04 / 01 / 25
New Federal Law for the Protection of Personal Data in Possession of Private Parties
MEXICO CITY, MEXICO, April 1st, 2025 – On March 20, 2025, the new Federal Law for the Protection of Personal Data in Possession of Private Parties (NFLPPDPPP) was published in the Official Gazette of the Federation. It entered into force on March 21st, 2025, abrogating the previous Federal Law for the Protection of Personal Data in Possession of Private Parties (FLPPDPPP).
The main purposes of the NFLPPDPPP are to standardize rules, principles, bases and procedures in the exercise of the right to the protection of personal data held by private parties; to establish that the Anti-Corruption and Good Governance Ministry (the “Ministry”) will be the authority protecting personal data in possession of private parties, replacing the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI); and to specify that resolutions issued by the Ministry may be challenged through the amparo trial, which will be heard by judges and courts specialized in the matter.
Below we highlight the main changes introduced by the NFLPPDPPP:
- In relation to the main modifications to the definitions contemplated, we highlight the following:
  - “Data Subject” and “Personal Data”: For both terms, the limitation to “natural” persons as the owners of the personal data made available to companies is eliminated, expanding their scope to “identifiable persons”;
  - “Ministry”: Following the disappearance of the INAI, the regulatory authority contemplated in the NFLPPDPPP is the Anti-Corruption and Good Governance Ministry, whose purpose will be to disseminate knowledge of the right to the protection of personal data in Mexico, promote its exercise and oversee the due observance of the provisions set forth in the aforementioned law;
  - “Processing”: The scope of the processing of personal data was extended to “any operation or set of operations performed by means of manual or automated procedures applied to personal data, related to the collection, use, recording, organization, preservation, processing, utilization, communication, diffusion, storage, possession, access, handling, utilization, disclosure, transfer or disposal of personal data”, and
  - “Consent”: The NFLPPDPPP establishes that consent must be free, specific and informed. It also establishes that, if a responsible party processes personal data for a purpose other than the one foreseen in the privacy notice provided at the time the personal data was made available to it, the responsible party must again request the consent of the data owner for the use of their personal data in accordance with the new purpose.
- In relation to the modifications to the requirements with which privacy notices must comply, the main changes consist of:
  - Time at which it must be made available to the owners of personal data: According to the new law, the privacy notice must no longer be made available to the owners of personal data before they provide the information to the responsible parties, but only at the time the data is collected;
  - Obligation of the responsible party to inform the owner, through the privacy notice, of the following:
    - The existence and main characteristics of the processing to which their personal data will be subjected, so that they can make decisions;
    - Said privacy notice must contain the personal data that will be subject to processing, distinguishing those that are sensitive, as well as those that require the consent of their owner, and
    - The privacy notice must include the mechanisms, means and procedures to exercise the rights of access, rectification, cancellation and opposition (ARCO), as well as the mechanism and procedure to revoke the consent of the owner of the personal data.
- A new obligation is included for those responsible for personal data to establish controls or mechanisms whose purpose is to ensure that all people involved in any phase of the processing of personal data maintain confidentiality with respect to such data. This obligation shall subsist even after the relationship between the owner and the person responsible for the personal data has ended.
  The law also provides the possibility of establishing internal controls or mechanisms so that all collaborators of the responsible party, whether individuals or legal entities, may agree among themselves or with civil or governmental, national or foreign organizations, on binding self-regulation schemes on the matter, which complement the provisions of the NFLPPDPPP. If such schemes are implemented, they must be notified simultaneously to the corresponding authorities and to the Ministry.
- When owners of personal data exercise their ARCO rights, a description of the ARCO right to be exercised must be included, and certain conditions that were not foreseen in the previous FLPPDPPP must be met in order to exercise the right of opposition;
- Additionally, the possibility of filing a nullity trial before the Federal Court of Administrative Justice, which was contemplated against resolutions issued by INAI, was eliminated. Currently, the means of defense against the resolutions issued by the Ministry is the amparo trial, which must be filed before District Courts and Collegiate Circuit Courts specialized in matters of access to public information and protection of personal data, and
- Finally, the Measurement and Updating Unit (UMA) is established as the measure or basis for determining the penalties to be imposed on those responsible for personal data if they commit any infringement of the provisions contemplated in the NFLPPDPPP. These penalties range from 100 to 320,000 times the UMA, depending on the type of infringement committed.
Due to the new changes in the NFLPPDPPP, it will be necessary to review and, if necessary, update the policies and processes regarding personal data, as well as the privacy notices of the companies in order to verify their compliance with the new legislation. The SMPS Legal team is at your disposal for any questions or comments regarding this notice.