Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 28 Nov. 2024, the Mexican Senate approved the constitutional reform known as "organic simplification," which dissolves seven autonomous constitutional bodies, including the National Institute of Transparency, Access to Information and Protection of Personal Data. The INAI has played a key role in ensuring government transparency and personal data protection.
The constitutional reform was published in the Official Gazette of the Federation 20 Dec. 2024. It transfers responsibilities regarding access to information, transparency and personal data protection to a body within the federal public administration, which will assume responsibility for protecting personal data held by private and public entities.
In this regard, on 20 Feb., President Claudia Sheinbaum submitted to the Senate a bill titled "Decree for issuing the General Law on Transparency and Access to Public Information, the General Law on the Protection of Personal Data Held by Obligated Parties, and the Federal Law on the Protection of Personal Data Held by Private Parties, as well as amending various provisions of the Organic Law of the Federal Public Administration."
The proposed Federal Law on the Protection of Personal Data Held by Private Parties is essentially the same as the 2010 law by the same name, which is still in force. Principles, rights, procedures and sanctions, in general, remain unchanged except for certain specifications.
The Ministry of Anticorruption and Good Governance would become the sole competent authority to enforce the LFPDPPP and, therefore, to protect personal data held by private entities. It would replace the INAI, which was abolished following the constitutional reform approved in December 2024. Consequently, the functions, powers or references to the INAI in Mexican laws would be assumed by the ministry.
The bill also proposes that resolutions issued by the Ministry of Anticorruption and Good Governance may be challenged through an amparo lawsuit, which would be handled by "judges and specialized courts in the matter, as determined by the Federal Judiciary." It is worth noting that before this bill, there were no specialized judges or courts for this matter, making this a significant change. Accordingly, the federal judiciary will have 180 calendar days from the bill's entry into force to implement these changes.
It is important to recall the INAI was characterized by having significant powers at both the national and international levels to protect two fundamental human rights. It was a key authority in the field and a constitutionally autonomous body. Its existence and powers were established in the Mexican Constitution, and it had functional and financial autonomy, without subordination to any other branch of government, such as the executive or judiciary. It also had the authority to file constitutional controversies.
The new authority on data protection, the Ministry of Anticorruption and Good Governance, is a body under the organizational structure of the executive branch. Its existence is based on the Organic Law of the Federal Public Administration, and it lacks budgetary and functional autonomy. To provide legal certainty to individuals with pending administrative proceedings before the INAI, such proceedings will be handled by the Ministry of Anticorruption and Good Governance before the president's bill comes into effect.
Due to the constitutional reform, legislators are likely to introduce various bills to amend the legal framework for data protection applicable to private entities. For instance, a recent bill proposes new obligations, such as mandatory notification of security breaches to the ministry and the requirement to obtain its authorization for processing sensitive personal data, among other provisions.
However, all initiatives are subject to the legislative process and must be debated and approved by both chambers of the Mexican Congress before coming into force.
It will be essential to closely follow the legislative process of these initiatives. This may be the moment to substantially review personal data protection in Mexico, despite the fact that eliminating a national authority in the matter, with constitutional and autonomous status, is undoubtedly a setback.
Renata Bueron is a senior associate specializing in privacy, data protection and security and Iván García is an associate in the area of data protection and intellectual property at Basham, Ringe and Correa.
