On January 26, 2017, Mexico’s General Law on the Protection of Personal Data held by Obliged Subjects [Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados] (the General Law) was published in the Federal Official Gazette.
It entered into force the next day, January 27, and provided a term of six months for the federal government and the entities of the federation to adjust their laws in the aspects related to personal data protection (for example, the Federal Law on Transparency and Access to Public Information) to comply with the minimums set forth in this new law.
The General Law regulates Articles 6 and 16 of the Constitution and intends to set forth the bases, principles and procedures to guarantee the protection of personal data managed by Obliged Subjects, i.e., data controllers. The General Law defines Obliged Subjects as any authority, entity, body and agency of the Executive, Legislative and Judicial branches at the federal, state and municipal levels, autonomous bodies, political parties, trusts and public funds.
Among the objectives of the General Law are to: establish the minimum bases and homogeneous conditions that will govern the processing of personal data and the exercise of the rights of access, rectification, cancellation and objection (known as ARCO rights); regulate the organization and operation of the National System of Transparency, Access to Information and Protection of Personal Data referred to in the General Law and the General Law on Transparency and Access to Public Information; guarantee the observance of the principles of personal data protection provided in the General Law and other applicable laws and regulations; protect personal data held by Obliged Subjects and regulate its processing; ensure that all individuals can exercise their personal data protection rights; promote and disseminate a culture of personal data protection, etc.
The enactment of the General Law is relevant considering that there was previously no legal body or regulation which provided for the specific protection of personal data held by government entities. Most of the laws and regulations in the public sector provided for the protection of personal data only as a limit to the right of access to information, but by no means established a set of guarantees, duties and mechanisms similar to those included in the Federal Law on the Protection of Personal Data held by Private Parties. These differences are important, since data subjects were left with a disproportionately weaker protection of their data protection rights. In other words, data subjects did not have the same guarantees regarding personal data processed by the government as they had regarding personal data processed by private parties.
Like the Federal Law on the Protection of Personal Data held by Private Parties, the General Law recognizes the data processing principles of legality, purpose, loyalty, consent, quality, proportionality, notice (information) and accountability.
In order to comply with these principles it establishes, for example, that Obliged Subjects must: process personal data in accordance with their powers and attributions, for specific, licit, explicit and legitimate purposes; request consent for the processing of personal data (the general rule is implicit consent, but for specific activities express consent will be required); provide a privacy notice to data subjects before the processing of their personal data to inform them of the characteristics of the processing; define mechanisms to comply with the accountability principle, such as the allocation of resources for implementing programs and policies for the protection of personal data; design, develop and implement their public policies, programs, services, systems or computer platforms, electronic applications or any other technology involving the processing of personal data in accordance with the provisions set forth in the General Law and applicable laws; and ensure that their public policies, programs, services, systems or computer platforms, electronic applications or any other technology involving the processing of personal data comply by default with the obligations set forth in the General Law and other applicable laws.
The General Law also determines that Obliged Subjects must comply with the duties of confidentiality and security and that they must take all necessary measures to guarantee the confidentiality of the personal data they process and adopt and maintain appropriate technical, administrative and physical security measures to avoid its damage, loss, alteration, destruction, unauthorized use, access or processing.
In contrast to the Federal Law on the Protection of Personal Data held by Private Parties, the General Law does establish within its provisions that when Obliged Subjects intend to put into operation or modify public policies, systems or computer platforms, electronic applications or any other technology that, in their opinion and in accordance with the General Law, involve the intensive or relevant processing of personal data (i.e., when there are inherent risks in the personal data to be processed, sensitive personal data is processed, or transfers of personal data are intended), they must carry out a Privacy Impact Assessment (PIA) and submit it to the federal and local guarantor authorities.
The General Law also requires that security measures for the processing of personal data are documented and contained in a personal data protection management system, i.e., the set of interrelated elements and activities aimed to establish, implement, operate, monitor, review, maintain and improve the processing and security of personal data, in accordance with the provisions of the General Law and other applicable regulations. The Obliged Subject shall prepare a security document (i.e., an instrument which describes the technical, physical and administrative security measures adopted to guarantee the confidentiality, integrity and availability of the personal data) containing at least: the inventory of personal data and processes of such data; the functions and obligations of individuals who process personal data; risk and gap analysis; work plan; mechanisms for monitoring and reviewing security measures, and the training program to be developed.
Another difference, and probably the one of most importance to service providers interested in contracting with the public sector, is that the General Law specifically defines cloud services and sets forth the requirements and characteristics needed to contract such services, as well as services in "other matters". (Note that the General Law does not define "other matters", but it might be understood as other mechanisms which allow for the processing of personal data.)
Cloud computing is defined as the model of external provision of on-demand computing services, which involves the provision of infrastructure, platform or software, distributed flexibly, through virtual procedures, in dynamically shared resources.
Article 63 of the General Law establishes that the data controller may contract or adhere to services, applications and infrastructure involving the processing of personal data, in cloud computing, and other matters, provided that the external provider guarantees policies which protect personal data that are equivalent to the principles and duties established in the General Law. Obliged Subjects must limit the processing of the personal data by the service provider through contractual clauses or other legal instruments.
Article 64 sets forth that where the data controller adheres to services, applications and cloud computing infrastructure and other matters, through general contracting conditions or clauses, it may only use those services in which the service provider:
I. Complies at least with the following:
a) has and applies policies for the protection of personal data which observe the principles and duties established by the General Law and other applicable regulations;
b) is transparent about subcontracting;
c) refrains from including conditions that authorize or allow for the ownership of the information on which the service is provided, and
d) maintains confidentiality with respect to the personal data on which the service is provided;
II. has mechanisms, at least, to:
a) inform the changes in its privacy policies or conditions of the service;
b) allow the data controller to limit the processing of the personal data on which the service is provided;
c) establish and maintain security measures for the protection of the personal data on which the service is provided;
d) guarantee the deletion of personal data once the service rendered to the data controller has been completed and the latter has been able to retrieve the data;
e) prevent access to personal data by persons who do not have access privileges, or, if access is granted at the justified request of a competent authority, inform the data controller of such fact.
In any case, the data controller cannot adhere to services that do not guarantee the proper protection of personal data, in accordance with the General Law and other applicable provisions.
As may be noted, the General Law contemplates within its body several interesting provisions, and most importantly the contracting of cloud computing, which nowadays has become or is becoming a "must" in the private and public sector. Therefore, service providers who would like to contract with the Mexican government must observe the relevant provisions of the General Law if they want to be considered as service providers. Considering that the government is one of the most important consumers of these technologies, service providers must be aware of this General Law and the state/local regulations resulting from it.