News
The suppression of INAI as the personal data protection authority in Mexico.
Mexico will face multiple challenges with the suppresion of INAI as its data protection authority; a new authority will take its place and its independence and specialization has been questioned. What happened and what comes next?
What is happening?
In November 2024, a long and controversial process culminated, resulting in a new amendment to the Mexican Constitution, this time with the objective of carrying out an “organic simplification” to avoid the “duplicity” of administrative functions attributed to various agencies that for years were in charge of several important areas and functions.
Among the organisms that will disappear as a result of this “organic simplification” is the National Institute of Transparency, Access to Information and Protection of Personal Data, known in Mexico and in the world as “the INAI” (for its acronym in Spanish); the exact moment in which the INAI will cease to operate is unknown at the time of writing, but we will know exactly in the days to come, when the amendments to various secondary laws are published in Mexico's Official Gazette.
As is well known, this forum is not intended for the exposition or debate of political opinions, so I will avoid referring to them as much as possible; however, it is inevitable to mention that one of the objectives of the constitutional amendment that put an end to the existence of INAI was and has been to disappear a constitutionally autonomous agency that has allowed Mexican citizens to exercise their right of access to public information.
In the pursuit of that objective, the enforcement of the personal data protection laws in force in Mexico has been called into question, to the extent that in certain forums it was even mentioned that these laws would be abrogated and the right to the protection of personal data would disappear in Mexico. Nothing could be further from the truth, but it is true that the information available was little, bad and in many occasions exclusively focused on the “transparency duties” of the INAI, ignoring that the enforcement of the laws on the human right to the protection of personal data is also in charge of the INAI (until it disappears, of course).
For this reason, these lines are intended to provide our international community with information on the context, immediate consequences and forecasts regarding the imminent disappearance of INAI.
2010: the protection of personal data in the hands of the “IFAI”; 2014: the INAI emerges as an autonomous body
In July 2010, the first law specifically aimed at regulating the right of individuals to the protection of their personal data was published in Mexico: the Federal Law for the Protection of Personal Data in Possession of Private Parties (the “LFPDPPP”, for its initials in Spanish), which incidentally left out of its scope of application the public administrations of all levels and other public bodies (these would be regulated later, in a 2017 law).
The LFPDPPP changed the name of the then Federal Institute of Access to Information (the “IFAI”, by its Spanish acronym) and incorporated to its functions (and name) the Protection of Personal Data; the Mexican legislator chose to assign to the institute that protected access to public information the functions of protection of personal data; a decision that demonstrated on several occasions the apparent contradictions of one and the other right, overseen by the same organism.
In February 2014, through a constitutional amendment, the IFAI was given autonomy, giving rise to the INAI that we all know; this amendment is the one that has been reversed, it will culminate with the disappearance of the INAI and the reform of various laws that should define the administrative authority that will be in charge of the enforcement of the LFPDPPP (a matter that up to this moment has not been satisfactorily clarified).
Convention 108 and the independence of oversight bodies
In June 2018 Mexico ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe (Convention 108); it did so as one of the few non-European countries that are part of this important international instrument; upon accession, Mexico also accepted the Additional Protocol of 2001, which among other provisions establishes the obligation of the signatory States to have one or more authorities in charge of supervising compliance with the principles set forth in Convention 108, which must exercise their investigative and intervention functions with complete independence.
This obligation (the independence of the supervisory authorities) has shaped the organization and functioning of the personal data protection authorities of the members of the Council of Europe, and of those that are not members of the Council of Europe, but have acceded to this Convention (such as Mexico).
Since the proposal of the constitutional amendment that has been approved was made public, we have argued that the disappearance of INAI and the transfer of its powers to an agency or entity that is part of the Federal Public Administration of Mexico will undermine the independence of the authority that must supervise the protection of personal data in this country; the approved amendment does not guarantee such independence and as soon as the new supervisory authority takes control of the functions that INAI currently exercises, we will see if it will operate in this way.
Is the protection of personal data in Mexico over?
The answer is NO; the disappearance of INAI does not entail the abrogation of the personal data protection laws in force in Mexico, all of them will remain in force and, the amendments that will be necessary to adapt them to the constitutional amendment that has been approved, will be aimed at modifying the authority or authorities that will now be in charge of enforcing them, since it has been foreseen that the protection of personal data processed by public bodies will be in charge of a different authority from the one that will enforce the law that “individuals” must comply with.
It is important to highlight the foregoing because, in the midst of the noise that the disappearance of the INAI has reasonably generated, the idea was spread that the laws on the matter would also disappear; we reiterate that this will not be the case.
At the same time, and regardless of the authority in charge, we must not forget that the international extension of the right to the protection of personal data, the unstoppable international transfer of this information, the reputation of all stakeholders and the trust that information society service providers must provide to all data subjects, allow us to anticipate that compliance with the principles will continue to be transcendental in the years to come.
Challenges and opportunities
In addition to the independence that the authorities in charge of personal data protection in Mexico will have to demonstrate, there are significant challenges in several aspects.
First, we see the specialization of the professionals in charge of enforcing the LFPDPPP in jeopardy; in its years of operation, INAI developed and promoted the specialization of the public servants who investigated violations of the law and sanctioned it; we hope that this specialization will not be disregarded by the new authority.
Secondly, we must take into account that for several years INAI carried out numerous diffusion tasks on the rights and obligations provided in the LFPDPPP, including the publication of compliance guides and recommendations whose continuity is not guaranteed; we hope that the new authority adopts and continues with this work.
Thirdly, and although it is true that there is still much to be done in this regard, we must recognize the impulse that INAI provided to the self-regulation of controllers and processors, as well as to the promotion of certifications in personal data protection; we hope that the initiatives, structure and organization of self-regulation and certification do not disappear in Mexico due to the changes that are coming.
Finally, it is important to highlight that INAI has positioned Mexico as a relevant country committed to the protection of personal data; there are many forums in which the work of INAI has been recognized internationally; we also hope that the new authority will maintain and reinforce Mexico's international prestige in this area.
Finally, I wish to emphasize that the current context presents an enormous opportunity for the updating of Mexico's data protection laws, which should be directed towards the adoption of the protection standards that the General Data Protection Regulation of the European Union has undeniably spread internationally; specifically, the Latin American region is experiencing a clear trend of adoption of such standards, initiated by Brazil and followed by countries such as Ecuador, Panama, and soon Argentina; Mexico should not be left out of this trend if it wishes to guarantee the protection of this right in the digitalized world in which we all now interact.
authors note: I finish writing this article on December 4, 2024; during the next weeks and months we will have more information about the changes in the LFPDPPP that should clear the doubts about the authority that will be in charge of its application.
Article provided by INPLP member: Héctor Guzmán-Rodríguez (BGBG, Mexico)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Dezember 2024
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010