data protection, and Mexico has relevant experience here: its Parameters of Self-Regulation for the Protection of Personal Data were published in 2013 and later improved and updated in 2014.
The National Institute of Transparency, Access to Information and Personal Data Protection (in Spanish, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, INAI) manages a public registry of accreditation bodies, certification bodies, self-regulation schemes and certifications granted to both data controllers and processors.
Even though the Mexican and European data protection certification, seal and mark mechanisms are independent of one another, in both cases the goal is that data controllers and processors adopt and implement good practices in data protection that go beyond mere compliance.
Therefore, all involved parties, and in particular data controllers and processors, may benefit from this opportunity if data protection authorities on both sides of the Atlantic cooperate to raise awareness and encourage certifications, codes of conduct, marks and seals on data protection. At the same time, these are relevant mechanisms for generating trust and confidence in accountable and proactive data controllers and processors.
Legitimate interest for the processing of personal data
One of the biggest differences between the Mexican data protection regulation and the EU GDPR is legitimate interest as an acceptable condition for the processing of personal data.
Whereas the EU GDPR includes the legitimate interest of the data controller as one of the conditions for the lawful processing of personal data, following Article 7(f) of Directive 95/46/EC, the Mexican law does not include any such provision for the processing of personal data or its transfer to third parties.
On the other hand, tacit consent is valid in Mexico, except for the processing of sensitive personal data (such as data related to racial or ethnic origin, present and future health status, genetic information, and religious or philosophical beliefs) and of financial or asset data, both of which require express consent.
In any case, legitimate interest is still a developing concept that requires a balancing test: the controller's interest does not prevail where it is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6(1)(f) of the EU GDPR), especially where the data subject is a child.
GDPR readiness for Mexican companies under the scope of the EU GDPR
Mexican data controllers or processors not established in the EU may nonetheless fall within the territorial scope of the EU GDPR (Article 3(2)) when they process personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour. This means that these data controllers and processors need to work on the technical and organizational measures the EU GDPR requires in order to be compliant in less than a year. For other data controllers and processors, the EU GDPR may serve as a benchmark of good practices to consider.