Francoise Gilbert
Mexico’s new Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on the Protection of Personal Data Possessed by Private Persons) became effective on July 6, 2010. The Law is “of public order,” which means that contract provisions that conflict with it are unenforceable.
The Federal Institute for Access to Information and Data Protection (IFAI) is charged with issuing regulations and enforcing the Law. The regulations are expected to be issued within one year, and the Law will not be enforced until January 2012.
While the Law incorporates many principles found in the major privacy drivers such as the OECD Privacy Guidelines and the 1995 EU Data Protection Directive, it clearly opts to follow the guidance in the APEC Privacy Framework. This choice is especially evident with the provisions that address “accountability,” and the departure from the prohibition from data transfers to countries that do not offer an adequate level of privacy protection, which has been the hallmark of 1995 EU Data Protection Directive. Instead, for crossborder data transfers, the Mexican Law requires notice and consent of the data subjects, and makes the data controller responsible for ensuring that the recipient of the data abide by the same principles as those that are set forth in the sender’s privacy policy.
Scope of the Data Protection Law
The entities that are subject to the Law are individuals or legal persons that process personal data, other than credit information companies. In addition, like most other countries’ data protection laws, Mexico’s Law excludes from its scope individuals who collect, store, and use personal data for personal purposes.
The Law regulates the processing of personal data. The definition of the term “processing” encompasses a broad range of activities that include collection, use, disclosure, storage, access, management, transfer and disposal of personal data.
Protected Information
The Law applies to personal data that are processed, transferred, or disposed by private persons or entities. “Personal data” includes any information pertaining to an identified or identifiable natural person.
More stringent provisions apply to the handling of sensitive data, that is, those data that pertain to the race or ethnicity, health, genetic information, religion, philosophical and moral beliefs, union membership, political opinions and sexual preference of an individual. Further, even though financial and economic data are not included in the definition of “sensitive data,” their processing requires the express consent of the data subject.
Obligations of the Data Controller
The Law identifies restrictions to the collection and use of personal data. Most provisions apply to “data controllers,” the individuals or private corporations that determine how and by whom, personal data are processed.
Data controllers must collect and process personal data in a lawful manner. The data must be relevant, necessary, accurate, and updated for the purposes for which they were collected.
Data controllers may process personal data only for the purposes stated in their privacy notice unless the data subject consents to a new use of the data for a purpose that is not compatible with or analogous to the purpose that is set out in the privacy notice. Data controllers may keep the data only as long as necessary in order to fulfill the purposes for which the data were collected, and must delete any data that are no longer necessary for these purposes.
Conditions to the Collection and Processing
The general rule is that data controllers must obtain the consent of the data subjects in order to process their personal data. The consent may be expressed or implied. In the case of sensitive data, or financial and economic data, the expressed and written consent of the data subject is required.
There are several cases where the data subject’s consent is not required for the processing of personal data to be lawful. For example, consent is not required when the collection and processing of the data is provided by law or is necessary to comply with obligations derived from a legal relationship between the data subject and the data controller. There are other exceptions for data that have been anonymized, are included in publicly available sources, or are needed for medical care, prevention, diagnosis, or medical treatment while the data subject is unable to provide his consent.
Security and Breach of Security
Data controllers must have in place appropriate administrative, technical, and physical safeguards in order to ensure that personal data are protected from loss, damage, alteration, destruction, and unauthorized access or use. The safeguards must be at least as secure as those that the data controller uses to manage its own data. Further, data controllers must keep data in a manner that allows the prompt exercise of the data subjects’ rights.
In the case of a breach of security, the Data Protection Law requires that the data subjects be notified of the breach if the breach significantly affects the concerned data subjects’ economic or moral rights. The Law does not require that other entities or government agencies be notified as well.
Obligation to Inform the Data Subjects
Data controllers are required to give data subjects a privacy notice that identifies among other things, the entity that collects the data, what personal data are collected from them, the purposes of the collection and processing of their personal data and the proposed transfers of personal data. In addition, the notice must indicate the options and means that data subjects may use in order to control the use and disclosure of their personal data and the means by which they can exercise their rights of access, rectification, cancellation, or opposition.
The notice must be provided to the data subject when the data are collected, unless the data were not collected directly from the data subject. The notice can be in printed form, electronic form, or other format. Special provisions apply when personal data are collected through mobile phones or text messages.
Accountability
In keeping with the APEC Privacy Framework, the Mexican Data Protection Law stresses accountability. Data controllers are held accountable for the personal that data they hold, even if a third party processes the data. They must ensure that the third party complies with all data protection provisions stated in the Law.
Data controllers, subcontractors, and any other parties that have access to personal data must ensure the protection of the confidentiality and security of the personal data, even after their relationship with the data subject is terminated, or in the case of subcontractors and third parties, after the relationship with the data controller is terminated.
Crossborder Transfer of Personal Data
On the issue of crossborder transfers of personal data, the Mexican Law significantly diverges from the principles set forth in the 1995 EU Data Protection Directive. Instead of requiring data controllers to ensure that, when data are transferred to a third country, the receiving country provide an adequate level of protection, the Mexican Law makes the data exporter responsible for ensuring the protection of the data.
Specifically, the transfer of personal data to a third country requires several components:
- The data controller must inform the data subjects of the proposed transfer, and the data subject must consent to the transfer;
- A data controller that intends to transfer personal data to a third country, other than to a subcontractor, must identify the purposes for which the data are transferred to the third party, and must inform the third party of the restrictions that are set forth in the data controller’s privacy notice; and
- The third party that receives the data must assume the same obligations as those that apply to the data controller.
There are several exceptions were consent is not required. These exceptions include where the transfer is made to a subsidiary or affiliate, or to a parent company or an associated company that operates under the same processes and internal policies; and where the transfer is in the interest of the data subject in connection with a contract that has been, or is to be concluded between the data controller and a third party. Another exception allows for the crossborder transfer of personal data when necessary for the maintenance or fulfillment of a legal relationship between the data subject and data controller.
Rights of the Data Subjects
Data subjects have the right to consent to the processing of their personal data (unless an exception applies), and to be informed of how and by whom their personal data will be processed.
In addition, data subjects have the rights of “access, rectification, cancellation, and opposition” or ARCO rights. The right of access and rectification grants them the ability to access their personal data in the hands of data controllers, and have inaccurate or incomplete data pertaining to them rectified.
The right of cancellation allows individuals to require that their data be blocked in the database, which has the same effect as if the data were erased from the data controller’s database. If the data have been transmitted to a third party, the data controller must bring the correction or cancellation request to the third party’s attention.
The right of opposition entitles individuals to object to the processing of their personal data, with a valid reason.
Data Protection Official Required
The Law requires data controllers to designate a data protection official within their organization. The data protection official will be responsible for processing data subject requests for access, and for promoting the personal data protection within the organization.
Self-Regulation Schemes
Organizations are allowed to use binding self-regulation schemes or codes of conduct. These schemes need to measure the effectiveness of the protection that the organization provides to personal data and address the consequences and remedies for violations of the rules. The self-regulation schemes should also contain rules and standards that harmonize the data processing performed by the parties and facilitate the exercise of data subjects’ rights.
Penalties
If a data controller does not solve a matter after receiving a complaint from an individual, the individual can submit his complaint to the IFAI for the dispute to be resolved. If the IFAI identifies a violation of the Data Protection Law, it will notify the data controller of its findings. The data controller has 15 days to respond and provide evidence proving that it has not breached the Law. The IFAI will make a decision within 50 days after the date on which the process began.
The Law provides for significant fines (up to $1.2 million) for violations such as collecting or transferring personal data without the consent of the data subject where such consent is required, or collecting data in a misleading or fraudulent manner. If sensitive data are involved, the penalties will be doubled. In the case of continued violations, an additional fine will be imposed.
In addition, the Law provides for imprisonment from three months to three years for data controllers who, for profit, cause a security breach of the database in their custody. The processing of personal data by deception or by taking advantage of a data subject’s mistake or the mistake of an authorized person may be sanctioned by six months to five year prison terms if done for profit.
Violators may also be liable for the payment of damages to the affected individual to compensate for harms or damages to the individual’s property or rights that result from the lack of compliance with the obligations of the data controller or its subcontractors.
Action Items
The new Data Protection Law of Mexico finds its roots and inspiration in many of the seminal documents that are the foundation of the global privacy and data protection framework. Thus, companies that have global operations and a global privacy program in place should be able to find numerous common elements with their existing structures. However, idiosyncrasies in the Law will also need to be addressed.
While the Law will not be enforced until January 2012, it is time for companies doing business in Mexico or with Mexico-based entities to begin evaluating their new obligations and start planning accordingly. The first step should be to conduct a survey of the personal data that the company collects or processes in Mexico, and of the purposes for which these data are collected. In addition, companies should start evaluating whether the collection or processing of these data meet the adequacy and relevancy requirements of the new Law, so that unneeded data can be weeded out from existing database. Companies should also start planning how they will respond to their obligation to provide individuals with access to their personal data, and the ability to have their data corrected or blocked.
Further, caution will be needed when trying to make the Mexican Law requirements fit within a global privacy program where they have to coexist with other laws that might be more restrictive. This is in particular the case for cross-border data transfers, where the Mexican law does not clearly and fully meet the restrictions and requirement for “adequate protection” that are set forth in the national laws that follow the principles of the 1995 EU Data Protection Directive. Thus, the processing of personal data that originate from EU and other countries that follow the Directive will continue to meet the hurdles of establishing the existence of the adequate protection.