What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The data protection regime in Mexico is one of the most advanced regimes in Latin America, with a well-defined data protection law and clear data protection authority. The Mexican Constitution entitles all individuals with the right to the protection of their private life and personal data, including the right to access, correct and cancel this data.
The Federal Law on the Protection of Personal Data Held by Private Parties, the related Regulations to the Federal Law and the Guidelines for Privacy Notice set the requirements that private employers need to follow when ensuring employee data privacy in Mexico. The Law defines two types of protected data:
- personal data, and
- sensitive personal data
Personal data is broadly defined as any information concerning identified or identifiable individuals. Sensitive personal data is more strictly defined as the information that touches the most private areas of an individual’s life, and for which undue utilization could result in discriminatory acts, including information which can reveal: race/ethnicity, health status, genetic information, religion/philosophical/moral beliefs, union membership, political views and sexual preference.
Consent is required when processing personal data, except when otherwise allowed through the law (such as when the employer is fulfilling obligations under a legal relationship with the data subject). Consent can be provided verbally, in writing or via any technology. Note that tacit consent is allowed under the law when the individual is provided with a privacy notice and has the option to opt-out of the collection. When processing sensitive data, written consent (electronic or otherwise) must be obtained.
Mexico is a member of the Asia Pacific Economic Corporation (APEC) Cross Border Privacy Rules (CBPR), making it easier to transfer data between Mexico and other members (including Australia, Canada, Chinese Taipei, Japan, Singapore, South Korea and the United States).
The current authority responsible for enforcement of data privacy law and regulations in Mexico is the:
National Institute for Transparency, Access to Information and Personal Data Protection (INAI)