Subject: New Federal Law for the Protection of Personal Data in Possession of Private Parties.
I. Background
- The Federal Law for the Protection of Personal Data in Possession of Private Parties (the “Old Law”) was enacted in 2010 and had not been amended.
- On December 20, 2024, the decree ordering the extinction of the National Institute of Transparency, Access to Information and Protection of Personal Data (“INAI”) was published in the Official Gazette of the Federation, transferring its functions to the Federal Executive once the legislation to be adapted by the Congress of the Union within 90 calendar days following the publication of such decree enters into force.
INAI was an autonomous, specialized, independent, impartial and collegiate agency, with legal personality and its own assets, with full technical and managerial autonomy, with the capacity to decide on the exercise of its budget and to determine its internal organization.
- As part of this change, on February 20, 2025, the initiative of a new Federal Law for the Protection of Personal Data in Possession of Private Parties (the “New Law”) was submitted to the Senate.
- On March 20, 2025, the Decree issuing the General Law of Transparency and Access to Public Information; the General Law of Protection of Personal Data in Possession of Obligated Entities; the New Law; and amending Article 37, Section XV, of the Organic Law of the Federal Public Administration (the “Decree”) was published.
II. Main changes in the New Law
1. The normative base of principles and obligations is maintained, but with adjustments for inclusive language and harmonization of rules.
2. The Anticorruption and Good Governance Secretariat (the “Secretariat”) will be the new authority in charge of the protection of personal data in the private sector.
3. Several definitions are modified, with few substantive changes.
4. The cases in which the data controller will not be obliged to obtain the consent of the data subject are modified (with few substantive changes).
5. Clarifications are made regarding the cost of the medium containing the information provided as a result of the exercise of access, rectification, cancellation and opposition rights (“ARCO Rights”).
6. The figure of self-regulation is added and regulated: agreements on the matter, between individuals or legal entities or with civil or governmental, national or foreign organizations, that complement the provisions of the New Law. Such schemes must contain mechanisms to measure their effectiveness in data protection, as well as consequences and corrective measures in case of non-compliance, which must be notified to the Secretariat and the corresponding authorities. Codes of ethics and other types of support may also be included.
7. Additional powers are granted to the Secretariat so that, based on its resolutions, it may order the delivery of personal data.
8. It is added that, in the procedure for the protection of rights, the responsible party must cover the shipping costs.
9. It is established that, against the resolutions of the Secretariat, an amparo proceeding may be filed before specialized judges and courts.
10. Acting with negligence or fraud in the substantiation of requests for the exercise of the ARCO Rights is added as an infraction.
11. The transitory Articles establish a term of 90 calendar days from the day following the day after the publication of the Decree for the publication of the corresponding adjustments to the regulations and other applicable provisions of the New Law.
IV. Conclusion
The new legal framework seeks to centralize the protection of personal data in the Federal Executive, which reduces the independence that INAI used to have.
Except for this change, we note that there are few substantial modifications. We consider that the discussion of the New Law could have been used to incorporate important concepts that would have added real value, such as new business models and new information technology tools, in order to regulate more precisely and provide greater legal certainty in relation to (among other issues): (i) the processing of biometric data; (ii) the automated processing of personal data through the use of artificial intelligence mechanisms and their algorithms; (iii) the processing of data when making use of technologies such as blockchain (whether private or not), DAG (Directed Acyclic Graph) and the like; (iv) the recognition of the right to personal data portability; (v) the processing of personal data of minors (especially with respect to processing for advertising and marketing purposes); and (vi) clarification on the territorial scope of application with respect to digital platforms that operate in Mexico from abroad and process personal data of data subjects located in Mexico.
When the secondary regulations of the New Law are issued, we will see if some of these concepts are incorporated, on the understanding that they may not go beyond the provisions of the New Law.
In view of the foregoing, we suggest reviewing the privacy policies and procedures in force, as well as the privacy notices, to ensure compliance with the provisions of the New Law and avoid penalties.
We hope you find the above information useful, and we remain at your service for any matter in this regard.