The General Data Protection Regulation (GDPR) of the European Union and its implications in Mexico
The rapid technological advances of recent decades, in particular the use of big data and digital services, amplified by the new dynamics imposed by the health emergency derived from the pandemic, have put pressure on the existing regulation of personal data protection. This has led authorities worldwide to question whether a stricter protection regime is required.
At the head of this trend, the European Union adopted on May 25, 2016, the General Data Protection Regulation (the “GDPR”). The GDPR repealed the 1995 European Union (the “EU”) Data Protection Directive (Directive 95/46/EC) (the “EU Directive”), with the purpose of providing stricter regulation of the protection of personal data.
The GDPR is mandatory for: (i) entities established within the EU, and (ii) entities established outside the EU that offer their products or services to EU citizens.
Mexico, following the principles of the EU Directive, published on July 5, 2010, the Federal Law for the Protection of Personal Data in Possession of Individuals, and subsequently its secondary regulations (together, the “Data Law”).
The Data Law has not been harmonized with the GDPR; however, Mexican individuals and companies may be required to comply with the GDPR if (i) they offer and deliver products or services on a regular basis to EU residents, or (ii) they use tools that allow them to track cookies or IP addresses of people visiting their website from EU countries.
In case of a breach, Mexican individuals or entities, or their affiliates located in the EU, may be subject to penalties under the GDPR. Fines can be up to €20 million or 4% of annual revenue. During the three years in which the GDPR has been in force, the European Commission has imposed 680 fines, amounting to more than €287 million.
The Data Law and the GDPR share substantially the same principles:
- The obligation to obtain the prior consent of the owner for the processing of his/her personal data;
- The obligation to have a privacy notice and to deliver it to the owner prior to the processing of his/her data;
- The terms in which the owner may exercise his/her rights of Access, Rectification, Cancellation and Opposition (the “ARCO Rights”);
- The incorporation of the concepts of (i) the data controller (Responsible), who is the person that decides on the processing of the owner's personal data, and (ii) the data processor, who is the person that processes the data on behalf of the data controller; and
- The obligation to appoint a Data Protection Officer who will be in charge of supervising compliance with the regulation.
Some of the new obligations introduced by the GDPR, which are not yet included in the Mexican regulation, are:
- The portability right, which entitles the owner to obtain a copy of his/her personal data processed by the Controller;
- The principle of data protection by design (Privacy by Design);
- Express obligations regarding the consent of minors under 16 years of age; and
- New obligations and requirements where the data controller implements new technologies in the processing of the data.
As a suggestion, Mexican companies that may collect and process data of EU residents, as well as Mexican subsidiaries of international companies, should evaluate the impact of the GDPR on their operations, and consider strengthening their personal data protection regime to comply with international standards, including the GDPR, in order to avoid contingencies or fines.
For more information on the GDPR and the personal data protection regime in Mexico, please contact your regular contacts at Nader, Hayaux & Goebel:
Luciano Pérez Gómez
+52 (55) 4170 3027