The State of Communication and Privacy Law in Mexico (2020)

  1. Is there a data protection law?
    Yes

    Mexico adopted a federal data protection law for data held by private entities in 2010, and related regulation in 2011. In 2017, it adopted a data protection law for data held by public entities, which includes law enforcement agencies.

  2. Is there a data protection authority?
    Yes

    The National Institute for Transparency, Access to Information and Protection of Personal Data is the current data protection agency. Created in 2014 and renamed in 2015, it replaced the Federal Institute for Access to Information and Protection of Personal Data.

  3. Does the data protection law apply to law enforcement activities?
    Yes

    The data protection law for data held by public entities includes law enforcement activities. It defines public entities as any authority, entity, or body of the Executive, Legislative or Judicial Powers, autonomous units, political parties, trusts, public funds, or Unions. It also includes any other natural or legal person who receives and exercises public resources or performs acts of authority at the federal, state, or municipal levels.

  4. What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?

    If the data controller transfers personal data to third-party nationals or foreigners (other than the data controller), it should communicate the transfer in the privacy notice, including the purposes of the transfer. The data should be processed according to the privacy notice, which should contain a clause indicating whether or not the data subject consents to the transfer. Likewise, the third-party recipient will agree to assume the same obligations that correspond to the person responsible for transferring the data. Transfers of personal data can be made without consent in specific cases set out in the law.

  5. The Mexican Constitution protects the privacy of communications and personal data. Every person has the right to the protection of their personal data, and to access, correct, and delete such data. All people have the right to oppose the disclosure of their data, according to the law.

    Interception of communication - Prior judicial order is required.

    Access to the content of communications - Prior judicial order is required.

    Access to metadata - Prior judicial order is required.

    Access to subscriber data - Prior judicial order is required for accessing retained subscriber data.

    Location data - Prior judicial order is required.

  6. What’s the factual basis to access communications data?

    The factual basis for accessing communications data in Mexico includes:

    Articles 292 and 294 of the National Criminal Procedure Code

    Articles 5, 9, XXVI, 32-29 and 100-104 of the National Guard Law

  7. The following authorities are the ones authorized to request the intervention of private communications:

    * The Head of the Office of the Attorney General (Fiscalía General de la República), including those to whom they delegate this faculty, and their counterparts in each of the federal entities

    * The Commander of the National Guard or the Head of the General Headquarters of Police Coordination

    * National Intelligence Center - CNI (Executive Branch)

    In terms of national security, the National Intelligence Center - CNI is the competent authority to intercept private communications if an “imminent threat to national security” exists.

  8. Does the country have provisions about access to data in cases of emergency?
    Yes

    Article 303 of the National Procedure Code states that in exceptional cases, when the physical integrity or life of a person is in danger or the victim of the crime is at risk, and when the facts investigated are related to the illegal deprivation of liberty, kidnapping, extortion, or organized crime, the Attorney General, or the public servant to whom this faculty is delegated, under the strictest responsibility, can directly request access to location data in real time or the disclosure of retained data stored by telecom companies or content or application providers.

  9. Is there any data retention mandate?
    Yes

    Article 190 of the Federal Telecommunications and Broadcasting Act (LFTR) of 2014 orders telecommunications providers to retain data for 12 months on systems that allow law enforcement agencies to access and obtain the data electronically, in real time. After this one-year period, telecommunications providers must keep the data for an additional 12 months and, upon request, deliver it to authorities within 48 hours.

  10. Are there any rules that authorize the use of malware?

    In Mexico, there is no specific law that regulates the use of malware. However, the legislation recognizes the possibility that some authorities may require federal judicial authorization for the intervention of private communications for specific purposes, and that might be the legal authority used by the Mexican Government. Those authorities are: Office of the Attorney General of the Republic and Offices of the states of the Federation, National Intelligence Center (CNI), and National Guard.

  11. Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?

    To the best of our knowledge there is no law that obliges companies to provide this kind of access. Article 189 of the Telecom Law authorizes telecom, content and application providers to comply with the competent authority’s access request in the terms established by law.

  12. Does the law compel companies to assist law enforcement agencies in their investigations?

    Article 301 of the National Criminal Procedure Code sets out that telecom and Internet providers, and any other company that can intervene in a private communication, shall be compelled to collaborate with the authorities in such measures when requested and in an efficient manner. Likewise, such companies must have the necessary technical capacity to meet the requirements requested by the judicial authority to comply with a communications intervention order.

  13. Does the State report on the number of requests to access communications data?
    Yes

    In Mexico, governmental agencies must regularly disclose statistical information about the requests they have made to telecommunications service providers for communication interceptions, access to communications records, and access to location data in real time.

  14. Is there any legal limitation that prohibits companies from publishing transparency reports?

    No, to the contrary. Mexico had an obligation compelling companies to publish transparency reports, which was repealed. The Federal Telecommunications Institute (IFT, in Spanish), in accordance with Article 189 of the Federal Telecommunications and Broadcasting Law, issued a guideline that regulated the collaboration between the government and the private sector.

  15. Do telecommunication companies publish transparency reports?

    * Telefónica-Movistar: YES

    * AT&T: YES

    * Telmex/Telcel: NO

    * Axtel: NO

    * Megacable: NO

    * Izzi: NO

    * Totalplay: NO

    Telefónica-Movistar publishes yearly transparency reports. AT&T publishes regular transparency reports. Although it provides very little data for most of the Latin American and European countries, AT&T’s report is more detailed in Mexico’s section. Regardless, it is still not as detailed as the report for the U.S. The remaining companies do not disclose transparency reports.

  16. Can companies notify users about States’ data requests?

    There is no legal provision that establishes a mandatory obligation to notify the user that their data was requested by the State.