Data protection in Mexico: an overview of recent enforcement efforts and trends
December 2013 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Mexico has enacted legal reforms (from the constitution down), accompanied by a governmental institutional framework, in order to make the protection of personal information a valuable and warranted right in Mexico.
Derived from those reforms – especially the Federal Law for the Protection of Personal Data in Possession of Private Entities – it is not uncommon to see Privacy Notices displayed in major department stores, privacy related recordings when you call a bank to check your credit card balance, and clauses in contracts dealing with the matter in a wide array of industries.
Notwithstanding the above, it is becoming more common to see reports about the imposition of fines – on people and companies alike – for breaching Mexican data privacy laws. As a matter of fact, the Mexican federal government has issued several communications to publicly announce the imposition of sanctions on financial institutions, pharmaceutical companies, telecommunication companies, gyms and even doctors.
According to information published in one of Mexico’s most prestigious financial newspapers, the Federal Institute for the Access of Public Information and Data Protection (IFAI) imposed six different fines on one of Mexico’s top financial institutions, amounting to a total of approximately $1.4m. The reason for such fines is the alleged negligence of the financial institution to timely process the request of some users to exercise their ARCO rights, and alleged negligence in the treatment of personal information by allowing the use of such data once the user or IFAI had requested that it cease. The financial institution in question will appeal these rulings.
Another relevant example that has made the news relates to the telecommunication services industry. According to news articles citing official releases from the IFAI, the authority has recently applied a fine of around $480,000 to Mexico’s top cell phone services provider, arguing the unauthorised use of a client’s contacts in order to reclaim an overdue balance. Although no information on the matter is available, it is foreseeable that this fine will also be appealed. Other sanctions in this sector relate to uses of personal data for purposes different from those authorised by the owner or because personal data is given to third parties without the consent of the user for a wide array of purposes.
Other companies have been fined by the IFAI for infringements of the Federal Law for the Protection of Personal Data in Possession of Private Entities, based on the fact that they failed to provide their customers with clear information on how to exercise their ARCO rights. A firm was also fined for the transfer of sensitive personal data without the consent of its owner and because there was no information in its privacy notices on how it was possible for data owners to limit the use and transfer of their information.
In this sense, from the examples listed above, it is clear that the enforcement of the Federal Law for the Protection of Personal Data in Possession of Private Entities is ongoing and has no signs of stopping. Therefore, it is likely that we will continue to see these kinds of stories in the newspapers on a daily basis.
Notwithstanding the above, it is worth mentioning that recently published studies on the topic state that around 35 percent of Mexican companies are still in the process of developing and publishing their privacy notices – which likely implies that there are important gaps in their corporate policies or they are absent. Worst still, other studies state that just 20 percent of Mexicans actually read them and that their knowledge of how other entities deal with personal information is directly related to their level of education. As a matter of fact, some voices actually argue that the market for the illicit exchange of personal data in Mexico is growing by as much 10 percent annually.
Data protection in Mexico is, to some extent, a recent development; therefore it is foreseeable that it will take some time to actually create a proper culture of respecting and valuing such information as we value other goods, services or rights. The enforcement examples outlined above (although not final) lead us to believe that such awareness is growing and will become a reality in the years to come. The evidence suggests the road will not be easy or smooth, but the signs are encouraging.
Tomas Arankowsky-Tames is a partner at AVAH Legal, S.C. He can be contacted on +52 (55) 5570 7547 or by email: email@example.com.
© Financier Worldwide
AVAH Legal, S.C.