Implementation of the Federal Law for the Protection of Personal Data in Possession of Private Entities

November 9, 2010

Please be informed that in 2008 Article 16 of the Mexican Constitution was amended in order to include data protection as a constitutional right, by recognizing that: “…Every person has the right to protect his or her personal data, and the right to have access to, rectify and cancel said personal data, when stored by a third party, as well as the right to oppose the handling of his or her personal data…”.

As a consequence of this amendment, the Federal Law for the Protection of Personal Data in Possession of Private Entities was published in the Federal Official Gazette on July 05, 2010.

This law was implemented on July 06, 2010, and its Regulations need to be enacted by Mexican Congress within a year of the publication date of the above-cited law.

The main objective of this Law is to recognize and protect in Mexico the rights to data protection internationally known as ARCO, which means Access, Rectification, Cancellation and Opposition, and it is aimed at regulating the collecting and handling of personal data, so that said activities are carried out in a lawful, controlled and informed manner, thus ensuring the privacy of Mexican citizens.

This Law defines personal data as “any information concerning an identified or identifiable person”. The Law also defines “sensitive personal data” as: “Personal information that concerns the most intimate details of the subject, of which undue use could result in discrimination or could create a serious risk for the subject. Specifically, sensitive data is deemed as being any data that may reveal aspects such as racial or ethnic origin, present or future health status; genetic information; religious, philosophical or moral beliefs; union affiliation; political opinions and sexual preference”.

This new law is not applicable to institutions that are part of the financial industry or to private bodies collecting and storing personal data exclusively for personal use.

The authority in charge of enforcing this Federal Law will be the Federal Institute for Access to Information and Data Protection. This Institute will report to the Ministry of Economy and will be responsible for, among other things, verifying that the private bodies collecting and handling personal information are complying with the law, as well as resolving any proceedings concerning data protection set out in the law.

This Law will have a direct impact on the operations of companies that work with or use personal databases; including the pharmaceutical, telecommunications, marketing and advertising industries, as well as internet service providers and online service providers. The Law imposes new obligations on private bodies handling personal information, such as having to show consumers a so-called PRIVACY WARNING (AVISO DE PRIVACIDAD), prior to collecting any consumer’s personal information, which will confirm that the consumer is consenting to the collecting and handling of his or her personal information.

This will allow private bodies to collect personal data from consumers, based on an opt-out scheme (except in the case of the collection and use of sensitive data, where an opt-in option will be required), but will oblige private entities to use the personal data collected only for the purposes for which the information was obtained, and will also force said private entities to adopt security measures avoid its theft, loss or unauthorized access.

Some of the activities deemed as infringements by the Law are:

I. Acting negligently or in bad faith when dealing with petitions to access, recify, cancel or oppose personal data;

II. Making a false declaration concerning the existence of personal data when there is indeed personal data in the databases of the private entity collecting and handling personal information;

III. Handling personal data in contravention to the law;

IV. Omitting any of the elements outlined in the law in the privacy warning;

V. Storing inaccurate personal data (due to an error of the private body collecting and handling personal information);

VI. Substantially altering the purpose for which the data was collected;

VII. Transferring personal data in situations not authorized by the law;

VIII. Collecting personal data without the consent of the subject;

IX. Handling personal data in a way that affects the enforcement of ARCO rights.

These infringements could be punished with:

A. – A warning from the Institute.

B. – Fines of up to 160,000 days minimum wage (approximately $670,000 USD).

C. – Fines of up to 320,000 days minimum wage (approximately $1,350,000 USD).

This law also classifies some activities as crimes that can be punished with imprisonment, as in the case of a person who is authorized to handle personal data and causes a breach of security measures with the intention of gaining a pecuniary benefit. This offence could lead to a sentence of between 3 months and 3 years in prison.

Likewise, a person who collects and handles personal data fraudulently with the aim of gaining a pecuniary benefit shall be punished by imprisonment from between 6 months to 5 years.