Doing Business in Mexico? It’s Time to Revise Your Privacy Practices
By Holly K. Towle, Henry L. Judy, Samuel R. Castic
On July 6, 2010, Mexico’s “Law on the Protection of Personal Data Held by Private Parties” took effect, and some of the most stringent requirements are currently scheduled to take effect in July 2011. Accordingly, the time for companies that are covered by the law to adjust their privacy policies and business practices is today, not mañana.[1] In many ways, this law is more robust than approaches taken to data protection in the United States. It brings Mexican privacy law far closer to, or goes beyond, the concepts and structure of the European Data Protection Directive (“EU Directive”)[2] or other approaches such as the Canadian Personal Information Protection and Electronic Documents Act.[3] The law also seems to approximate the European Union approach of treating data protection as a basic right.[4] This Alert discusses some of the key provisions of Mexico’s new law.
What Data Is Covered?
The law applies to “personal data,” which is “any information concerning an identified, or identifiable individual.”[5] Although the U.S. Federal Trade Commission has proposed a similar approach[6] and some of its enforcement orders already take such an approach, such breadth is not used in all aspects of data protection. For example, U.S. state breach notification laws generally are limited to specified categories of sensitive personal data such as a name in combination with a social security number or credit card number. It is unclear whether the term “identifiable” would reach profiles and other types of data that are able to approximate individuals, such as on a statistical basis.
The law also applies to “sensitive” personal data. This category is defined generally as personal data touching on the most private areas of the data subject’s life or whose misuse might lead to discrimination or involve a serious risk for the data subject,[7] i.e., there are three separate concepts at issue: a broad “touching on” concept, discrimination, and serious risks. The law does not address the issue of what consequences the serious risks concept is concerned with. The law indicates that this general, three-part concept in particular includes personal data that might reveal “racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views, or sexual preference.”[8] This formulation in effect expands on the analogous categories of sensitive data under the EU Directive because it is not limited to specified categories of information, as is the EU Directive. The Mexican law also adds genetic data to its specific list of sensitive data. While it lists “sexual preference” rather than the EU Directive’s “sex life,” it may be as broad as the Directive in that regard because of its non-exclusive formulation. The Mexican law does not create a special category for the processing of data relating to offenses and criminal convictions, as the EU Directive does. In the U.S., most of these categories of sensitive data are protected by a variety of sector-specific laws, such as the federal U.S. Genetic Information Nondiscrimination Act of 2008, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and various constitutional doctrines, some of which are aimed at privacy and some of which are aimed at prohibited outcomes such as discrimination.
Whose Data Is Protected?
The law protects the personal data of the “data owner,” a term defined in the statute to mean the individual to whom the personal data relates.[9] In this Alert, we use the term “data subject” instead to avoid any misunderstanding. In the U.S., “data owner” typically refers to the person collecting the data and U.S. legal concepts do not automatically treat or assume that the “owner” of data is the person to whom it relates.[10] For example, U.S. state data security breach statutes often require the “data owner” to give notice to the individual who is the subject of the data: if “data owner” were that individual, he would be required by law to give notice to himself!
In contrast, the Mexican law uses the term “data owner” to mean the data subject. The term seems to reflect the concept of habeas data as employed in the law of a number of Latin American countries under which the individual may compel the disclosure by the public authorities (and some private interests) of his or her personal data because the individual is considered to have sufficient ownership interest in it to have the right to control its use.
What Entities and Individuals Are Regulated?
The law purports to apply broadly to all private entities or individuals that process personal data: “The parties regulated under this Law are private parties, whether individuals or private legal entities, that process personal data, with the exception of: I. Credit reporting companies under the Law Regulating Credit Reporting Companies and other applicable laws, and; II. Persons carrying out the collection and storage of personal data that is exclusively for personal use, and without purposes of disclosure or commercial use.”[11] Thus, the Mexican law does not apply to public authorities.
The law does not itself specify any additional jurisdiction requirements that would need to be met for the law to apply, but we presume for purposes of this Alert that jurisdictional and other qualifiers exist under other aspects of Mexican law. Nevertheless, U.S. companies with subsidiaries or distributors in Mexico, or that otherwise process personal information concerning Mexican employees, customers, or business contacts, may wish to assume they are covered. Similarly, U.S. companies that contract with Mexican companies, such as for call centers and similar outsourced services, may wish to assume that they will be asked to reflect obligations under the new Mexican law in their contracts.
What Is Processing Data and Who Are the Data Processor and Data Controller?
The law states that regulated parties are those who “process” personal data. “Processing” is broadly defined to mean retrieval, use, disclosure or storage by any means, and use covers “any action of access, management, exploitation, transfer or disposal of personal data.”[12] The “data processor” is someone (individual or entity) that, alone or jointly with others, processes data on behalf of a data controller. A “data controller” is someone who decides on the processing,[13] i.e., the person in charge of directing others. These terms are used in the Mexican law with the same type of meaning that they have in the EU Directive.
Provisions That May Require a Change in Practices
Mexico’s new law may require a change in some practices that are permissible in the U.S., absent adoption and enforceability of significant changes of the type recently proposed by the Federal Trade Commission or Department of Commerce.[14] The following examples illustrate some of the types of changes that may be required.
- Consent. Subject to listed exceptions,[15] all processing of personal data is subject to the consent of the data subject. Consent levels vary. For example, in certain circumstances consent can be assumed, such as after a privacy policy has been made available. In other cases, consent must be “express,” meaning in some circumstances (such as for sensitive data) that the consent be “written” and signed (although if structured appropriately, such consent can be provided electronically).[16]
- Relevant Data. Mexico’s law requires the data controller to “ensure” that personal data it maintains be “relevant, correct, and up-to-date for the purposes for which it has been collected.”[17] The law also requires a phase-out of collected data.
First, when the data is no longer necessary “for the fulfillment of the objectives set forth in the privacy” policy and applicable law, it must be “cancelled.” Note that the privacy policy has a large impact here, and using it to explain the purposes of collection is important under this law. The “cancel” concept appears to be explained in the part of the law allowing the data subject a continuing right to “cancel” his data.[18] As explained there, cancellation invokes a “blocking” period. “Blocking” is essentially defined as labeling data in the database once it has served its purpose so that it will not be used during the blocking period even though it is retained, such as until a statute of limitations period has run.[19] After that, it must be “erased” or “deleted” in the database and the data subject must be notified of the cancellation.[20] This right of notification could create a considerable administrative burden depending on how it is implemented in regulations (e.g., must the notification go directly to the data subject; may notification be given generally, such as by notice on a website or in newspapers; may notifications be cumulated and given at regular intervals, such as quarterly?). Similarly, how can the notification obligation be tailored to variations in Mexico’s communications infrastructure?
Notwithstanding these kinds of questions, the foregoing is a more sophisticated approach than some data protection laws take. Some privacy regimes speak in terms of eliminating personal data as soon as it is no longer necessary for its disclosed or presumed collection purposes, but that is not always practical. Using a U.S. illustration, consumer credit card transaction data might not be “necessary” once the item purchased is delivered, if the purpose of the transaction is viewed as a sale and delivery. Legal realities are more complex, however, as such data needs to be available to respond to investigations that will take place if the cardholder claims that a “billing error” has occurred — if the card issuer determines its private investigation in the cardholder’s favor, the merchant will retain its legal right to pursue the cardholder in court until the statute of limitations runs. Similarly, the cardholder may, for the relevant statute of limitations, sue the merchant for product defects or other aspects of the contract not within the “billing error” investigation. The Mexican law understands that it may be necessary or advisable to hold data until risks have expired.
The law also permits a “disassociation” procedure, which means a “procedure through which personal data cannot be associated with the data subject nor allow, by way of its structure, content or degree of disaggregation, identification thereof.” This appears to correspond to concepts of anonymization or de-identification under U.S. and EU law. However, no guidance as to permissible procedures is provided, particularly on the key point of whether “disassociation” is permissible following “cancellation,” or, putting it another way, whether “disassociation” is a permissible form of “erasure.” The only context in which disassociation is mentioned is where the law addresses exemptions from certain data subject to consent requirements.[21] Nor is any guidance provided as to the relation of “disassociation” under the new law to procedures of coding and anonymization under health care law, as in the case in the U.S. under HIPAA.
Second, data “relating to nonperformance of contractual obligations” must be removed after 6 years from “the calendar day on which said nonperformance arose.”[22] This wording has the potential to cut off claims by parties (data controller or data subject) entitled to sue under statutes of limitation longer than 6 years or under “discovery” rules sometimes allowing later suit if the claimant could not reasonably have discovered the nonperformance before the statute of limitations ran. Of course, especially with regard to contracts calling for complex performance over time, this provision opens the door to questions as to the exact calendar day on which nonperformance arose. It is also not clear how the different sections of the law work together in this regard, but at least under one section, restrictions on the cancellation power exist which might be helpful in resolving this kind of problem.[23]
Third, portions of the Mexican law seem to strike new ground in that they may place an even greater emphasis on a right of cancellation and deletion than do other privacy regimes, including the regimes established on the model of the current EU Directive. In this regard, the Mexican law appears to be anticipating the communication issued by the European Commission on November 4, 2010, concerning a comprehensive revision to the data protection regime established under the EU Directive (“Communication”). This Communication placed greater emphasis on deletion of personal data and reflected arguments in favor of a “right to be forgotten” and the concept that anonymity fosters personal autonomy.[24] Such a “right,” of course, raises countervailing policy questions that are the subject of current debate.[25]
- Service Providers. Mexico’s law requires that companies “ensure compliance” with its requirements, even when “third parties” are used.[26] That term is defined to mean a Mexican or foreign individual or legal entity (other than the data subject or data controller), so it includes a very broad scope of parties such as all subcontractors and service providers.[27] Accordingly, contracts with vendors need to be updated to address this and additional obligations under the new law.
- Privacy Policy. The law requires data controllers to provide a privacy “notice” to data subjects explaining what information is collected and why.[28] The notice must at least contain listed items, some of which are not commonly disclosed in the United States under generic privacy regimes (though some may be disclosed under sector-specific regimes or other statutes relating to the Internet or by members of U.S. Safe Harbor relating to the EU Directive). The notice must also be made available to data subjects in compliance with specific timing and formatting requirements.[29]
- Security. According to the IAPP translation, Mexico’s law requires “all responsible parties[30] that process personal data” to establish and maintain physical, technical, and administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorized use, access or processing.[31] In the U.S., many states have versions of such an obligation, with Massachusetts having the most extensive version. Federal sector-specific laws in the U.S. can also impose similar obligations (e.g., HIPAA and GLBA), and the FTC’s enforcement orders addressing inadequate data security or access controls pursuant to section five of the FTC Act are to a similar effect. The Mexican law prohibits data controllers from implementing security measures that are any less protective than controllers use to protect their own information. Also, in determining the security means to implement, data controllers must take into account “the potential consequences to the data subjects, the sensitivity of the data and technological development.” The concept may require data controllers to re-examine and update their security measures as they acquire additional types of personal data, as technology advances and as various risk levels change. Hence, the new Mexican law explicitly poses the familiar challenge or impossibility of matching affordability and foreseeability within a dynamic and non-uniform information security environment.
- Access. Mexico’s law permits individuals to access, rectify and cancel personal data that entities maintain about them.[32] Importantly, personal data must be preserved in a manner that permits exercise of these rights “without delay,” and the law requires the entity to respond to the request within twenty days of receipt.[33] As previously discussed, “cancellation” is a nuanced concept in the law and other details apply – the point here is that these robust rights exist and have detailed requirements and specified time limits for compliance.
- Data Transfers. Mexico’s law requires data controllers that transfer personal data to “domestic or foreign third parties other than the data processor” to: (a) provide a copy of the relevant privacy notice to the transferees; and (b) include in that notice a clause regarding data transfers and “whether or not” the data subject “agrees” to those transfers. Assuming such a notice and agreement, data processing by the transferee must be done as agreed in that notice.[34] There is a list of domestic and international transfers that can be done without consent, such as transfers to certain corporate affiliates, but the ambiguity and limitations in the list encourage obtaining consent in the privacy notice.
- Penalties. The new law contains penalties for violations that range in severity from a warning, to a maximum penalty of 320,000 days of the Mexico City minimum wage,[35] or approximately USD $1,595,000.[36] The penalty is doubled when sensitive data is involved, which can mean a maximum fine of approximately USD $3,190,000.
Recommendations
Now is the time for companies subject to Mexico’s new law to start bringing their policies and practices into compliance. Critically, the law places a fundamental importance on the content of privacy policies, so companies should review their privacy policies in light of the new requirements. Although the Mexican law burdens companies with the expense of compliance with yet another country’s unique privacy regime, the Mexican law permits some flexibility to achieve compliance by means of well-designed contracts and disclosures. As this Alert indicates, many key aspects of the new law remain uncertain and companies with direct or indirect operations in Mexico will wish to receive advice as they commit their compliance resources.
The agency with primary authority for implementation of the new law and for supervising compliance is the Federal Institute for Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos).[37] Currently, the Federal Institute and the Ministry of Economy (Secretaría de Economía (SECON)) are working on draft implementing regulations. These will be issued for public comment with the aim of adopting them in final form in July. It will be important to follow the progress of that project.
Though the law was enacted on July 6, 2010, some of the more stringent requirements will not take effect until one year to eighteen months after the date of enactment,[38] so there is still time to review policies and bring practices into compliance. If you would like assistance in that endeavor or other compliance efforts, K&L Gates has data protection attorneys who can help. Please feel free to contact any of the attorneys listed below.
Notes:
[1] The official Spanish language version of the law is available here; an unofficial English language translation is available courtesy of the International Association of Privacy Professionals here. The analysis herein relies on the unofficial English translation that the IAPP has provided, which may contain inaccurate or misleading translations.
[2] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available here.
[3] Available here.
[4] See supra note 1 at ch. I, art. 1 (addressing the “right” to “information self-determination of individuals.”).
[10] See, e.g., State v. Farmer, 80 Wash. App. 795, 911 P.2d 1030 (Wash. App. 1996) (no legitimate expectation of privacy in information a person reveals to third party such as evidence of a transaction with a business; holding that a warrantless seizure of sales receipts from a merchant to compare them to receipts defendant submitted to insurance company under claim for property loss did not violate the state constitution).
[14] See “FTC Proposes Broad New Privacy Framework, and Asks ‘How It Might Apply in the Real World’” available here; see also here.
[23] See id. at ch. III, art. 26 (significant list of situations in which cancellation is not required).
[24] See generally, here at 51 (discussing common themes between EU and FTC approaches).
[25] See, e.g., Paul Sonne, Max Colchester and David Roman, Wall Street Journal, “Plastic Surgeon and Net’s Memory Figure in Google Face-Off in Spain” (Mar. 7, 2011), available here.
[30] Some have argued that a more correct translation would be “data controllers.” We take no position on the issue but note that such an interpretation could be considered to create two categories of data controllers: those who process and those who do not.
[35] See id. at ch. X, art. 64 (noting fines in multiples of the Mexico City minimum wage); see also Laurence Iliff, “Mexico Raises 2011 Daily Minimum Wage by 4.1% to About $4.60,” Wall Street Journal, Dec. 21, 2010, available here (noting that minimum wage in Mexico City is 59.82 pesos per day).
[37] Available here (Announcement IFAI/019/11 dated Feb. 16, 2011).