close sidebar
    Data Protection Overview
  1. Is there a data protection law?
  2. Is there a data protection authority?
  3. Does the data protection law apply to law enforcement activities?
  4. What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?
    5. Communications Privacy Law
  5. What’s the legal authorization needed to access communications data?
  6. What’s the factual basis to access communications data?
  7. Which authorities have the legal capacity to request access to communications data?
  8. Does the country have provisions about access to data in cases of emergency?
  9. Is there any data retention mandate?
  10. Are there any rules that authorize the use of malware?
  11. Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?
  12. Does the law compel companies to assist law enforcement agencies in their investigations?
    13. The State of Communication and Privacy Law in Mexico (2020)
    Transparency & Communications Privacy
  13. Does the State report on the number of requests to access communications data?
  14. Is there any legal limitation that prohibits companies from publishing transparency reports?
  15. Do telecommunication companies publish transparency reports?
  16. Can companies notify users about States’ data requests?
Back to top

The State of Communication and Privacy Law in Mexico (2020)

By Katitza Rodríguez Veridiana Alimonti
in collaboration with Luis Fernando García (R3D) Luiza Rehder

This report focuses on criminal investigations and builds on the 2016 Mexico comprehensive study.

  1. Is there a data protection law?
    yes iconyes

    Mexico has adopted a federal data protection law for data held by private entities in 2010, and related regulation in 2011. In 2017, it adopted a data protection law for data held by public entities, which includes law enforcement agencies.

    See more
    2. Back to top
  2. Is there a data protection authority?
    yes iconyes

    The National Institute for Transparency, Access to Information and Protection of Personal Data is the current data protection agency. Created in 2014 and renamed in 2015, it replaced the Federal Institute for Access to Information and Protection of Personal Data.

    3. Back to top
  3. Does the data protection law apply to law enforcement activities?
    yes iconyes

    The data protection law for data held by public entities includes law enforcement activities. It defines public entities as any authority, entity, or body of the Executive, Legislative or Judicial Powers, autonomous units, political parties, trusts, public funds, or Unions. It also includes any other natural or legal person who receives and exercises public resources or performs acts of authority at the federal, state, or municipal levels.

    See more
    4. Back to top
  4. What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?

    If the data controller transfers personal data to third-party nationals or foreigners (other than the data controller), it should communicate the transfer in the privacy notice including the purposes of the transfer. The data should be processed according to the privacy notice, and should contain a clause indicating whether the data subject consents or not to the transfer. Likewise, the third-party recipient will agree to assume the same obligations that correspond to the person responsible for transferring the data. The transfers of personal data can be done without consent in specific cases specified in the law.

    See more
    5. Back to top

  5. The Mexican Constitution protects the privacy of communications and personal data. Every person has the right to enjoy protection on their personal data, and to access, correct, and delete such data. All people have the right to oppose the disclosure of their data, according to the law.

    Interception of communication - Prior judicial order is required.

    Access to the content of communications - Prior judicial order is required.

    Access to metadata - Prior judicial order is required.

    Access to subscriber data - Prior judicial order is required for accessing retained subscriber data.

    Location data - Prior judicial order is required.

    See more
    Back to top
  6. What’s the factual basis to access communications data?

    The factual basis for accessing communications data in Mexico includes:

    Articles 292 and 294 of the National Criminal Procedure Code

    Articles 5, 9, XXVI, 32-29 and 100-104 of the National Guard Law

    For details on the above articles,

    See more
    Back to top

  7. The following authorities are the ones authorized to request the intervention of private communications:

    * The Head of the Office of the Attorney General (Fiscalía General de la República), including those to whom they delegate this faculty, and their counterparts in each of the federal entities

    * The Commander of the National Guard or the Head of the General Headquarters of Police Coordination

    * National Intelligence Center - CNI (Executive Branch)

    In terms of national security, the National Intelligence Center - CNI is the competent authority to intercept private communications if an “imminent threat to national security” exists.

    See more
    Back to top
  8. Does the country have provisions about access to data in cases of emergency?
    yes iconyes

    Article 303 of the National Procedure Code states that in exceptional cases, when the physical integrity or life of a person is in danger or the victim of the crime is at risk, and when the facts investigated are related to the illegal deprivation of liberty, kidnapping, extortion, or organized crime, the Attorney General, or the public servant to whom this faculty is delegated, under the strictest responsibility, can directly request access to location data in real time or the disclosure of retained data stored by telecom companies or content or application providers.

    See more
    Back to top
  9. Is there any data retention mandate?
    yes iconyes

    Article 190 of the Federal Telecommunications and Broadcasting Act (LFTR) of 2014 orders telecommunications providers to retain data for 12 months on systems that allow law enforcement agencies to access and obtain the data electronically, in real time. After this one-year period, telecommunications providers must keep the data for an additional 12 months and, upon request, deliver it to authorities within 48 hours.

    See more
    Back to top
  10. Are there any rules that authorize the use of malware?

    In Mexico, there is no specific law that regulates the use of malware. However, the legislation recognizes the possibility that some authorities may require federal judicial authorization for the intervention of private communications for specific purposes, and that might be the legal authority used by the Mexican Government. Those authorities are: Office of the Attorney General of the Republic and Offices of the states of the Federation, National Intelligence Center (CNI), and National Guard.

    See more
    Back to top
  11. Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?

    To the best of our knowledge there is no law that obliges companies to provide this kind of access. Article 189 of the Telecom Law authorizes telecom, content and application providers to comply with the competent authority’s access request in the terms established by law.

    Back to top
  12. Does the law compel companies to assist law enforcement agencies in their investigations?

    Article 301 of the National Criminal Procedure Code sets out that telecom and Internet providers, and any other company that can intervene in a private communication, shall be compelled to collaborate with the authorities in such measures when requested and in an efficient manner. Likewise, such companies must have the necessary technical capacity to meet the requirements requested by the judicial authority to comply with a communications intervention order.

    Back to top
  13. Does the State report on the number of requests to access communications data?
    yes iconyes

    In Mexico, governmental agencies must regularly disclose statistical information about the requests they have made to telecommunications service providers for communication interceptions, access to communications records, and access to location data in real time.

    See more
    14. Back to top
  14. Is there any legal limitation that prohibits companies from publishing transparency reports?
    no

    No, to the contrary. Mexico had an obligation compelling companies to publish transparency reports, which was repealed. The Federal Telecommunications Institute (IFT, in Spanish), in accordance with Article 189 of the Federal Telecommunications and Broadcasting Law, issued a guideline that regulated the collaboration between the government and the private sector.

    See more
    15. Back to top
  15. Do telecommunication companies publish transparency reports?

    Telefónica-Movistar- YES

    AT&T- YES

    Telmex/Telcel- NO

    Axtel- NO

    Megacable- NO

    Izzi- NO

    Totalplay- NO

    Telefónica-Movistar publishes yearly transparency reports. AT&T publishes regular transparency reports. Although it provides very little data for most of the Latin American and European countries, AT&T’s report is more detailed in Mexico’s section. Regardless, it is still not as detailed as the report for the U.S. The remaining companies do not disclose transparency reports.

    See more
    16. Back to top
  16. Can companies notify users about States’ data requests?

    There is no legal provision that establishes a mandatory obligation to notify the user that their data was requested by the State.

    17. Back to top