HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Update on Mexico’s New Privacy Law: No Immediate Enforcement, But Companies Expected to Appoint Privacy Officer and Have Written Policies


Hogan Lovells has organized two programs over the past year to discuss developments in "NAFTA privacy" (privacy laws in Canada, the US and Mexico).  The most recent program was a panel at the IAPP Global Privacy Summit moderated by Hogan Lovells Privacy and Information Management Practice Director Chris Wolf, along with the Chief Privacy Leader at General Electric Nuala O’Connor Kelly.  Participating were FTC Commissioner Julie Brill, Ontario Privacy Commissioner Ann Cavoukian and Deputy Commissioner Ken Anderson, and Mexico’s Privacy (IFAI) President Commissioner Jacqueline Peschard Mariscal. 

Courtesy of BNA, here is a report on the update provided by Mexico’s Privacy (IFAI) President Commissioner Peschard Mariscal:

Data Protection

Mexico Will Not Rush to Compliance Review, Enforcement of New Law, DPA Chief Assures

Mexico’s data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country’s new data protection law begin taking effect in July, the head of the DPA, the Instituto Federal de Acceso a la Información Pública (IFAI), said March 10 at a conference.

As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline Peschard Mariscal said.

But the government will not immediately begin verification activity, she said. Instead, the IFAI will focus on training and education of covered entities in the requirements of the rules, Mariscal said at a session of the International Association of Privacy Professionals Global Privacy Summit.

Mexico’s Federal Law Protecting Personal Data in Private Possession regulates for the first time on a federal level how businesses and individuals handle personal data. It technically took effect July 6, 2010 (9 PVLR 1016, 7/12/10), but the implementing rules are not expected before this July, according to the IFAI (10 PVLR 368, 3/7/11).

Enforcement of the new law is slated to begin in January 2012, Mariscal confirmed at the conference panel entitled "Privacy: What You Need to Consider When Doing Business in North America."

Sufficient DPA Funding for Enforcement?

The Public Information Institute of the Federal District (InfoDF), the Mexico City agency that handles transparency and data protection for the city, warned in July 2010 that the IFAI needed a larger budget for the new data protection law to function properly (9 PVLR 1016, 7/12/10).

Panel moderator Christopher Wolf, director of Hogan Lovells LLP’s privacy and information management practice in Washington, asked Mariscal if the IFAI has sufficient funding and enforcement staff to carry out its data protection duties.

"The office has received the necessary budget to carry out its mission," Mariscal responded.

Mexico has a federal system of government with both a national government and regional government in the 31 states and the federal district in Mexico City, she said. But unlike the Canadian model, in which the provinces may pass laws to supplant the federal Personal Information Protection and Electronic Documents Act (PIPEDA) for all or some categories of data (see related report in this issue), the Mexico federal law will remain the primary law in the country. In that scenario, funding the national IFAI is built into the law, she said.

Preventative Approach Is Goal

Nevertheless, "our aim is to have a preventative approach," in part to control costs, by using approaches such as privacy-by-design, rather than focus on adverse enforcement actions, Mariscal said.

Fellow panelists Ann Cavoukian and Ken Anderson, respectively the privacy commissioner and assistant privacy commissioner for the Canadian Province of Ontario, applauded Mexico’s focus on privacy-by-design, a method that works to protect privacy at the front end of the design and implementation process for new information systems and technology rather than through after-the-fact enforcement.

Cavoukian has been a leader in developing privacy-by-design and sees it as a tool that every data protection authority should employ (see related report in this issue).

Mariscal also noted that under the new law, there are opportunities for covered entities to work toward a resolution of privacy concerns raised by the IFAI before the filing of any formal enforcement action through an administrative appeal process.

The law authorizes fines of up to 16 million ($1.3 million) for companies misusing personal data, and provides for doubling the fines to about 32 million ($2.6 million) when the personal data is deemed sensitive.

But Mariscal reminded the audience that implementing privacy law in Mexico will require a "cultural shift for a people that are not used to protecting personal data." In that environment, taking a preventative, educational approach is necessary before taking the next steps to implement stricter, more specific sectoral protection rules, and take enforcement action, she said.

Commissioner Julie Brill of the U.S. Federal Trade Commission agreed that educating and working with businesses towards privacy solutions is normally preferable to simply setting rules and then engaging in strict enforcement.

By Donald G. Aplin


Full text (in Spanish) of Mexico’s Federal Law Protecting Personal Data in Private Possession  

Reproduced with permission from Privacy & Security Law Report, 10 PVLR 455 (Mar. 21, 2011).

Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033)