
Comprehensive Guide to Data Protection in Mexico

Date: December 2014

In 1994, the North American Free Trade Agreement came into force. Today, the United States trades more in goods and services with Mexico and Canada than it does with Japan, South Korea, and all the BRICs combined. According to the Office of the US Trade Representative, US goods and private services trade with Mexico totaled an estimated $536 billion in 2012 (latest data available). Last year, Mexico was the second largest export market for US goods, with US exports to Mexico totaling $243 billion.

In short, Mexico is one of the United States’ largest markets and trading partners and should be an attractive market for American businesses. With a population of over 120 million people, 78 percent of whom live in urban areas, the market is easily reached.

Ten percent of the population is considered wealthy and about 45 percent of the population is considered middle class, resulting in a “marketable” population of a bit over 60 million. It’s a “young country” with a median age of 27; it’s pretty “middle” class with a per capita income of $15,600. 

According to the Mexican Confederation of the Industry for Marketing Communication (CICOM), in 2012 19% of the marketing spend was on direct, and of that total 59% was telemarketing and 19% was direct mail. Internet was just beginning to “sprout” at 16%. It is not clear if telemarketing includes mobile 

All of which is by way of introducing the data protection regime that is now in force because the core of direct marketing is and always will be information about people, which is what data protection is about.

Departure from the European Model

We can begin with two major conclusions by way of contrasting Mexico with Europe. First, there is little here to surprise anyone who has been doing business in Europe. Much of the structure of the law, and the duties and rights of the data controller and the individual, are very similar to Europe. Second, there is some common sense adaptation of a new standard for the transfer of personal data from Mexico to other countries, which arises from extended discussions in the Pacific region.

No Registration Required

To begin, there is a Data Protection Authority in Mexico, as in Europe. The Federal Institute for Access to Information and Data Protection (IFAI) has been organized to issue regulations and enforce the law, which came into force in January 2012. However, unlike the European system, there is no obligation on a data controller to register with the authority. Registration is a massive inconvenience for companies in Europe, although it is a funding source for the authorities there.

What Action Makes a Company Subject to the Law?

The law applies to all processing of personal data when:

i. It is carried out in an establishment located in Mexico

ii. It is carried out by a data processor, regardless of location, on behalf of a data controller established in Mexico

iii. The data controller is not established in Mexico but is subject to Mexican law pursuant to international law or as a consequence of entering into a contract

iv. The data controller is not established in Mexico but uses media located in Mexico, unless such media are used only for transit purposes that do not involve processing.

A US company that mails into Mexico would appear to be made subject to the law by item iv. A US company using a call center in Mexico to make sales calls would be made subject by item i. And if you use a call center in Mexico not for outbound calls but for order intake or customer service, application would seem logical under item i and possibly item iv. But you’ll want to discuss that with qualified counsel.

Notice & Consent

The data controller, which is to say the company acquiring data from individuals, must still provide notice of its intended use of the information and advise data subjects where they can see what information is maintained and check its accuracy. As is usual, consent of the individual to data processing is required, and in most cases this consent will be implied by the giving of a notice of the purposes and uses of the information at the beginning of a transaction. 

As in Europe, the notice must set out the individual’s right of access, rectification, cancellation, or opposition to processing. (These are colloquially known in Mexico as “ARCO” rights, from the first letters of the four terms.) The consent is implied by the individual proceeding to provide the personal data. All as it is in Europe. However, unlike the European law’s reference to “deletion” of data, the Mexican law refers to “blocking” its use. This is a worthwhile difference, as this enables the controller to assure that an individual’s data does not “creep back” into the database. The “prospects we can’t use” can remain in your file for suppression purposes.  

Also similar to Europe, express consent is needed to collect and maintain “sensitive personal data” which includes ethnicity, health, genetic information, religion, philosophical and moral beliefs, union membership, political opinions and sexual preference. In addition, although personal financial and economic data are not specifically included in the definition of “sensitive data” in Europe, a fact which has now puzzled two generations of American lawyers and business people, under the Mexican law the processing of this information also requires the express consent of the individual.

Preservation & Safeguards

The data controller must protect the information with systems and procedures at least as stringent as those it employs to protect its own information. It must notify individuals if there is a breach of security that may impact the individual’s economic or moral rights. However, the data controller is not required to inform any other government authority, including IFAI. Having to notify authorities is a significant and potentially costly burden for companies, given that authorities are inclined to treat such notifications as opportunities to extend their jurisdiction and to demonstrate to the public their resolve to control, and punish if necessary, companies that deal with personal data.

Accountability & International Data Transfers

This law incorporates much of the guidance of the APEC (Asia Pacific Economic Co-operation) Privacy Framework which emerged in 2005 from a lengthy multi-national consultation. This is evidenced by the inclusion in the Mexican law of provisions that address “accountability,” and the acknowledgement that it was quite likely that personal data would travel internationally. Under the European law, there was puzzlement as to what obligations and rights existed as personal data moved among data “controllers” and “data processors”, and what documentation was needed to assure fulfillment of legal responsibilities.  The APEC solution was to make the original data collector legally “responsible” for the data no matter where it went, as well as transferees in proportion to the use to which they put the data.  

This is a dramatic departure from the European prohibition of data transfers to countries that do not offer an “adequate” level of privacy protection, unless this protection can be provided in some other way.  In the case of the US this involved the creation of the Safe Harbor system.  In this system US companies register and confirm that they have a compliance system and will submit to dispute resolution procedures managed by acknowledged experts in the event of a complaint.

Instead, for cross border data transfers, the Mexican law requires notice to and consent of the data subjects, which may be obtained in the case of non-sensitive data by merely providing notice of the likelihood of transfer. In addition, the law makes the data controller responsible for ensuring that the data receivers, those to whom it transfers the data abroad, observe the same principles as those set forth in the sender’s privacy policy. In essence, the law makes the first data controller accountable for the data wherever it goes and whatever happens to it. That controller remains accountable, together with anyone it transfers the data to. This was not the case in Europe.

Self-Regulation & Compliance

The law provides that companies may work together to develop self-regulatory codes of conduct regarding the obligations of the law. These codes would set standards for protection schemes, rules for processing, and the penalties and remedies for rule violations. They should also provide for the exercise of individuals’ rights under the law.

This is a worthwhile recognition of the valuable role which self-regulation within different industries can play in assuring effective data protection implementation and meaningful and speedy recourse for injured data subjects. 

When All Goes Wrong

Penalties for violations are not insubstantial. An individual who complains to a company and is not satisfied with the reply may lodge a complaint with the IFAI, which will inform the company and request comment. It lies with the company to prove it has not violated the law.

Fines may be assessed up to the amount of $1.2 million. The major fines are for violations such as collecting or transferring personal data without consent of the data subject where such consent is required, or collecting data in a misleading or fraudulent manner. If “sensitive” data are involved, the penalties will be doubled. Since in most cases “consent” is obtained by providing proper notice of one’s collection and use of data and no action of the individual is required, it is thus incumbent on all companies to have clear and concise notices at their point of data capture.

Finally, there are also potential penalties of imprisonment for data controllers who permit breaches of their security and unauthorized access to data, tricking a data subject or other person responsible for data into disclosure, causing a security breach resulting in unauthorized access to data, and similar intentional criminal acts.

For serious companies with substantial consumer databases, whatever their industry, compliance with data protection and data security rules has always been top-of-mind. After all, the company’s reputation and its database are among the most valuable of the company’s assets. Fortunately, our neighbor Mexico has adopted a law which has minimal impact on most American companies’ marketing practices, unlike, for example, our northern neighbor’s law on email.

To stay abreast of changes that may impact your company, continue to monitor Fresh Data, and look to Data Services, Inc. to provide you the data management services you need to legally reach as many as possible of those global prospects and customers you depend on.