Mexico’s New Federal Law on the Protection of Personal Data

Posted by fgilbert on August 17th, 2010


Mexico’s new Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on the Protection of Personal Data Possessed by Private Persons) became effective on July 6, 2010. The Law is “of public order,” which means that contract provisions that conflict with it are unenforceable.

The Federal Institute for Access to Information and Data Protection (IFAI) is charged with issuing regulations and enforcing the Law. The regulations are expected to be issued within one year, and the Law will not be enforced until January 2012.

While the Law incorporates many principles found in the major privacy drivers such as the OECD Privacy Guidelines and the 1995 EU Data Protection Directive, it clearly opts to follow the guidance in the APEC Privacy Framework. This choice is especially evident in the provisions that address “accountability,” and in the departure from the prohibition on data transfers to countries that do not offer an adequate level of privacy protection, which has been the hallmark of the 1995 EU Data Protection Directive. Instead, for crossborder data transfers, the Mexican Law requires notice and consent of the data subjects, and makes the data controller responsible for ensuring that the recipient of the data abides by the same principles as those that are set forth in the sender’s privacy policy.

Scope of the Data Protection Law

The entities that are subject to the Law are individuals or legal persons that process personal data, other than credit information companies. In addition, like most other countries’ data protection laws, Mexico’s Law excludes from its scope individuals who collect, store, and use personal data for personal purposes.

The Law regulates the processing of personal data. The definition of the term “processing” encompasses a broad range of activities that include collection, use, disclosure, storage, access, management, transfer and disposal of personal data.

Protected Information

The Law applies to personal data that are processed, transferred, or disposed of by private persons or entities. “Personal data” includes any information pertaining to an identified or identifiable natural person.

More stringent provisions apply to the handling of sensitive data, that is, those data that pertain to the race or ethnicity, health, genetic information, religion, philosophical and moral beliefs, union membership, political opinions and sexual preference of an individual. Further, even though financial and economic data are not included in the definition of “sensitive data,” their processing requires the express consent of the data subject.

Obligations of the Data Controller

The Law identifies restrictions on the collection and use of personal data. Most provisions apply to “data controllers,” the individuals or private corporations that determine how and by whom personal data are processed.

Data controllers must collect and process personal data in a lawful manner. The data must be relevant, necessary, accurate, and updated for the purposes for which they were collected.

Data controllers may process personal data only for the purposes stated in their privacy notice unless the data subject consents to a new use of the data for a purpose that is not compatible with or analogous to the purpose that is set out in the privacy notice. Data controllers may keep the data only as long as necessary in order to fulfill the purposes for which the data were collected, and must delete any data that are no longer necessary for these purposes.

Conditions to the Collection and Processing

The general rule is that data controllers must obtain the consent of the data subjects in order to process their personal data. The consent may be expressed or implied. In the case of sensitive data, or financial and economic data, the expressed and written consent of the data subject is required.

There are several cases where the data subject’s consent is not required for the processing of personal data to be lawful. For example, consent is not required when the collection and processing of the data is provided by law or is necessary to comply with obligations derived from a legal relationship between the data subject and the data controller. There are other exceptions for data that have been anonymized, are included in publicly available sources, or are needed for medical care, prevention, diagnosis, or medical treatment while the data subject is unable to provide his consent.

Security and Breach of Security

Data controllers must have in place appropriate administrative, technical, and physical safeguards in order to ensure that personal data are protected from loss, damage, alteration, destruction, and unauthorized access or use. The safeguards must be at least as secure as those that the data controller uses to manage its own data. Further, data controllers must keep data in a manner that allows the prompt exercise of the data subjects’ rights.

In the case of a breach of security, the Data Protection Law requires that the data subjects be notified of the breach if the breach significantly affects the concerned data subjects’ economic or moral rights. The Law does not require that other entities or government agencies be notified as well.

Obligation to Inform the Data Subjects

Data controllers are required to give data subjects a privacy notice that identifies, among other things, the entity that collects the data, what personal data are collected from them, the purposes of the collection and processing of their personal data, and the proposed transfers of personal data. In addition, the notice must indicate the options and means that data subjects may use in order to control the use and disclosure of their personal data and the means by which they can exercise their rights of access, rectification, cancellation, or opposition.

The notice must be provided to the data subject when the data are collected, unless the data were not collected directly from the data subject. The notice can be in printed form, electronic form, or other format. Special provisions apply when personal data are collected through mobile phones or text messages.


In keeping with the APEC Privacy Framework, the Mexican Data Protection Law stresses accountability. Data controllers are held accountable for the personal data that they hold, even if a third party processes the data. They must ensure that the third party complies with all data protection provisions stated in the Law.

Data controllers, subcontractors, and any other parties that have access to personal data must ensure the protection of the confidentiality and security of the personal data, even after their relationship with the data subject is terminated, or in the case of subcontractors and third parties, after the relationship with the data controller is terminated.

Crossborder Transfer of Personal Data

On the issue of crossborder transfers of personal data, the Mexican Law significantly diverges from the principles set forth in the 1995 EU Data Protection Directive. Instead of requiring data controllers to ensure that, when data are transferred to a third country, the receiving country provide an adequate level of protection, the Mexican Law makes the data exporter responsible for ensuring the protection of the data.

Specifically, the transfer of personal data to a third country requires several components:

  • The data controller must inform the data subjects of the proposed transfer, and the data subject must consent to the transfer;
  • A data controller that intends to transfer personal data to a third country, other than to a subcontractor, must identify the purposes for which the data are transferred to the third party, and must inform the third party of the restrictions that are set forth in the data controller’s privacy notice; and
  • The third party that receives the data must assume the same obligations as those that apply to the data controller.

There are several exceptions where consent is not required. These exceptions include where the transfer is made to a subsidiary or affiliate, or to a parent company or an associated company that operates under the same processes and internal policies; and where the transfer is in the interest of the data subject in connection with a contract that has been, or is to be, concluded between the data controller and a third party. Another exception allows for the crossborder transfer of personal data when necessary for the maintenance or fulfillment of a legal relationship between the data subject and data controller.

Rights of the Data Subjects

Data subjects have the right to consent to the processing of their personal data (unless an exception applies), and to be informed of how and by whom their personal data will be processed.

In addition, data subjects have the rights of “access, rectification, cancellation, and opposition” or ARCO rights. The right of access and rectification grants them the ability to access their personal data in the hands of data controllers, and have inaccurate or incomplete data pertaining to them rectified.

The right of cancellation allows individuals to require that their data be blocked in the database, which has the same effect as if the data were erased from the data controller’s database. If the data have been transmitted to a third party, the data controller must bring the correction or cancellation request to the third party’s attention.

The right of opposition entitles individuals to object to the processing of their personal data, with a valid reason.

Data Protection Official Required

The Law requires data controllers to designate a data protection official within their organization. The data protection official will be responsible for processing data subject requests for access, and for promoting the personal data protection within the organization.

Self-Regulation Schemes

Organizations are allowed to use binding self-regulation schemes or codes of conduct. These schemes need to measure the effectiveness of the protection that the organization provides to personal data and address the consequences and remedies for violations of the rules. The self-regulation schemes should also contain rules and standards that harmonize the data processing performed by the parties and facilitate the exercise of data subjects’ rights.


If a data controller does not solve a matter after receiving a complaint from an individual, the individual can submit his complaint to the IFAI for the dispute to be resolved. If the IFAI identifies a violation of the Data Protection Law, it will notify the data controller of its findings. The data controller has 15 days to respond and provide evidence proving that it has not breached the Law. The IFAI will make a decision within 50 days after the date on which the process began.

The Law provides for significant fines (up to $1.2 million) for violations such as collecting or transferring personal data without the consent of the data subject where such consent is required, or collecting data in a misleading or fraudulent manner. If sensitive data are involved, the penalties will be doubled. In the case of continued violations, an additional fine will be imposed.

In addition, the Law provides for imprisonment from three months to three years for data controllers who, for profit, cause a security breach of the database in their custody. The processing of personal data by deception or by taking advantage of a data subject’s mistake or the mistake of an authorized person may be sanctioned by six months to five year prison terms if done for profit.

Violators may also be liable for the payment of damages to the affected individual to compensate for harms or damages to the individual’s property or rights that result from the lack of compliance with the obligations of the data controller or its subcontractors.

Action Items

The new Data Protection Law of Mexico finds its roots and inspiration in many of the seminal documents that are the foundation of the global privacy and data protection framework. Thus, companies that have global operations and a global privacy program in place should be able to find numerous common elements with their existing structures. However, idiosyncrasies in the Law will also need to be addressed.

While the Law will not be enforced until January 2012, it is time for companies doing business in Mexico or with Mexico-based entities to begin evaluating their new obligations and start planning accordingly. The first step should be to conduct a survey of the personal data that the company collects or processes in Mexico, and of the purposes for which these data are collected. In addition, companies should start evaluating whether the collection or processing of these data meets the adequacy and relevancy requirements of the new Law, so that unneeded data can be weeded out from existing databases. Companies should also start planning how they will respond to their obligation to provide individuals with access to their personal data, and the ability to have their data corrected or blocked.

Further, caution will be needed when trying to make the Mexican Law requirements fit within a global privacy program where they have to coexist with other laws that might be more restrictive. This is in particular the case for cross-border data transfers, where the Mexican law does not clearly and fully meet the restrictions and requirements for “adequate protection” that are set forth in the national laws that follow the principles of the 1995 EU Data Protection Directive. Thus, the processing of personal data that originate from the EU and other countries that follow the Directive will continue to meet the hurdles of establishing the existence of the adequate protection.

Remaining in Safe Waters

Posted by fgilbert on June 7th, 2010

How to Ensure Continued Compliance with The Safe Harbor Requirements

The Safe Harbor created by the US Department of Commerce and the European Commission provides a convenient way for US companies with limited global transactions to address the “adequacy” requirement under the national laws of the European Union Member States. Being self-certified under the US Department of Commerce Safe Harbor allows them to reduce the amount of red tape that usually accompanies the transfer of personal data to the United States from a European Union Member State, an EEA Member State, or Switzerland.

However, the initial self-certification filing is only one of many obligations. In order for the self-certification to remain valid, the company must re-certify its compliance with the Safe Harbor Principles each year and pay the related fee to the Department of Commerce. When a company wishes to renew its self-certification, it must go through the same due diligence as for the initial filing, and… much more.

Initial Self-Certification

Self-certification of a company’s compliance with the Safe Harbor Principles is a multiple-step process. In order to prepare for the filing of the required documents with the US Department of Commerce, the company must go through a comprehensive analysis and evaluation that is necessary and appropriate to self-certify that its privacy policies and procedures comply with the Safe Harbor Principles.

In its self-certification papers, the company represents that it does have the policies and procedures described in these documents. An “omission” or a misrepresentation exposes the entity to severe penalties for breach of Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

Re-certification Process

Many companies are unaware of the extensive requirements and commitments that attach to the filing of the re-certification documents. These documents must be signed and approved by a corporate officer of the company (typically the CEO or the General Counsel), and must attest and verify that the company is complying with specific requirements. Thus, it is very important to pay attention to the many legal requirements that are associated with the recertification process.

As with the initial filing, an error in the re-certification documents exposes the entity to enforcement action and severe penalties. The “error” could be found to be a “misrepresentation” and the company might be sued under Section 5 of the FTC Act for unfair or deceptive practices.

Annual Verification

The documents that are to be filed with the US Department of Commerce as part of the renewal of the certification must verify the following:

  • The published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented, and accessible;
  • The privacy policy conforms to the Safe Harbor Principles;
  • Individuals are informed of how complaints are handled, and the independent mechanisms through which they may pursue complaints;
  • The organization has in place procedures for training employees in its implementation, and disciplining them for failure to follow it;
  • The organization has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Audit or Assessment

In order to be comfortable signing this statement, it is prudent that an “audit” or “privacy assessment” or “compliance review” be conducted. This audit should make it possible to verify and be satisfied that the statements and commitments made in the privacy policy are accurate, that appropriate training is conducted, and that a dispute resolution procedure is in place.

Companies may elect to conduct this audit internally. Law firms and consulting firms that focus on information privacy and security matters also conduct these audits.

Companies should not wait until the last minute to conduct or have conducted this audit. They must plan sufficient time to address any of the deficiencies that the audit might have identified. Otherwise, the representations made in their self-certification renewal papers would be inaccurate, misleading, or fraudulent.

Record Keeping

In addition to the representations listed above, the Department of Commerce requires companies to retain appropriate records on the implementation of their safe harbor privacy practices. In other words, not only must a company represent that it has in place the required processes, procedures and policy, but it must also have a written record that documents the investigation conducted, the deficiencies identified, and the actions taken.

These records are to be made available upon request in case of an investigation or a complaint about non-compliance, or investigation about unfair and deceptive practices by a law enforcement agency – most likely the Federal Trade Commission.

FTC Enforcement – Twenty-Year Injunction

The FTC has already conducted enforcement actions and has prosecuted businesses for their misrepresentations in connection with Safe Harbor self-certification. These companies were charged for falsely claiming that they held current certification under the Safe Harbor program. See, for example, this consent agreement (pdf):

The consent decrees with each of these businesses include reporting requirements, whereby marketing and advertising documents claiming compliance with the Safe Harbor principles must be filed with the Commission. In addition, each company is enjoined for 20 years from misrepresenting in any manner that it complies with or adheres to any privacy, security, or other compliance program sponsored by the US government or any other entity.

For more information

For additional information on the Safe Harbor, see Chapter 9 of Francoise Gilbert’s two-volume treatise Global Privacy and Security Law.

Coming Soon to the European Union: Security Breach Disclosure Requirements

Posted by fgilbert on May 30th, 2010
Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.
While this new security breach disclosure regime affects only providers of publicly available electronic communication services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other personal data holders.
For example, when amending their national laws, some of the EU Member States may opt to apply this security breach disclosure regime to the entire spectrum of data controllers and data processors, rather than limiting it to the smaller subset of electronic communication service providers that are subject to the ePrivacy Directive. Further, when the 1995 EU Data Protection Directive is revised, it should be expected, as well, that the security breach provisions of the ePrivacy Directive (as amended), at a minimum, will serve as a starting point.
The amendments must be implemented in each of the national laws of the Member States of the European Union and the European Economic Area by June 2011.

1. 2009/136/EC Directive

Directive 2009/136/EC entered into force on December 19, 2009. This directive amends and supplements the ePrivacy Directive, i.e., Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.

The ePrivacy Directive provides a framework for responding to unsolicited commercial messages, the use of fax and similar technologies for telemarketing purposes, and defines the rules for the use of cookies, traffic data, location data, and public directories. With the 2009 Directive, existing provisions are amended to provide more protection for personal data. In addition, a new framework for the disclosure of a breach of security of data held by electronic communications networks and services is defined. While these provisions resemble those of the state security breach disclosure laws that have been adopted in the United States since 2003, there are significant nuances and discrepancies with the American model.

2. Security Measures

a.  2002 Draft

The 2002 version of the ePrivacy Directive requires covered entities to ensure adequate security. These provisions have been enhanced by the 2009 Amendment.
Under Article 4(1) of the e-Privacy Directive, Member States’ national laws must require publicly available electronic communications service providers to take appropriate technical and organizational measures to safeguard the security of their services. If necessary, these security measures must be taken in conjunction with the providers of the public communications network with respect to network security.
These security measures must take into account the developments in technologies, the new risks created by new types of attacks, and the cost of implementing the measures in relation to the risks. Security is appraised in light of Article 17 of the 1995 Data Protection Directive.
Article 17 of the 1995 Data Protection Directive requires the implementation of “appropriate technical and organizational measures” to protect personal data against accidental or unlawful destruction, accidental loss, alteration, or unauthorized disclosure of, or access to personal data. In addition, when the processing is carried out by a subcontractor, the data controller must:
  • Conduct due diligence before entering into a contract with this third party;
  • Require in a written agreement that the third party act only on instructions from the data controller and use security measures to protect personal data; and
  • Verify compliance with adequate and relevant security measures for so long as the data processor holds personal data on behalf of the data controller.

b. 2009 Additional Requirement

The 2009 Directive supplements Article 4(1) of the ePrivacy Directive with specific and precise instructions. The new Article 4(1a) directs that the security measures must:
  • Ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;
  • Protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure; and
  • Ensure the implementation of a security policy with respect to the processing of personal data.
In addition, the 2009 Amendment grants the relevant national authorities the ability to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security that these measures should achieve.

3. Notice of Risk of Breach of Security

The concept of disclosure of a breach of security already existed in the 2002 version of the e-Privacy Directive. Covered entities, however, only had to notify their customers of a “risk of breach of security.” This requirement was usually fulfilled by adding a provision in the entities’ terms of service, which stated that wire or electronic communications are not secure or confidential and instructed the customers to use other communications means when transferring sensitive or valuable data. The 2009 Amendment preserves the original version of Article 4(2) of the ePrivacy Directive, but it supplements it with a more specific requirement for the disclosure of the breach of security.
Under Article 4(2) of the ePrivacy Directive, Member States’ national laws must require providers of publicly available electronic communications services to inform subscribers of any special risks of a breach of the security of the network. Such risks may especially occur for electronic communications services over an open network such as the Internet or analog mobile telephony. If the risk lies outside the scope of the measures to be taken by the service provider, the provider must also inform subscribers of any possible remedies, and of the likely costs involved.
The preamble of the 2002 version of the e-Privacy Directive notes that providers of publicly available electronic communications services over the Internet should inform users and subscribers of the measures that they can take to protect the security of their communications, such as by using specific types of software or encryption technologies. This requirement to inform the subscriber, however, does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service.

4. Breach of Security

The 2009 Amendment goes beyond the mere notion of warning of a “risk of breach of security.” It defines the framework for a breach disclosure requirement that is similar to – but different from – the provisions that are in effect in the United States.

a. Personal Data Breach

The 2009 Amendment introduces the notion of “personal data breach.” The term is defined in the new Article 2(h) of the amended ePrivacy Directive as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available communications service.”

b. Notice Requirements

Article 4(3), which is introduced by the 2009 Amendment, requires providers of publicly available electronic communications services to give “without undue delay” a notice of the breach to the competent national authority. In addition, if the breach is “likely to adversely affect” the personal data or the privacy of a subscriber or individual, the service provider must also notify the subscriber or individual of the breach of security “without undue delay.”
Thus, in most instances, two categories of notices must be given:
  • One to the competent national authority, and
  • The other to the subscriber or individual whose personal data or privacy is likely to be adversely affected.
It is not clear whether the subscriber, once informed, has to provide notice to all individuals affected, and who would bear the cost of making this notification.
There must be a “likely adverse effect.” According to the preamble, a breach should be considered as adversely affecting the data or privacy of a subscriber or an individual if it could result, for example, in identity theft or fraud, physical harm, significant humiliation or damage to reputation.
Thus, service providers would have to conduct a risk assessment, and presumably, would have to keep track of the assessment made and the grounds for their determination that a notice to subscribers or individuals was not warranted.
This assessment must be conducted in an expedited manner. The Preamble of the 2009 Directive stresses that the provider should notify the breach to the competent national authority as soon as it becomes aware that the breach has occurred.
The competent national authority is given an important role. It may force a disclosure. If the service provider has not already notified the subscriber or individual of the breach, the competent national authority may require the service provider to do so, after the competent national authority has evaluated the likely adverse effects of the breach.

c. Exemption

There is an exemption to the obligation to notify subscribers or individuals of a breach. This happens if the provider of publicly available electronic communications services has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that these measures were applied to the data concerned by the security breach.
However, the service provider nevertheless would have to notify the competent national authority. An important aspect of this safe harbor is that the exemption applies only if the service provider has demonstrated to the competent authority that there was no adverse effect.
It should be noted, in addition, that the 2009 Directive grants the national authority the ability to require the service provider to make the notification, even if the service provider determined that it was not necessary, if the national authority has determined that the incident is likely to have an adverse effect.
In order to be able to take advantage of the exemption, the technological protection measures must be such that they render the data unintelligible to any person who is not authorized to access these data. There is no suggestion for the measures to be taken, and no specific requirement for the use of encryption. It is sufficient if the data are “unintelligible.” It is likely that the national laws implementing the Directive will interpret this term differently, which in turn might cause significant discrepancies between the applicable regimes in the Member States.

d. Content of the Notice

The Directive specifies the content of the two notices that must be given, i.e., the notice that is to be provided to the competent national authority and the notice that is to be sent to the affected subscribers or individuals. Both notices must include the following information:
  • A description of the nature of the breach;
  • The contact points where information about the breach can be obtained; and
  • Recommended measures to mitigate the possible adverse effects of the breach.
In addition, the notice to the competent national authority must describe:
  • The consequences of the breach, and
  • The measures proposed or already taken by the provider to address the breach.

e. Inventory

Under new Article 4(4), the national laws implementing the amendment must require service providers to maintain an inventory of breaches that comprises the facts surrounding the breach, the effects of the breach, and the remedial action taken. The information must be sufficient to enable the competent national authorities to verify compliance with the notice requirements.

f. Guidelines and Implementing Measures

Given the novelty of the requirement for most European Union Member States, the 2009 amendment provides several means to facilitate the implementation of these provisions. These include the use of guidelines and instructions concerning the circumstances in which providers are required to make the notification, the format of such notification and the manner in which the notification is to be made. The 2009 Directive also suggests that implementing measures may be drafted in the future in order to specify the circumstances, format, and procedures applicable to the information and notification requirements.

The comments in the Preamble recommend that the rules concerning the format and procedures applicable to the notification of security breaches should take into account the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.
While the Directive itself does not provide for sanctions, it suggests that national laws may include appropriate sanctions for those who fail to make the required notification.

5. For More Information

For more information on the ePrivacy Directive and the 2009 Amendments, see Chapter 8 of Francoise Gilbert’s two-volume treatise Global Privacy & Security Law available through