This year, the Federal Law on the Protection of Personal Data in Possession of Private Parties (the “Data Protection Law“) completed a decade of effectiveness in our country. The main objective of said Law is to protect the personal data3 of individuals (the “Data Subjects“) and to regulate the processing thereof, thereby guaranteeing the right to privacy and the right to informational self-determination of the Data Subjects —that is, the right to have control over and decide about their personal data—, as well as the rights to access, rectification, erasure and objection with respect to personal data (known in Mexico as “ARCO Rights“), recognized in Article 16 of the Political Constitution of the United States of Mexico.
As a result of the entering into force of the Data Protection Law, private companies that process personal data for commercial purposes have gradually become aware not only of the responsibilities and obligations with which they must comply under said Law and the relevant fines in the event of a breach (which could be material), but also of the relevance and positive impact that the observance of said Law may have on the reputation of the company, resulting in a competitive advantage by having the customers’ trust to possess and process his/her personal data.
It is worth mentioning that, although we are of the opinion that the Data Protection Law sets forth sufficient principles, rights and obligations for adequately regulating the processing and protection of personal data of Data Subjects, after ten years of the entry into force of said Law we deem necessary that it is updated and adapted to the new business models and new information technology tools, in order to regulate more precisely and to provide more legal certainty in connection with, for example, the processing of biometric data, automated processing of personal data through the use of artificial intelligence mechanisms and the algorithms thereof, processing of data using technologies such as blockchain (whether private or not), DAG (Directed Acyclic Graph) and similar technologies, recognition of the right to portability of personal data7, processing of children’s personal data (especially regarding processing of data for advertising and marketing purposes); as well as clarification of the territorial scope of the Law with respect to digital platforms operating in Mexico from abroad and processing personal data of Data Subjects located in Mexico8.
1 Datos personales significa cualquier información concerniente a una persona física identificada o identificable (Art. 3, fracción V, de la Ley de Datos personales).
2 Tratamiento significa la obtención, uso (que incluye cualquier acción de acceso, manejo, aprovechamiento, transferencia o disposición de datos personales), divulgación o almacenamiento de datos personales, por cualquier medio (Art. 3, fracción XVIII, de la Ley de Datos Personales).
3 Personal data means any information concerning an identified or identifiable individual (Art. 3, paragraph V, of the Data Protection Law).
4 Treatment means the collection, usage (including any action of accessing, handling, exploiting, transferring or disposing personal data), disclosure or storage of personal data, through any means (Art. 3, paragraph XVIII, of the Data Protection Law).
5 Actualmente el derecho a la portabilidad de datos personales únicamente está previsto en la Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados (entes públicos).
6 Aunque en el Reglamento de la Ley de Protección de Datos se regula ciertos aspectos relativos al ámbito de aplicación de territorial del mismo, somos de la opinión de que es necesario precisar en qué medida o no les será aplicable a este tipo de plataformas digitales, y es necesario que dicho ámbito se establezca a nivel legal y no reglamentario.
7 Currently the right to portability of personal data is only set forth in the General Law on the Protection of Personal Data in Possession of Governmental Entities (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados).
8 Although the Regulations of the Data Protection Law regulate certain aspects related to the territorial scope of application of the same, we are of the opinion that the extent to which it will be applicable to this type of digital platforms must be specified, and that said scope is set forth at a legal, not regulatory level.