On April 27, 2010, a sweeping new law on data protection was passed by the Mexican Senate, clearing the way for the President to sign the landmark legislation, which provides for penalties up to an astounding $1.5 million for violations under the law. The new Federal Law for the Protection of Personal Data (la Ley Federal de Protección de Datos Personales en posesión de los particulares) prescribes, among other things, the manner in which both private and public entities must treat the collection, use, and disclosure of personal data relating to Mexican citizens.

The new law also expands the oversight of Mexico’s data protection authority: its jurisdiction will now extend to the private sector, in addition to government authorities, and, in keeping with its expanded duties, the authority will be renamed the Federal Institute of Access to Information and Data Protection. The law envisions the Institute taking a leading role in conducting inspections to ensure compliance under the law and issuing monetary penalties when it concludes that an entity has failed to comply with the law.

As in the European Union, “sensitive personal data” (data concerning an individual’s race, medical condition, or religious beliefs, for example) is accorded special weight under the law and requires the affirmative consent of an individual before an entity can process such data.

While the law appears to be a significant step forward for the protection of individuals’ personally identifiable information in Mexico, the extent to which the law will be enforced remains to be seen. Still, certain violations of the law could result in terms of imprisonment up to three years, and any company processing the personal data of Mexican citizens would be well advised to promptly ensure that its policies and practices are in keeping with the new law.