Data Protection and Information Management: An Interview with Corporate Attorneys in Mexico
The laws relating to privacy and data protection are developing at a rapid pace and companies face ever-growing demands regarding compliance and legislation. To find out more, Lawyer Monthly speaks to Luis Rubio and Arturo Perez, Partners at the Corporate & Securities department of Greenberg Traurig’s Mexico City office.
Please introduce yourself, your role and your firm.
Formed in late 2011 and launched in 2012, Greenberg Traurig, S.C. is part of Greenberg Traurig, LLP, an international, multidisciplinary law firm with 1750 attorneys and governmental affairs professionals in 34 locations in the United States, Latin America, Europe and Asia. The Mexico City office has continued to grow and now has over 40 attorneys, offering strategic legal advice with a collaborative approach, handling major transactions, and offering dispute prevention and resolution, regarding Corporate, Capital Markets, Infrastructure, Energy, M&A, Telecommunications, and Litigation matters. Together with the firm’s global Latin America Practice, the Mexico City office advises both international clients seeking to enter the Mexican and other Latin American markets, as well as clients with established business interests in Mexico and the region.
Although the data protection law in Mexico was only implemented in 2010, the government has continued to update the legislation to adapt to changing trends within the industry. What are the main challenges to arise within Mexican data protection law?
The main current challenges refer to construction and enforcement of the provisions of the Personal Data Protection Law and how such legislation will keep up to speed with the rapidly changing technological developments and applications. Recently, IFAI, the agency entrusted with enforcing the law, began imposing penalties for not having privacy notices in place. If these isolated actions become a trend, most surely such proceedings and decisions will be legally challenged.
How are these challenges navigated?
IFAI has issued some guidelines to deal with the implementation of privacy notices and to provide orientation as to the obligations provided in such law. Also, this agency has an ongoing advertisement campaign on information about the rights and obligations of companies and individuals collecting and using personal data.
How would you like to see legislation amended to better protect data?
Although the Ministry of Economy and IFAI have been making a lot of effort, following the enactment of the Law, to clarify some vague terms and questions about the implementation of procedures or enforcement, there is still plenty of room for improvement. We consider that based on the current basic framework, additional provisions or administrative interpretations are required to clarify ambiguous terms related to data collection made through smartphones, magnetic cards, web-based applications, cookies and web beacons, cloud computing and social networks, especially in those cases where the data owner, the technology service provider (e.g. internet provider), the website host, and the entity processing data are located in different jurisdictions. It is still yet to be seen how IFAI will enforce Mexican laws against foreign entities with no presence in Mexico collecting personal data from Mexican nationals through any of these means.
In this regard, we would expect IFAI to continue promoting international efforts to foster cooperation and enforcement of cross-border data transfers (such as the recent incorporation of Mexico to the APEC Cross-border Privacy Rules) and coordinate self-regulation binding agreements between different industries, emphasizing those industries where the data collection and processing is intense. Perhaps sometime in the future and depending upon the enforcement and supervision experience, it would be worth analyzing the convenience of having certain differentiated regulation for some industries.
Technology has made data processing and transfer a multinational issue and therefore, no single country or statute may now pretend to regulate, enforce or even be able to fully protect the privacy rights of its nationals. Thus, multinational efforts are required to coordinate cooperation and enforcement between regulatory agencies as a first stage and the creation of binding guidelines and minimum standards at a later point.
What are the most common data protection cases you deal with?
Most of our practice focuses on providing advice to domestic and foreign clients to comply with the requirements provided for in the Personal Data Protection Law, drafting the required privacy notices and responding to specific compliance questions related to the types of data collected, form of granting consent and cross-border data transfer issues.
It is foreseeable that in the near future our practice will also encompass compliance matters to ensure that current practices and policies implemented within the companies that deal with personal data comply with applicable provisions.
What penalties face companies/individuals who breach privacy/data protection laws?
The main infringements to the provisions of the Personal Data Protection Law consist of: (i) failure to provide the privacy notice or a fully compliant notice; (ii) failure to comply with a request of the personal data owner to have access to, rectify, cancel or oppose the use of his/her information; (iii) failure to comply with the confidentiality duty; (iv) unauthorized personal data transfers to a third party; (v) breaching data base security systems; (vi) fraudulently collecting personal data; and (vii) creating data bases containing sensitive personal data.
Depending on the infringement and whether it is a first-time or repeated offender, the penalties consist of a warning or imposing a fine ranging from U.S. $500 to U.S. $1,600,000.
Additionally, the following are considered felonies that are punished with prison of three months to five years: (i) intentionally breaching data base security systems that are under his/her custody with the purpose of profiting from such breach; and (ii) fraudulently collecting personal data with the intention of profiting from such collection.
Has the amount of data protection-related challenges risen considerably as the growth of technology becomes more and more rapid?
Currently, technological developments have not increased the amount of data protection-related challenges. Although briefly addressed in the law, general provisions are in place regarding cloud computing, though additional clarification is required.
On the other hand, as more Mexican companies do business in other jurisdictions through e-commerce, legal counsel will be required in order to adapt current privacy notices and procedures to local legislation and to comply with such foreign data protection rules and regulations. Such internationalization will pose interesting challenges and significant costs for developing global information management systems compliant with several local data protection regulations.