Data security and cybercrime in Mexico

The Federal Law for the Protection of Personal Information in Possession of Private Entities is one of the most advanced laws in Mexico and Latin America. This legislation is ahead of the international curve and aims to comply with standards such as those under the General Data Protection Regulation and the various privacy regulations in the United States.

Although some deputies submitted bills to Congress in 2017, none of them have been approved by any commission of the Chamber of Deputies or by the Senate. Therefore, no short-term legislative amendments are expected. As there are presidential elections in 2018, the legislative process is likely to be slow.

• when the collection of personal data is necessary for medical attention or diagnosis or for rendering sanitary assistance, medical treatment or sanitary services, provided that the data subject is unable to consent and provided that the data is collected by a person subject to legal professional privilege.


There is a general rule regarding the period for which an organisation must retain records, which states that records containing personal data must be retained only for the period necessary for the completion of the purpose for which the data was collected.

Article 37 of the regulations of the Federal Law for the Protection of Personal Information in Possession of Private Entities provides that the period for retaining records must not exceed the period necessary for completion of the purpose for which the data was collected. To determine the applicable period, data owners must pay attention to any legal provisions applicable to the sort of data collected and also consider the administrative, tax, legal and historical aspects of the data.


• detailed information as to the data transfers involving personal information that the data owner is willing to make, expressly indicating the name of the data processor, the latter's type and category of activity sector, and the purpose of such transfer. Also, when required, a clause indicating whether the data subject consents to the data transfer;

Article 19 of the Federal Law for the Protection of Personal Information in Possession of Private Entities requires every data owner to implement and maintain administrative, technical and physical security measures to prevent the loss, alteration, destruction or unauthorised access and use of any collected and stored personal information.

Yes, Article 20 of the Federal Law for the Protection of Personal Information requires data owners to immediately notify individuals about any security breach that occurs during any phase of data collection, storage or use, which may significantly affect the individual’s patrimonial or moral rights.

Similarly, Article 64 of the law requires data owners to notify individuals without delay of any breach that significantly affects their moral or patrimonial rights, as soon as the data owner confirms that a breach has occurred and when the data owner takes action to determine the magnitude of the breach.

The Federal Bureau for Consumer Protection operates a call blocking registry covering both landlines and mobile phone numbers, which gives suppliers 30 days to stop making marketing calls or sending marketing messages to a registered consumer.

Yes, the guidelines for the privacy notice require that individuals are informed as to any technology that allows the automatic collection of personal information at the time of contact with said individual. The guidelines require data owners to request individuals’ consent through an opt-in mechanism and to inform them as to how to deactivate said technology, unless it is required for technical reasons.

• When a data owner that is authorised to collect, store and use personal information with the aim of profiting causes a security breach in the database containing the information under its custody. This is punishable by imprisonment of between three months and three years.

• To collect, use or store personal information, with the aim of profiting, through error or deceit of the data subject or error or deceit of the person who can authorise the transfer. This is punishable by imprisonment of between six months and five years.

Not automatically. Since the INAI is not entitled to award damages or losses, an independent civil action is required in order to recover any damages or losses derived from the unauthorised use, storage or collection of personal information.

No international standards relating to cybersecurity have been adopted in Mexico. In recent years the government has become more aware of the need to specifically regulate cybersecurity and to enhance legal proceedings to fight cybercrime activities. The Mexican government is in the process of implementing various actions detailed in its National Digital Strategy and its National Cybersecurity Plan, which should result in the consolidation of a cybersecurity legal framework.

The only activity that is currently expressly regulated as a felony and punishable as such by the Federal Criminal Code of Mexico is child pornography and any sexual content involving an underage individual or someone considered incapable of understanding or resisting such an act.

• To use, obtain, transfer or in any other way dispose of the resources, electronic payment funds or virtual assets that are the property of clients of any FTI; or to use, obtain, transfer or in any other way dispose of the resources, electronic payment funds or virtual assets that are the property of any FTI. This is punishable by imprisonment of between three and nine years. If the person committing the above criminal offence is a shareholder, counsel, officer, director, administrator, employee or supplier of an FTI, he or she is liable to imprisonment of between six and 18 years.

When dealing with illegal activities considered as criminal offences, the Attorney General’s Office is the authority responsible for investigating and pursuing them. If, as a result of the investigations conducted by the Attorney General’s Office, it is deemed that there is evidence of criminal activity, the office will formally request a criminal court to initiate criminal proceedings.

Yes, it is possible to obtain insurance for cybersecurity breaches and data protection, although it is uncommon for companies to obtain this sort of insurance. However, as awareness of threats to cybersecurity increases, it is expected that this kind of insurance will become more popular.
