Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

III. Privacy issues

Federal privacy protection

There have been six data and privacy bills presented by different Deputies and Senators of the Mexican Congress (Honorable Congreso de la Unión) since February 2001.1 The proposals are all modeled loosely on international data protection standards such as those found in the European Union Data Protection Directive, the Spanish Data Protection Law, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework. The proposals include general data protection principles, the rights of data subjects, the obligations of data controllers and data users, and the supervisory authority. International transfer of personal information is prohibited to countries without adequate level of protection.

However, as of June 2007, no agreement has been reached on any of the initiatives among stakeholders and the different parliamentary groups of the Mexican Congress, and the outcome of such initiatives remains to be seen during the works of the Legislature of the Mexican Congress.

In April 2007, Commissioners of the Federal Institute of Access to Public Information unanimously approved the creation of a working group to develop a data protection bill.2 The Mexican Congress has organized workshops on data protection since 2003 with the participation of different stakeholders including government agencies, banking and financial groups, telecommunications and commercial chambers and academic groups with the purpose of discussing the impact of the proposed data protection bills.

On November 2-4, 2005, the Fourth Ibero-American Personal Data Protection Meeting (IV Encuentro Iberoamericano de Protección de Datos Personales)3 was held in Mexico City. As a result of this meeting, the participants issued a document entitled: "The Mexico Statement" (La Declaración de Mexico).4 It provides a list of nine conclusions: (i) the protection of personal data as a fundamental right; (ii) information technology demands; (iii) regulatory developments and globalization; (iv) the protection and security of medical data; (v) the Ibero-American Data Protection Network; (vi) fostering the development of a legislative framework on data protection in Mexico; (vii) the XXVIII Conference of Data Protection; (viii) cooperation between the Mexican DPA (Instituto Federal de Acceso a la Información Pública), the Spanish and the Argentinean DPA; and (ix) the creation of data protection working groups.

Privacy regulator

There is a National Authority of Personal Data only for the Federal Public Administration (President, Attorney General, Ministries and State-owned enterprises): the Federal Institute of Access to Public Information (IFAI, or Instituto Federal de Acceso a la Información Pública). Besides IFAI, there are multiple organs for the protection of data, belonging to different branches of the State, related to the right of access to public information. As it is now conceived, IFAI has no authority when the personal data is in the hands of private people or entities, even those destined to provide information.

Currently there are several separate governmental agencies dealing with personal financial data: the Ministry of Finance (SHCP), the Central Bank (BANXICO), the National Banking and Stock Exchange Commission (Comisión Nacional Bancaria y de Valores, or CNBV), the Financial Service Users Agency (CONDUSEF), the Consumers Agency (PROFECO), and the vast amount of public information offices (Unidades de Enlace) established after the enactment of the Transparency and Public Information Law (LFTAIPG). There are many other offices as well.5

IFAI has issued a data protection guideline, as well as security recommendations for the protection of personal data held in databases of the Federal Executive Branch. The aim is for public agencies to comply with internationally data protection standards.6

Financial privacy

The Law of Protection and Defense of the User of Financial Services (LPDUSF) provides the legal framework for the protection and defense of the rights and interests of users of financial services rendered by private and public institutions duly authorized, as well as those rendered by the social sector.7 This law also regulates the organization, procedures and functioning of the National Commission for the Protection and Defense of Users of Financial Services (CONDUSEF), which is in charge of promoting, advising, protecting, and defending the rights and interests of users before financial institutions; judging their conflicts on an impartial basis, and promoting legal equity in the relations between them.

The LPDUSF protects the disclosure of the banking, fiduciary and securities secrets by mandating the CONDUSEF maintain strict reserve on the information and documents that the CONDUSEF may know as part of its duties and that is related to deposits, services or any other kind of transactions carried out by financial institutions. CONDUSEF shall be legally entitled to provide information only in case such information or documents is requested by a judicial authority, and by virtue of a sentence duly resolved in trial.[35]

Public functionaries of the National Commission are personally liable for breaching the duty of confidentiality or secrecy provided in Article 13 of the LPDUSF, obliging them to repair any damage and loss caused as a result of disclosing banking, fiduciary or securities secrets (Articles 14-15).8 Ley de Instituciones de Crédito [The Credit Institutions Law], Articles 117, 117 bis and 118; Ley del Mercado de Valores [Securities Market Law], Article 25; Ley de Ahorro y Crédito Popular [Saving and Popular Credit Law], Article 34; Investment Partnerships Law (Ley de Sociedades de Inversión) Article 55; and the Ley para Regular las Sociedades de Información Crediticia [Law to Regulate Credit Information Partnerships] (Section I Articles 18, 28, 37, 38, 39 and 52). A public official involved in matters related to the application and interpretation of taxes must keep all declarations and data provided by tax contributors or third parties confidential (Article 17-D, 17-J and 69, Fiscal Code of the Federation (Código Fiscal de la Federación).9

The United States-Mexican border has been an area of increased surveillance. Mexican authorities now routinely perform "security sweeps" of homes in areas bordering the United States.10 On the United States side, biometric facial recognition systems have been implemented by the Immigration and Naturalization Service11 at the Mesa de Otay border crossing (San Diego-Tijuana) for frequent United States commuters to Mexican maquiladora factories. The biometric data is stored with driver's license numbers, vehicle registration numbers and passport status information in an INS database. When a commuter in the program approaches the United States border, a transponder under his vehicle sends a signal to the checkpoint booth, activating the database and displaying the driver's image. Other commuters use a voice-activated device in addition to the facial scan.12

Recent developments

In February 2007, the Mexican Advertising Internet Association (AMIPCI) released its trustmark, "Sello de Confianza AMIPCI."13 The trustmark seeks to enhance security on e-commerce transactions and represents an acknowledgement that institutions and businesses adhering to AMIPCI's trustmark: (i) are legally established and located in Mexico, (ii) their websites are trustworthy and ethical responsible; and (iii) comply with privacy and information policies based on international privacy guidelines. The Sello de Confianza AMIPCI promotes the compliance of AMIPCI's ethical code, articles 16, 17, 18 bis and 76 bis of the FCPL and the APEC Privacy Framework.14 The Consumer Protection Agency (PROFECO) and the Ministry of Economy (Secretaría de Economía) were involved in the drafting and fully endorse that trustmark.

Civil society advocacy work

There are currently no public interest organizations specializing exclusively in advocacy and legal protection of privacy rights. There are, on the other hand, various associations and centers dedicated to the study, publication and promotion of transparency, right to know and access to public information.15

State privacy protection

On June 14, 2003, the Constitutional Congress of the State of Colima enacted a Personal Data Protection Law.16 The purpose of the law is to protect and guarantee the protection of personal data as a fundamental human right. Colima is the first state that has enacted a privacy and data protection legislation in the Mexican Republic. Colima's Data Protection Law has been in full effect since June 15, 2003, but its provisions have not yet been interpreted by Colima's local courts or by the Supreme Court.

The state of Jalisco introduced reforms to the state Civil Code in 2005 in order to regulate the protection of personal data, including data contained in electronic registries of private entities. Chapter III of the Civil Code of the State of Jalisco entitled "On Private Information" contains 39 provisions, which specifically regulate the protection of personal information of citizens residing in that State.17

The provisions of this Code contain definitions on private information, personal data, electronic data; data subject rights, data purpose; personal data registry; data collection obligations; the prohibition to collect, process and transfer sensitive personal data; obligations on the collection of patient medical data; obligations on security safeguards of personal data; the confidentiality of professional secrets; obligations to inform about the destination and transfer of personal information; consent to the transfer of personal information; the right to request access to personal data contained in private registries and archives; terms and conditions to modify, correct, update or cancel personal data; data preservation obligations; financial and credit data obligations; and third party data transfer conditions.

Footnotes