Mexico Enacts Pioneering Personal Data Protection Law: Expands Rights for Individuals and Legal Entities Alike

Mexico City, Mexico – A significant legislative change in Mexico came into effect on March 21, 2025, with the enforcement of the Federal Law on the Protection of Personal Data Held by Private Parties (FLPPD). This new law, which was published just a day before its enactment, introduces critical alterations that reshape the privacy landscape in Mexico, particularly concerning how private entities handle personal data.

One of the most groundbreaking reforms is the dissolution of the National Institute of Transparency, Access to Information and Protection of Personal Data. The oversight responsibilities previously held by this body have now been transferred to the Ministry of Anti-Corruption and Good Governance, marking a significant restructuring in the governance of data protection.

The FLPPD redefines “personal data” more broadly than before, not limiting its ownership to natural persons. This means that legal entities can now also exercise data rights, which include access, rectification, cancellation, and objection, collectively known as the ARCO Rights. The changes also oblige entities to provide clear privacy notices and obtain explicit consent for data processing where required.

Detailed regulations that align with the new act are expected to be released within 90 days from its initiation. These regulations will likely provide clarity and further detail on the changes introduced.

Under the new law, novel obligations for data handlers include issuing simplified privacy notices electronically, ensuring that third-party data processors keep personal data confidential after their contractual term ends, and promoting data protection measures internally within organizations.

Enhancements to data owner rights have also been codified. Data update processes are now integrated within rectification rights, and individuals are protected against automated personal data processing without human oversight that could significantly affect them, such as profiling for employment reliability or behavior.

The legislation provides for self-regulation, under which data processors can agree with other entities or oversight bodies on compliance metrics and penalties for non-compliance. This self-regulation can take various forms, such as codes, policies, or procedures, which aid legal compliance while making it easier for individuals to assert their data rights.

Moreover, to strengthen enforcement and oversight, the new legal framework mandates the establishment of district and specialized courts to handle constitutional remedy requests, known as amparo petitions, within 120 days from the law’s enactment.

While the penalties for non-compliance remain unadjusted, they are substantial, ranging from approximately USD $565.70 to USD $1,810,240, with the potential for doubling if sensitive data is involved.

Amid these changes, it is crucial for corporations, especially those handling substantial personal data, to reassess their data protection policies to ensure they conform with the new requirements and so avert potential legal repercussions.

As this article was generated by AI technology and may contain inaccuracies or errors, corrections or retractions can be requested by contacting [email protected].