Last review date: 02 December 2024
Currently, there are no non-personal data regulations in Mexico.
Regarding data privacy, there is one regulator, previously the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales or “INAI” for its acronym in Spanish).
Congress has recently terminated INAI, and a new regulator will assume its responsibilities. According to the decree published on 20 December 2024 in the Official Gazette of the Federation, each power and public entity will be responsible for guaranteeing the rights of access to information and protection of personal data. In the private sector, the Secretariat of Anticorruption and Good Governance will assume these responsibilities. This entity will oversee data privacy and cybersecurity regulations, ensuring standards are upheld. The transition is crucial for maintaining data security within the jurisdiction. As of January 2024, we await further details on the structure and mandate of this new regulator, which will address evolving challenges in data protection and cybersecurity.
Although there is currently no specific regulation for cybersecurity issues, the Secretariat of Anticorruption and Good Governance will most likely maintain and enforce the non-binding recommendations to prevent cyber-attacks and data breaches published by INAI.
Last review date: 31 December 2024
In recent years, INAI has imposed the following fines: 39 million pesos in 2020; 90 million pesos in 2021; 18 million pesos in the first half of 2022; and 11 million pesos in 2024.
Likewise, according to INAI's records, the most sanctioned sectors in recent years are mass media, financial and insurance companies, health and social welfare, and manufacturing industries. The conduct that has historically generated the most sanctions is: (i) the collection and/or transfer of personal data without data subjects' consent, (ii) processing personal data in contravention of the principles, (iii) omitting mandatory information elements in the privacy notice, and (iv) obstructing verification acts.
Due to the dissolution of the INAI, it remains to be seen how rigorously the Secretariat of Anticorruption and Good Governance will enforce regulations.
Last review date: 31 December 2024
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Staying the same
Class actions/group actions under data or cyber regulation are:
☒ Not available in the jurisdiction
Last review date: 31 December 2024
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
☒ criminal penalties from regulators and law enforcement
The act of compromising the security of a database containing personal data with the intention to profit is a criminal offence which can be punished with up to 3 years of imprisonment and up to 6 years when sensitive personal data are involved. Furthermore, obtaining and processing personal data through deceit and with the intention to profit is also considered a criminal offence punishable with up to five years of imprisonment, and up to 10 years when sensitive personal data are involved.
☒ private remedies