Mexico's New Data Protection Law
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the “Law”) was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
Like the EU Data Protection Directive and the Canadian federal PIPEDA legislation, Mexico’s data protection statute requires a lawful basis, such as consent or legal obligation, for collecting, processing, using, and disclosing personally identifiable information. There is no requirement to notify processing activities to a government body, as in many European countries, but companies handling personal data must furnish notice to the affected persons. Individuals have rights of access, correction, and objection (on “legitimate grounds”) to processing or disclosure. In the event of a security breach that would significantly affect individuals, those persons must be promptly notified. The Law also addresses data transfers, both within and outside Mexico.
A federal agency, the Institute for Access to Information and Data Protection (IFAI), will provide interpretive guidance and supervise compliance with the new law. IFAI will investigate complaints and inquiries and may launch investigations on its own initiative. In addition to administrative sanctions including warnings and fines, the law contemplates criminal prosecution of violators, with more substantial fines and the possibility of imprisonment for those responsible for a security breach or for fraudulent or deceptive collection and use of personal data.
The Law regulates private parties that “process” personally identified or identifiable data, with exceptions for credit reporting agencies (which are already covered by separate legislation) and individuals recording data exclusively for personal use. Definitions largely track those of the EU Data Protection Directive, including a very broad definition of “processing” that includes any collection, use, storage, or disclosure of data. The Law also uses the concepts of “data controller” and “data processor” as found in the EU Directive, respectively signifying entities that decide to process personal data and entities that carry out processing on their behalf.
The Law departs from the EU Directive, however, in reflecting the habeas data concept found in several Latin American constitutions and statutes: the individual to whom personal data relates is treated as the “data owner.” The individual’s legal rights derive largely from this concept of ownership and the associated right to control whether and how personal data is used.
“Sensitive data” gets some additional protections under the Law, as it does in Europe. As defined in the Law, sensitive data denotes information that touches on the most intimate aspects of a person’s life or involves a serious risk of discrimination. This includes but is not limited to “special categories” of data listed in the EU Directive: race or ethnicity, health, sexual preference, religious or philosophical beliefs, political views, and trade union membership. The Mexican law expressly adds genetic data to this list but does not include special treatment for criminal records as the EU Directive does.
The Law incorporates eight general principles that data controllers must follow in handling personal data: legality, consent, notice, quality, purpose limitation, fidelity, proportionality, and accountability. The Law also addresses data retention: personal data must be deleted when no longer necessary for the purposes set out in the privacy notice and applicable law.
Notice and Consent
Data controllers must furnish a privacy notice indicating what data is collected and for what purposes. If the data is collected directly from the individual, the privacy notice must be delivered at the same time (if not earlier) and in the same format. If the data is collected electronically, however, the data controller can choose to give only the identity and purposes of collection and a mechanism for obtaining the full privacy notice. Where the data has not been collected directly from the individual, the data controller must still provide a privacy notice and notification of changes in the privacy notice.
Data controllers can request authorization from IFAI to forgo some or all of the notice requirements where, for example, the data collection is old or the cost of providing notice would be disproportionate.
The privacy notice must include the identity of the data controller, the purposes of processing, the individual’s options for limiting use or disclosure of the data, the procedures for access and correction by the individual, any contemplated transfers of the data, and procedures for notifying individuals about any subsequent changes in the privacy notice. The notice must expressly state if it concerns any sensitive data.
Consent usually can be tacit (opt-out) so long as there is sufficient notice. However, processing sensitive data or information about personal finances and assets requires express consent (opt-in); this must be recorded in writing (or electronically with authentication) in the case of sensitive data.
Consent is not required if
• the data controller is legally obliged to process the information
• the data is publicly available
• the data has been anonymized
• the data is necessary to fulfill obligations under a legal relationship between the data controller and the individual (such as employment or payment processing)
• there is an emergency that could harm the individual
• a health care professional needs the data to provide medical attention and the individual cannot give consent
• a competent government body issues a resolution waiving the consent requirement.
Security and Breach Notice
Data controllers are responsible for maintaining physical, technical, and administrative security measures to protect personal data from loss, alteration, and unauthorized disclosure or use. The measures must at least equal those taken to protect the data controller’s own information. Potential harm, the likelihood of security breaches, the sensitivity of the data, and technological developments are all to be taken into account in crafting appropriate security measures.
Security breaches that “materially” affect property or personal rights must be reported immediately to the affected individuals.
Transferring personal data to a third party (other than for processing on behalf of the data controller) will typically require an agreement that the transferee will assume the same obligations as found in the privacy notice provided by the transferor. A data transfer requires the consent of the individual except where the transfer
• is pursuant to a law or treaty
• is necessary for medical purposes
• is made to a parent company or affiliate “operating under the same internal processes and policies” (Art. 37 (III))
• is necessary to fulfill a contract in the interest of the individual
• is necessary or legally required to protect a public interest or in the administration of justice
• is necessary to exercise a judicial claim or defense
• is necessary to maintain a legal relationship between the data controller and the individual.
The Law does not establish a formal procedure for approval of foreign data transfers. It appears that data controllers should be able to move data within a corporate group without individual consent, inside and outside Mexico, so long as the parent or affiliate does not handle the data in a manner contrary to the privacy notice furnished by the affiliate in Mexico.
Impact on US Companies
Many US companies have subsidiaries or distributors in Mexico, and data concerning Mexican employees, customers, and business contacts is often transferred to the US company for recordkeeping, contract fulfillment, business planning, market analysis, and other management purposes. Privacy notices in Mexico should mention these purposes and transfers, and the Mexican company may need to obtain opt-in consent in the case of sensitive and financial information. The US company must then handle data consistently with the privacy notice delivered by the Mexican affiliate or distributor, to avoid creating problems for the Mexican firm. For unrelated companies, data transfers should be covered by contractual terms that specify the relevant restrictions and provide for notice to the individuals unless an exception applies.
US companies also often contract with Mexican firms for Spanish-language call centers, customer support services, or outsourced data processing. Once customer data is processed by the Mexican company, it is subject to the Law, regardless of the location of the customers. US companies using such services in Mexico may expect that their vendors will increasingly refer in contracts to their own obligations under the Law and may require cooperation from the US companies in responding to privacy-related complaints and security breaches in Mexico.
Corporate groups operating in Mexico or using data-centric services in Mexico will need to stay abreast of IFAI decisions and changing business practices resulting from the new Law.