On 20 March 2025, the Decree issuing a new Federal Law on the Protection of Personal Data Held by Private Parties was published in the Official Gazette of the Federation. According to the Decree, the new law came into effect on 21 March 2025, repealing the 2010 Federal Law on the Protection of Personal Data Held by Private Parties.
Although the new law is similar to the 2010 law, the updated text establishes the Secretariat of Anti-Corruption and Good Governance as the new authority, incorporates changes to the definitions from the 2010 law, and sets certain obligations that will require privacy notices, internal policies and data processing agreements to be more precise.
Key takeaways
The most relevant changes in the new Federal Law on the Protection of Personal Data Held by Private Parties include:
- The functions of INAI are effectively transferred to the Secretariat of Anti-Corruption and Good Governance.
- Definitions of “databases,” “public access sources,” “data controller,” and “processing,” among others, are modified.
- The possibility of processing personal data for purposes similar or analogous to those informed in the privacy notice is eliminated.
- Union membership is no longer considered sensitive personal data.
- Specific conditions for exercising the right to object, including automated processing through artificial intelligence systems, are established.
- The chapter on regulatory authorities is eliminated, removing the powers of the Ministry of Economy in matters of personal data protection.
- Amparo proceedings will be the recourse against decisions of the Secretariat of Anti-Corruption and Good Governance.
- To reflect inclusive language, the terms “data subject” and “data controller” have been replaced by neutral terms.
In the section below, you will find a more detailed description of the changes introduced in the new law on personal data protection.
In depth
On 20 March 2025, a new law on personal data protection for the private sector was published in the Official Gazette of the Federation (“Decree”). The new Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) came into effect on 21 March 2025, repealing the 2010 law.
The publication of this new law stems from the Decree reforming, adding, and repealing various provisions of the Political Constitution of the United Mexican States, in terms of organic simplification. This decree was published in the Official Gazette on 20 December 2024, with the aim of dissolving the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI) and transferring its functions to the Secretariat of Anti-Corruption and Good Governance (SABG). Now, with the publication of the new LFPDPPP as secondary law, the INAI is effectively dissolved.
The most relevant changes in the new LFPDPPP are as follows:
Definitions. The new law introduces changes to several definitions, including:
- Databases: The LFPDPPP applies to databases regardless of their creation form or modality, type of support, processing, storage, and organization.
- Public access sources: These will not be considered as such when the information contained is obtained unlawfully or has an illicit origin.
- Data Controller: The updated text refers to the definition of “Regulated Subjects”, being private individuals or entities that process personal data. The reference to the data controller as the one who “decides” on the processing of personal data is removed.
- Processing: A more extensive definition is provided, determining that processing is any operation or set of operations performed through manual or automated procedures applied to personal data. It also more clearly defines activities constituting personal data processing, including recording, organizing, storing, disseminating, possessing, among others.
- Personal Data: Notably, the definition of personal data no longer includes the reference to information belonging to a natural person, leaving only the term ‘person’.
Authorities’ Powers. The new LFPDPPP replaces references to the INAI with the SABG, effectively transferring the INAI’s functions to the Executive Branch. Additionally, the powers of the Ministry of Economy in personal data matters are removed. The Ministry of Economy had been notable for issuing the Privacy Notice Guidelines.
Also, it provides that the decisions of the SABG can be challenged through amparo proceedings. Note that on 13 March 2025, amendments to the Amparo Law were published, which could affect the substantiation of this recourse.
Obligations for Data Controllers. The 2025 LFPDPPP reaffirms the obligation of data controllers to establish controls or mechanisms to ensure the confidentiality of personal data by those involved in processing. This obligation must continue even after the termination of the relationship between the data controller and those individuals.
Additionally, the new law eliminates the possibility of processing personal data for purposes compatible or analogous to those stated in the privacy notice. In such cases, the data controller must obtain the data subject’s consent for new purposes.
Data Subjects’ Rights. The updated law includes a provision allowing data subjects to object to processing when (i) the processing is automated, (ii) it takes place without human intervention, (iii) it causes undesired effects on the data subject, and (iv) the purpose of the processing is to evaluate, analyze, or predict behavior, reliability, professional performance, among other aspects.
It also establishes that exercising ARCO rights may have a cost unless the data subject provides the necessary means or mechanism to reproduce the personal data.
Sanctions. The law explicitly states that fines will be calculated in UMAS, replacing the reference to minimum wages. It is noteworthy that the new law reused the sanction scenarios established in the 2010 law, leaving without sanction the general infringement mentioned in subsection XIX of article 58 of the new law. This section presents as a sanctionable infringement any non-compliance by the data controller with the obligations established in the LFPDPPP.
Conclusion
While the new LFPDPPP does not differ significantly from the 2010 law, the updated text includes certain provisions and modifications that will require privacy notices to be more precise regarding the purposes of processing and the personal data required for achieving those purposes. Therefore, it is important for data controllers to review their privacy notices and internal policies on personal data protection and the use of artificial intelligence.
Additionally, due to the change in the definition of “data controller,” it is important for data processors to have a contract clearly stating that they act as data processors. Otherwise, they could fall within the definition of “data controller” and thus be required to comply with the associated requirements.