News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Mexico's new public-sector data protection law Related reading: US House subcommittee kicks off draft American Privacy Rights Act consideration

rss_feed

After several years and an essential constitutional reform, finally Mexico has a new Federal Law on Data Protection for the Public Sector.

On Jan. 26, the General Law on Data Protection Held by Obligated Parties (in Spanish, Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) was published in the Official Federal Gazette. The law entered into force the following day and requires that the Federal Law on Transparency and Access to Public Information as well as other federal and state laws be amended to align with the general law within six months.

Why a federal law on data protection for the public sector?

By issuing this law, after the amendment of Article 6 of the Constitution in 2014, Mexico has achieved two important goals: First, the level of protection is now similar for both for private and public sectors within its borders; and second, the law has followed current international standards as this may be a key step to sign or adhere, with reservations if applicable, to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) of the Council of Europe.

The publication of this law shall require as well an important action of harmonization at the state level in Mexico. Federal and state entities will need to update or amend their data protection laws to comply with the standards of the federal law to protect citizens with regard to the processing of their personal data.

Scope of the Law

The Federal Law on Data Protection for the Public Sector shall apply to “obligated parties,” both data controllers and data processors, in the federal sector — meaning the agencies and bodies of the federal government of Mexico. It applies to any processing by these agencies of personal data in physical or electronic media, regardless of the form or modality of its creation, type of support, processing, storage and organization.

For sensitive personal data, explicit consent is required, unless an exception to it applies, as provided in Article 22.

Data protection impact assessments

With this law, data protection impact assessments have been introduced for the public sector.

A DPIA is defined, in Article 3.XVI of the law, as a “document by which obligated parties who intend to put into operation or modify public policies, programs, systems or computer platforms, electronic applications or any other technology that involves the intensive or relevant processing of personal data, assess the real impacts with respect to a given processing of personal data, in order to identify and mitigate possible risks related to the principles, duties and rights of the data subjects, as well as the duties of the data controllers and processor, provided for in the applicable regulations.”

Regarding the DPIAs, one of the faculties of the National Institute for Transparency, Access to Information and Personal Data Protection (in Spanish, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) or the guarantee bodies, as appropriate, is to issue within a period of 30 days non-binding recommendations regarding DPIAs submitted to them.

Furthermore, the National System of Transparency, Access to Public Information and Personal Data Protection shall issue administrative rules to evaluate the content submitted by obligated parties in determine the content of the DPIA.

Finally, if the data controller considers that the intended effects of the action (i.e., put into operation or modify public policies, programs, systems or computer platforms, etc.) may be compromised, a DPIA will not be required. The law does not explain whether such exception requires a written explanation or something similar from the data controller.

Cloud computing

The law dedicates three relevant provisions to cloud computing services in the public sector.

First, the law defines cloud computing, in Article 3.VI, as a “model of external provision of computing services on-demand, involving the provision of infrastructure, platform or software, flexible provisioned, through virtual procedures, in dynamically shared resources.”

This short definition should be applied considering other definitions of cloud computing in the regulation for the public sector, as, for example, the one provided in the agreement that set the Interoperability and Open Data Scheme of the Federal Public Administration (in Spanish, Acuerdo por el que se establece el Esquema de Interoperabilidad y de Datos Abiertos de la Administración Pública Federal) or in the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties as well.

Second, Article 63 of the law states that data controllers may contract or adhere to services, applications and infrastructure of cloud computing and “other subjects.” Even though there is not an explanation of this last reference, it should be interpreted as the possibility to use other technologies or electronic services that allow the processing of personal data.

This article also establishes an important condition in order for data controllers of the public sector to use cloud computing. In particular, data controllers shall look for external cloud computing service providers that “guarantee data protection policies similar to the principles and duties” of this law and other applicable provisions on this subject.

With this provision, the law establishes the level of data protection required to contract or adhere to cloud computing services of any local or foreign cloud computing service provider, or even providers of other services, as the law adds the reference to “other subjects.” In this sense, it’s possible that obligated parties wanting to use big data services or cybersecurity services that require the processing of personal data would have to comply with the data protection guarantees set by this law.

And third, the law, following and copying Article 52 of the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties, also includes a list of guarantees and requirements applicable to cloud computing services and their providers. These guarantees and requirements are: 

  1. Complies at least with the following:
    a) Has and uses policies to protect personal data similar to the applicable principles and duties set out in this Law and other applicable regulation;
    b) Makes transparent subcontracting that involves information about the service which is provided;
    c) Abstains from including conditions in providing the service that authorize or permits it to assume the ownership of the information about which the service is provided, and
    d) Maintains confidentiality with respect to the personal data about which it provides the service;
  2. Has mechanisms at least for:
    a) Disclosing changes in its privacy policies or conditions of the service it provides;
    b) Permitting the data controller to limit the type of processing of personal data about which it provides the service;
    c) Establishing and maintaining adequate security measures to protect the personal data about which it provides the service;
    d) Ensuring the suppression of personal data once the service has been provided to the data controller and that the latter may recover it, and
    e) Impeding access to personal data by those who do not have proper access or in the event of a request duly made by a competent authority, so inform the data controller.”

Finally, the law insists again on the fact that data controllers of the federal administration can only adhere to services that protect personal data. In particular, the law forbids to adhere to services that do not guarantee the proper protection of personal data established by it and other applicable provisions.

Privacy officers in the federal government

 The last relevant note is that the Law mentions privacy officers and provides that transparency units of each data controller may appoint a privacy or data protection officer who will be part of the unit and perform some functions as, for example, manage requests for the exercise or data subjects´ rights and provide advice on data protection to the data controller.

photo credit: icexmaker México Lindo via photopin (license)

Author
Headshot Miguel Recio Nonmember Contributor
Tags
Government
Latin America
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
Corrected text of EU AI Act released
The corrigendum of the EU Artificial Intelligence Act has been released. The document corrects and clarifies language in the act and is required before it can fully come into effect. Editor's note: Explore the IAPP AI Governance Center and subscribe to the AI Governance Dashboard. Full story...
Read More queue Save This
Related Stories
Tags
Government
Latin America
Privacy Law
Recent Comments