Implications of the New Personal Data Protection Law in Mexico
In a global context where the protection of personal information is becoming increasingly relevant, Mexico has taken a decisive step with the entry into force of the new Federal Law on the Protection of Personal Data Held by Private Parties (“Law”), published in Mexico’s Official Federal Gazette in March 2025. Although the Law retains the fundamental principles of the legal framework established in 2010, it introduces a series of concepts and procedures that broaden the responsibilities of obligated parties and establishes a new competent authority, all of which merit detailed analysis.
Reconfiguration of fundamental concepts
Primarily, the Law redefines one of the core concepts of the subject: personal data. The definition of this concept is expanded to specify that a person, whether physical or legal, can be identifiable by direct or indirect means. This is especially relevant in contexts where metadata, digital identifiers, and/or combinations of information acquired from different sources are used.
Likewise, the concept of consent is defined as a free, specific, informed, and unequivocal expression of will by the owner of the personal data (“Data Owner”). This definition raises the standard of legitimacy for data processing, as it requires that consent cannot be presumed or obtained ambiguously or broadly. As a result, those responsible for processing such information (“Regulated Parties,” as defined by the Law) assume a greater evidentiary and operational burden in terms of the documentation and traceability of consent. This requirement not only enhances the protection level for the Data Owner but also demands greater attention to compliance processes by Regulated Parties, especially in digital and/or automated environments where consent is obtained through electronic platforms. However, the Law includes additional particularities regarding consent that should be reviewed in the text itself.
On the other hand, another of the changes in the Law is the redefinition of the concept of processing. While the 2010 legislation covered the essential stages of the data lifecycle, it allowed for some ambiguity regarding intermediate processes or new methods arising from technological advancements. To address the need for greater legal clarity, the Law adopts a more detailed, technical, and comprehensive definition, explicitly incorporating a broader set of both manual and automated operations.
Privacy Notice and correlated obligations
The privacy notice can be considered the concrete manifestation of the Regulated Party’s duty to inform the Data Owner about the collection and use of personal data. Under the new Law, the contents of this notice must be more precise and comprehensive. It must clearly state what data is being collected, explicitly identify which data is considered sensitive, and specify the purposes for processing said data. The Law maintains the obligation that the privacy notice must include the options and means by which the Data Owner can limit the use or disclosure of their data, the methods and procedures to exercise their ARCO rights (Access, Rectification, Cancellation, andOpposition), and the procedure and means through which changes to the privacy notice will be communicated.
Strengthening the Duty of Confidentiality
To ensure transparent processing of personal data, the Law introduces a proactive approach to the duty of confidentiality. While it retains the principle of confidentiality established in the previous law, it now adds an organizational requirement, that is, that the Regulated Parties, or any third parties involved, must implement specific measures or controls to ensure that all people involved in any phase of personal data processing effectively comply with this obligation.
This is where confidentiality agreements with clients, employees, and/or suppliers serve an essential role.
Elimination of INAI and Institutional Reorganization
One of the most significant changes in the Law is the elimination of the regulatory authority on personal data, the National Institute for Transparency, Access to Information and Protection of Personal Data (“INAI” for its acronym in Spanish). Before its removal from the Political Constitution of the United Mexican States, INAI was an autonomous constitutional body tasked with ensuring public access to information and protection of personal data. Following recent constitutional changes and the publication of the Law, the responsibilities for supervision, verification, sanctioning, and issuance of data protection guidelines have been assigned to the Ministry for Anti-Corruption and Good Governance (the “Ministry”), created just a few months ago. Specifically, the Ministry will rely on a decentralized administrative body called “Transparency for the People” to resolve complaints filed by private parties. Furthermore, procedures regarding access to public information initiated before the Law’s enactment will continue under Transparency for the People, according to the regulations in force at the time of their commencement.
Implications for Regulated Parties
Considering the new legal provisions, Regulated Parties must adapt their privacy policies and notices, as well as update their procedures and data collection mechanisms. Additionally, due to the creation of the new Ministry and the new administrative body, Transparency for the People, a period of legislative activity is expected to modify secondary regulations. During this time, technical guidelines, interpretative criteria, and possible sanctions may be issued by the competent authority.
Our legal team is ready to provide personalized advice and answer any questions regarding the Law. We are also available to support the analysis, development, or improvement of your privacy policies, ensuring they comply with current regulations and adequately protect your users' information.
Disclaimer: J.A. Treviño Abogados S.A. de C.V. (the “Firm”) does not necessarily endorse, and is not responsible for, any third-party opinion expressed in this article, and therefore the Firm will not be liable for the content of such opinions. Any article, comment, quote or any other information appearing under the authorship of any person or legal entity other that the Firm, even if related to the Firm, solely represents the opinion, comment or position of such author. The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter. The information contained in this article is protected as property of the Firm. No recipient of this article, client of the Firm or otherwise, should act or refrain from acting on the basis of any content included in the article without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the relevant jurisdiction. This article contains general information and may not be updated. The Firm expressly disclaims all liability in respect to actions taken or omitted based on any or all of the contents of this article.
