After several years and an essential constitutional reform, Mexico finally has a new federal law on data protection for the public sector.
On Jan. 26, the General Law on Data Protection Held by Obligated Parties (in Spanish, Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) was published in the Official Federal Gazette. The law entered into force the following day and requires that the Federal Law on Transparency and Access to Public Information as well as other federal and state laws be amended to align with the general law within six months.
Why a federal law on data protection for the public sector?
By issuing this law, after the amendment of Article 6 of the Constitution in 2014, Mexico has achieved two important goals. First, the level of protection is now similar for both the private and public sectors within its borders. Second, the law follows current international standards, which may be a key step toward signing or acceding, with reservations if applicable, to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) of the Council of Europe.
The publication of this law will also require significant harmonization at the state level in Mexico. Federal and state entities will need to update or amend their data protection laws to meet the standards of the federal law and protect citizens with regard to the processing of their personal data.
Scope of the Law
The Federal Law on Data Protection for the Public Sector applies to “obligated parties,” both data controllers and data processors, in the federal sector, meaning the agencies and bodies of the federal government of Mexico. It covers any processing by these agencies of personal data in physical or electronic media, regardless of the form or modality of its creation, type of support, processing, storage and organization.
For sensitive personal data, explicit consent is required unless one of the exceptions provided in Article 22 applies.
Data protection impact assessments
With this law, data protection impact assessments have been introduced for the public sector.
A DPIA is defined, in Article 3.XVI of the law, as a “document by which obligated parties who intend to put into operation or modify public policies, programs, systems or computer platforms, electronic applications or any other technology that involves the intensive or relevant processing of personal data, assess the real impacts with respect to a given processing of personal data, in order to identify and mitigate possible risks related to the principles, duties and rights of the data subjects, as well as the duties of the data controllers and processor, provided for in the applicable regulations.”
Regarding DPIAs, one of the powers of the National Institute for Transparency, Access to Information and Personal Data Protection (in Spanish, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) or of the guarantee bodies, as appropriate, is to issue, within 30 days, non-binding recommendations on the DPIAs submitted to them.
Furthermore, the National System of Transparency, Access to Public Information and Personal Data Protection shall issue administrative rules that determine the content of a DPIA and govern how the assessments submitted by obligated parties are evaluated.
Finally, if the data controller considers that submitting a DPIA could compromise the intended effects of the action (i.e., putting into operation or modifying public policies, programs, systems or computer platforms, etc.), a DPIA will not be required. The law does not say whether such an exception requires a written explanation or something similar from the data controller.
Cloud computing
The law dedicates three relevant provisions to cloud computing services in the public sector.
First, the law defines cloud computing, in Article 3.VI, as a “model of external provision of computing services on demand, involving the provision of infrastructure, platform or software, flexibly provisioned, through virtual procedures, in dynamically shared resources.”
This short definition should be read alongside other definitions of cloud computing in public-sector regulation, for example the one in the agreement establishing the Interoperability and Open Data Scheme of the Federal Public Administration (in Spanish, Acuerdo por el que se establece el Esquema de Interoperabilidad y de Datos Abiertos de la Administración Pública Federal) and the one in the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties.
Second, Article 63 of the law states that data controllers may contract or adhere to services, applications and infrastructure of cloud computing and “other subjects.” Although the law does not explain this last reference, it is best read as allowing the use of other technologies or electronic services that process personal data.
This article also sets an important condition on the use of cloud computing by public-sector data controllers: they must choose external cloud computing service providers that “guarantee data protection policies similar to the principles and duties” of this law and other applicable provisions on the subject.
With this provision, the law establishes the level of data protection required to contract or adhere to cloud computing services from any local or foreign cloud service provider, and even from providers of other services, given the reference to “other subjects.” In this sense, obligated parties wanting to use big data services or cybersecurity services that require the processing of personal data would likely have to comply with the data protection guarantees set by this law.
And third, the law, closely following Article 52 of the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties, also includes a list of guarantees and requirements applicable to cloud computing services and their providers. These guarantees and requirements are that the provider:
- Complies at least with the following:
a) Has and uses policies to protect personal data similar to the applicable principles and duties set out in this Law and other applicable regulation;
b) Makes transparent any subcontracting that involves information about which the service is provided;
c) Abstains from including conditions in the provision of the service that authorize or permit it to assume ownership of the information about which the service is provided, and
d) Maintains confidentiality with respect to the personal data about which it provides the service;
- Has mechanisms at least for:
a) Disclosing changes in its privacy policies or in the conditions of the service it provides;
b) Permitting the data controller to limit the type of processing of the personal data about which it provides the service;
c) Establishing and maintaining adequate security measures to protect the personal data about which it provides the service;
d) Ensuring the suppression of personal data once the service has been provided to the data controller, and that the latter may recover it, and
e) Preventing access to personal data by those who do not have access privileges or, where access is sought by a duly founded request from a competent authority, informing the data controller of that fact.
Finally, the law reiterates that data controllers of the federal administration may only adhere to services that protect personal data. In particular, it forbids adhering to services that do not guarantee the protection of personal data established by the law and other applicable provisions.
Privacy officers in the federal government
The last relevant note is that the law mentions privacy officers and provides that the transparency unit of each data controller may appoint a privacy or data protection officer, who will be part of the unit and perform functions such as managing requests for the exercise of data subjects' rights and advising the data controller on data protection.