On March 20, 2025, Mexico’s new Federal Law on the Protection of Personal Data held by Private Parties (FLPPDPP) was published in the Official Gazette of the Federation. Effective March 21, the new law replaces the FLPPDPP published in July 2010.
Among the key changes the decree and new FLPPDPP introduce is the dissolution of the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI). Before the decree’s publication, INAI served as an autonomous regulatory and oversight authority for matters related to transparency, information access, and personal data protection. As of March 21, 2025, these responsibilities will be transferred to the Ministry of Anticorruption and Good Governance (Ministry), a governmental body reporting directly to the executive branch. The Ministry will now supervise, oversee, and regulate personal data protection matters.
Related to personal data protection, companies may wish to consider the following points when preparing to comply with the new FLPPDPP:
- The definition of “personal data” is amended to remove the previous limitation to natural persons, expanding the scope to any identifiable individual—when their identity can be determined directly or indirectly through any information.
- The law now requires that the data subject give consent “freely, specifically, and in an informed manner.”
- Public access sources are now limited to those the law explicitly authorizes for consultation, provided no restrictions apply, and are only subject to the payment of the applicable consultation fee.
- The scope of personal data processing expands to encompass “any operation or set of operations performed through manual or automated procedures applied to personal data, including collection, use, registration, organization, preservation, processing, communication, dissemination, storage, possession, access, handling, disclosure, transfer, or disposal of personal data.”
- As a general rule, the data subject’s tacit consent is deemed sufficient for data processing, unless the law expressly requires obtaining prior explicit consent.
- Regarding the privacy notice, the new FLPPDPP requires data controllers to specify the purposes of processing that require the data subject’s consent. Additionally, the express obligation to disclose data transfers the controller carries out is eliminated.
- Resolutions the Ministry issues may be challenged through amparo proceedings before specialized judges and courts.
Takeaways
1. Although this amendment does not introduce substantial changes with respect to the obligations of those responsible for processing personal data, companies should review their privacy notice and, if necessary, adjust it to the provisions of the FLPPDPP including, where appropriate, replacing references to the INAI.
2. If any data protection proceedings were initiated before the INAI while the previous law was in effect, the provisions of the prior law will continue to govern such proceedings, with the exception that the Ministry will now handle them.
3. The executive branch will have 90 days to issue the necessary amendments to the new FLPPDPP regulations. Companies should monitor for the amendments’ publication to identify changes that may impact their compliance obligations under the new law.