Federal Data Protection Act (FDPA)


©DAVARA ABOGADOS, S.C., 2010 www.davara.com.mx

MEXICAN CONGRESS PASSES DATA PROTECTION LAW

The Act will become effective the day after its publication

Federal Data Protection Act (FDPA)

On April 27th, 2010 the Mexican Senate passed the Federal Data Protection Act (FDPA) for private entities. The new rule establishes the principles, rights and proceedings to protect the fundamental right to data protection under art. 16 of the Mexican Constitution at the Federal level. Although not yet published, the Act will become effective the day after its publication in the Federal Register (Diario Oficial de la Federación).

Fundamental right of data protection, Personally Identifiable Information (PII) and sensitive data

The FDPA protects natural persons (data subjects) and guarantees their right to privacy (data protection). Legal persons are therefore excluded from such protection.

For the purposes of this law, personal data (PII) shall be any information concerning identified or identifiable natural persons. In particular, the law sets additional guarantees for sensitive data. Such data are those which reveal ideology, trade union membership, religion, beliefs, racial or ethnic origin, current or future health condition, genetic information or sex life.

As a general rule, processing of personal data requires the data subject's consent. Nevertheless, a number of significant exceptions apply. For sensitive data, on the other hand, the controller must obtain this consent expressly and in writing, bearing the data subject's handwritten or electronic signature.

Controller and processor

Private persons, legal or natural, who process PII are subject to this law. Nevertheless, credit bureaus and persons who process personal data in the exercise of exclusively personal or domestic activities are excluded.

The Act defines the controller as the private person, natural or legal, who determines the processing of personal data. The processor is the natural or legal person who, alone or jointly with others, processes data on behalf of the controller.

Both controller and processor must adopt measures to fulfil the requirements of the Act and minimize any legal risk.

Principles for making data processing legitimate

Controllers must guarantee the following principles on the processing of personal data:

◆ Lawfulness of data processing;

◆ Quality of data, which must be relevant, accurate and up to date;

◆ Proportionality regarding the purpose of the processing as stated in the privacy disclaimer;

◆ Legitimate purpose of the processing;

◆ Data subject's consent, unless an exception applies;

◆ Information to be given to the data subject when collecting his/her data;

◆ Liability in case of unlawful processing of personal data.

FDPA SUMMARY

DATA PRINCIPLES
Private entities shall guarantee the following principles when processing personal data: lawfulness of data processing, data subject's consent, information, data quality, purpose, legitimacy, adequacy to the purposes, and liability.

DATA SUBJECT'S RIGHTS
The Law protects the data subject's rights of access, rectification, erasure or blocking, and objection.

LEGAL PROCEEDINGS
The data subject may bring legal proceedings if his/her rights have been violated (administrative remedy). In addition, controllers and processors will be liable for unlawful processing of personal data.

SUPERVISORY AUTHORITY
The Federal Institute for Access to Public Information (IFAI) will enforce the Act and protect the fundamental right of data protection in Mexico. The Department of Commerce will also play an active role by promoting best practices on data protection in its area. Other authorities will also support IFAI's goals in their own areas.

FOR IMMEDIATE RELEASE MEXICO, D.F. - APRIL 27, 2010


Data subject's rights

The person whose data are processed is entitled to exercise, unless an exception applies, the following rights:

◆ Right of access: to obtain from the controller information about the data that are being processed;

◆ Right of rectification: when the data processed are inaccurate or incomplete;

◆ Right of erasure: at any time, if the processing does not comply with the provisions of the Act. Erasure means the data are blocked rather than deleted until the applicable legal retention periods expire;

◆ Right of objection: to the processing of personal data.

Controller's obligations

Processing personal data requires the controller to adopt several measures to guarantee its lawfulness. Among others, the controller shall:

◆ Provide information through a privacy disclaimer to the data subject when collecting his/her personal data;

◆ Adopt and maintain organizational and security measures to protect the personal data and prevent their alteration, loss, or unauthorized processing or access;

◆ Obtain the data subject's consent, unless an exception applies;

◆ Establish procedures so that the data subject can exercise his/her rights.

Codes of conduct, privacy online and other issues

The Act encourages the drawing up of codes of conduct to raise the level of data protection. Natural or legal persons, by themselves or in cooperation with national or international civil or governmental organizations, may establish such codes of conduct, privacy seals or other mechanisms containing rules and standards on privacy. Such instruments shall be notified to the IFAI.

The Act applies to both offline and online processing of personal data. Controllers shall therefore adopt measures to guarantee lawful processing of personal data in either case.

Processing of personal data carried out by credit bureaus is excluded from this Act; such processing is governed by the Federal Credit Bureau of Information Act. Specific regulations may also apply in the telecommunications sector under the Telecommunications Act, and in the health sector.

Infractions and sanctions

Controllers are liable when they process personal data in a way that causes damage to the data subject. Unlawful processing may be fined and may even carry a prison sentence where it constitutes a crime.

In particular, the Law provides a range of sanctions that includes warnings to the controller; fines (up to US$ 1,500,000.00); and imprisonment where a person with authorized access breaches security measures to obtain data with intent to profit.

Entry into force and deadline for some provisions

The FDPA will become effective the day after its publication in the Federal Register.

Within a year after the Act becomes effective, the Executive Power will issue regulations covering several aspects, such as the procedures for protecting data subjects' rights and the procedure for imposing sanctions.

Controllers shall:

1. within a year after the entry into force of the Act:
   a. Designate a Chief Privacy Officer (CPO);
   b. Provide privacy disclaimers;

2. within 18 months after the entry into force of the Act:
   a. Implement procedures to enable data subjects to exercise their rights.


About Davara Abogados, S.C.

Davara Abogados is a boutique law firm that provides legal advice and consulting services specializing in ITC Law (data protection/privacy, e-commerce, e-signature and e-Government) to public and private entities.

Although incorporated in Mexico, D.F., Davara Abogados has a long-established and leading practice in European IT Law. Davara Abogados also participates in the ABA, leading the Latin American E-commerce Committee of the Section of Science and Technology Law.

The material in this publication does not constitute legal advice, and Davara Abogados does not accept liability for any loss or damage caused to any person relying on any information or omission in the publication.

Contact us

For additional information or legal advice, please contact Davara Abogados.

Davara Abogados can provide expert legal advice on the privacy implications of the Act, draft privacy disclaimers and security documents, and train your staff on the level of risk involved in processing personal data.
