Latest Posts:
Search for:

Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

In Data

Mexico: New privacy challenges – The Unique Identity Platform and the future of data protection

by , and 4 Mins Read

Mexico’s Unique Identity Platform takes shape, transforming the foundations of data protection, cybersecurity, and state surveillance

On 27 November 2025, the Official Gazette of the Federation published the Guidelines for the Development and Operation of the Unique Identity Platform (PUI), in compliance with recent amendments to the General Population Law and the General Law on Forced Disappearance of Persons. These guidelines establish the regulatory, technical, and administrative framework for the management, interconnection, and security of the PUI, which will become the primary source for identity verification in Mexico, integrating biometric data and administrative records of both nationals and foreigners.

The Guidelines impose new obligations on all companies processing personal data, including enhanced requirements for data protection, cybersecurity, and cooperation with authorities. This includes mandatory notifications to regulators, stricter information security measures, and up-to-date documentation regarding personal data protection.

Contents

  1. Key takeaways
  2. Recommendation for companies
  3. Conclusion

Key takeaways

  • Obligated Parties: The guidelines are mandatory for all government entities and private companies, referred to as “Diverse Institutions.” This definition is broad and includes companies in sectors such as financial services, healthcare, telecommunications, and any organization managing employee databases.
  • Interconnection and Access Requirements: Public institutions and companies must interconnect with the PUI. The technical rules for this interconnection will be published in the Technical Manual for Diverse Institutions, which must be issued within 30 days.
  • Personal Data Segmentation: Companies must structure their personal data to collaborate with authorities, differentiating between basic, historical, and continuous searches.
  • Registration with Authorities: Legal entities must register in Mexico City using their Llave MX (digital key).
  • New Data Protection and Cybersecurity Obligations: Companies connected to the PUI must maintain security measures as required by data protection laws, plus any additional requirements set forth in the Guidelines and Manuals of the PUI.
  • Mandatory Notification to RENAPO: Companies must notify the regulator in case of any breach compromising the security of personal data.
  • Evidence of Compliance: Companies are required to document and keep updated evidence of compliance with personal data protection legislation.
  • Obligation to Cooperate with Authorities: The primary obligation is to assist in the search for missing persons, although the law’s wording may allow for broader interpretations.
  • Liability and Sanctions: Companies failing to implement the required measures for PUI interconnection may face fines ranging from USD 60,000 to USD 120,000.
  • Implementation Deadlines: Technical and operational manuals must be issued within 30 business days, and the National Personal Identification Service will begin operating no later than 45 business days after the manuals are published.

Recommendation for companies

  • Does this apply to me? Assess whether your company qualifies as an obligated party under the law. If necessary, consult with authorities to confirm criteria.
  • Do I collect CURP or should I? Review your company’s Personal Data Management Program, identifying existing databases that may be affected by this law. Document any controls or measures not yet formally recorded.
  • Update internal processes to ensure secure and continuous interconnection with the PUI, differentiating the types of searches required by the regulations.
  • Implement technical and administrative measures for the handling and safeguarding of personal data, ensuring compatibility with the standards defined in the PUI manuals.
  • Train staff on new obligations and regulatory risks related to identity data management and cooperation with authorities in cases of missing persons.
  • Review and strengthen privacy notices and response protocols for PUI information requests.
  • Register your company in the Llave MX system and designate a Technical Liaison for coordination with RENAPO and ATDT.

Conclusion

The entry into force of these guidelines represents a structural change in identity management and personal data protection in Mexico. Companies and obligated parties must anticipate the technical, administrative, and legal challenges posed by interconnection with the Unique Identity Platform, ensuring regulatory compliance, protection of fundamental rights, and avoidance of fines.

Our team is available to provide specialized advice and support your organization in adapting to this new regulatory environment.

Categories:
Tags:
Author

Carlos is one of Mexico's most active privacy, data protection and information security lawyers. He has implemented privacy management compliance programs for over 100 companies, including several Fortune 500 companies. He advises on corporate and commercial matters where privacy is an issue, including e-discovery, FCPA investigations, e-commerce, direct marketing, privacy in the workplace, litigation and M2M communications.

Author

Daniel Villanueva Plasencia is a member of Baker McKenzie’s Intellectual Property Practice Group in Guadalajara. He has extensive experience in intellectual and industrial property matters, including trademarks, patents and copyrights. Prior to joining the Firm, he was the founding partner of a local firm in Guadalajara.

Author

Paulina is an associate in the Mexico City office with seven years of experience in the legal field. She specializes in data privacy and security, technology, media, and telecommunications (TMT), as well as e-commerce, and commercial and software contracts. Additionally, she handles matters related to the aeronautical industry. Paulina holds an advanced LL.M. in law and digital technologies from Universiteit Leiden in the Netherlands. Her unique perspective comes from a year spent working abroad in Germany's automotive industry.

Related Posts