Protection of personal data in the EU and Mexico
Protecting the personal data of individuals has become a major concern worldwide. As a result, several countries have adopted new regulations that aim to provide or enhance such protection. Here, we will briefly present some of the most relevant features of the data protection regulations recently adopted by the European Union (“EU”) and Mexico, two important business partners to the United States.
The General Data Protection Regulation (“GDPR”), adopted by the European Parliament and Council on April 27, 2016, becomes enforceable on May 25, 2018. The GDPR is intended to strengthen data protection for all individuals within the EU, and it has a notable feature: much like the United States’ Foreign Corrupt Practices Act (FCPA), it extends its reach to individuals and companies that process the personal data of EU residents regardless of where the processor is located (inside or outside the EU). This extraterritorial reach, combined with the GDPR’s broad definition of protected personal data, means that GDPR obligations may be triggered by something as simple as receiving a business card from an EU resident, since most business cards carry at least a name and an email address, both of which are personal data under the GDPR. Non-compliance can have severe consequences: administrative fines for companies may reach 4% of total worldwide annual turnover for the preceding fiscal year (or EUR 20 million, whichever is higher). In other words, a company that breaches the GDPR in any country, whether or not it is within the EU, may be fined up to 4% of its global turnover, not merely the revenue of the offending subsidiary or market.
The “Ley Federal de Protección de Datos Personales en Posesión de los Particulares” (“LFPDPPP”), Mexico’s Federal Data Protection Law, enacted in 2010, likewise seeks to strengthen the protection of individuals’ personal data. Unlike the GDPR, the LFPDPPP is not extraterritorial in nature. That aside, the scope of protected personal data under the GDPR and the LFPDPPP is quite similar; as a result, it is also very easy for a company operating in Mexico to become subject to LFPDPPP obligations. The consequences of non-compliance with the LFPDPPP are steep, with penalties of up to approximately USD $1,500,000.00. According to the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), the Mexican authority in charge of enforcing the LFPDPPP, almost 250 fines have been issued since the LFPDPPP went into effect, and the companies fined for failing to comply with the LFPDPPP have included major financial institutions and hotels.
In summary, any company that processes (or may process) the personal data of EU residents, such as hotels, hospitals, universities, and companies with EU clients or suppliers, should begin working toward GDPR compliance as soon as possible, as the regulation becomes enforceable on May 25, 2018. As for the LFPDPPP, since it is already in effect and actively enforced, companies doing business in Mexico should evaluate their current programs to ensure compliance. Companies that have not yet adopted any compliance program and that may be subject to the GDPR, the LFPDPPP, or both should move quickly to implement a proper program and avoid the potentially harsh penalties.
Numbers current through December 31, 2017.