By Larissa Calva-Ruiz

Mexico’s Federal Law for the Protection of Personal data (la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the "Law") protects an individual’s personal data by restricting its use and prescribing the way in which both private and public entities must treat the collection, use, and disclosure of personal data relating to Mexican citizens. The owner of the information has the right to decide who can access his/her personal data and in which ways it might be disclosed to others. The owner has the right to correct such information, control the transfer of the information and block or cancel its use. Also, the owner of the information has the right to access his own information regardless of the holder.

Personal data is defined as data which affects the intimate sphere of its owner and whose inappropriate use may result in discrimination or may bring about a great risk to its owner. "Sensitive data" is information that may reveal aspects such as:

  • Racial or ethnic origin
  • Present or future health status
  • Genetic information
  • Religious belief
  • Philosophical and moral beliefs
  • Union affiliation
  • Political views
  • Sexual Preference

Any type of use of sensitive data must be expressly authorized by its owner through a privacy notice. Authorization to use other types of personal data may be express or implied. Any inappropriate use of sensitive or personal data is penalized with economic sanctions; for crimes related to the inappropriate use of personal or sensitive data, the sanctions can go up to 10 years of prison. The organization in charge of enforcing the Law is the Instituto Federal de Acceso a la Información, IFAI (Federal Institute for Access to Public Information).

As for cross border transfer of data, personal data may be transferred nationally or internationally without authorization of the owner: (i) when the transfer is made to parent companies, subsidiaries or affiliates under the control of the party responsible for the data or to a parent company or any other company within the same corporate group of the responsible party that uses the same procedures and internal policies; (ii) when the transfer is provided for in a treaty that Mexico is a part of; (iii) when the transfer is necessary to prevent disease or for medical diagnosis, medical care, or medical treatment; or (iv) when the transfer is necessary by virtue of an agreement executed or pending execution by the owner of the data, the party responsible for the use of the data and a third party, among other reasons provided for in the Law.

On April 27, 2010, the new law on data protection was passed by the Mexican Senate, clearing the way for the President to sign the landmark legislation, which provides for penalties up to an astounding $1.5 million for violations under the law. The Law’s purpose is to place Mexico in the same level of protection of personal data as the countries that are members of the OECD, APEC and the European Union and complies with the standards approved in the 31st International Conference of Data Protection and Privacy of 2009. As soon as the President signs it and the Law is published in the Federal Official Gazette, it will have full force and effect.

For further information, please contact Larissa Calva-Ruiz at (714) 424-2833.