Data Protection in Mexico: One Right, Two Systems, Different Protections and Uncontrolled Data Breaches

Abstract

To obtain a complete understanding of how data protection laws apply in Mexico, readers must start with the following fact: There are two main data protection laws in Mexico. One applies to companies and individuals processing personal data for non-household activities, the other provides the framework that all Mexican States shall follow to regulate data processing by public entities identified as ‘sujetos obligados’ or ‘obligated subjects’. Even when both laws regulate ‘data protection’ in a very similar way, a close look into them reveals that they provide different rights to data subjects and different obligations for data controllers. As we will indicate, this situation may lead to problems on the differentiated protections and obligations when citizens’ rights are processed by two types of data controllers that otherwise should not have different obligations when processing this information. Mexico, Data Protection, Data Subjects, Portability, Impact Assessment, Breach, Security