The Mexican Congress has approved the New Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter, the “Law”), which establishes an updated regulatory framework for data processing in the private sector. This reform brings significant changes for businesses, introducing new obligations and stricter penalties for non-compliance. Below are the key aspects of the Law:
- Purposes and principles of the Law: The main purpose of the Law is the protection of personal data in the possession of private parties, aiming to ensure that its processing is legitimate, controlled, and informed, and that privacy and the right to informational self-determination of individuals are guaranteed. It establishes fundamental principles such as lawfulness, purpose limitation, fairness, consent, quality, proportionality, information, and accountability in the processing of personal data.
- Obligations of Data Controllers: Individuals or legal entities in the private sector that process personal data are responsible for complying with the Law. They must ensure transparency in the processing of these data and implement security measures to protect them from potential risks, such as unauthorized access or misuse.
- Data subjects’ rights: The Law ensures that data subjects can exercise their ARCO rights (Access, Rectification, Cancellation, and Opposition) over their personal data. Data controllers must provide simple and accessible mechanisms for data subjects to exercise these rights, ensuring that personal information is processed in compliance with regulations and safeguarding data subjects’ privacy rights.
- Modification in the definition of Personal Data: The new Law eliminates the explicit reference to the natural person in the definition of personal data. Thus, according to the new definition, personal data means any information concerning an identified or identifiable person. It also establishes that a person is identifiable when their identity can be determined, directly or indirectly, through any type of information.
- Modifications in Privacy Notices: The Law introduces important modifications to the requirements for Privacy Notices. Among the main changes, it establishes the obligation to indicate which personal data will be processed. In addition, a simplified privacy notice must be made available to data subjects when personal data is collected by any electronic, optical, sound, or visual means, or by any other technology used by the data controller or regulated parties.
- Modifications to consent: The Law reaffirms that the consent of data subjects must be free, specific and informed and indicates, as a general rule, that tacit consent will be valid. In addition, it modifies the exceptions for not requiring consent. Previously, consent could be waived if established by law. Under the new regulations, an exception to the consent requirement will be valid as long as it is set forth in any legally valid norm, such as a regulation, executive order, or other legislative or administrative provision.
- Revocation of the INAI and the new supervisory authority: One of the most significant changes is the termination of the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI, for its Spanish acronym). The responsibility for monitoring compliance and imposing sanctions will now fall under the Secretariat of Anti-Corruption and Good Governance, which will serve as the new authority for personal data protection in the private sector.