Search for:
Cybersecurity, Data and Tech

Mexico: Requirements for the preservation of data messages and digitialization of documents published in the Official Gazette for public comments

By , and 4 Mins Read

In brief

On 11 May 2021, the ”Draft Modification of the Mexican Official Standard NOM-151-SCFI-2016, Requirements to be observed for the conservation of data messages and digitalization of documents, published on 30 March 2017” (”Project”) was published in the Official Gazette of the Federation.

The Project aims to regulate and approve the rules applicable to the communication and transmission of data messages through ”certified electronic communications.” Electronic communications, when certified, provide evidence related to the management of the delivery and receipt of data messages made between merchants (i.e., legal entities) and between merchants and public authorities. The Project is applicable to both the public and private sectors.

Key takeaways

Main conclusions

  • The Project defines and standardizes the rules for the communication and transmission of data messages. While previous rules regulated the preservation and digitalization of correspondences, it did not cover the delivery and receipt of data messages.
  • It applies to the communication, preservation and digitalization of correspondences (e.g., contracts) of merchants, which must be done by means of a certified electronic communication.
  • A certified electronic communication, a new concept introduced in the Project, provides digital and legal security in the communication of data messages sent between merchants and between merchants and authorities.
  • Merchants will have to hire the services of a certification service provider since they will have to use a certified advanced electronic signature and include a digital time stamp in each of the data message sent and received in the relevant correspondence.
  • The Ministry of Economy through the General Directorate of Commercial Regulations is tasked with the accreditation, supervision and the monitoring for compliance with the Project.
  • While the requirements are not mandatory, data messages that do not comply with the requirements of the Project will not hold any probative/evidentiary value.

Background

Specific requirements

  • The Project sets out the minimum requirements that certified electronic communications must meet. It applies to technological solutions that allow the transmission of data messages by electronic means, between the sender and receiver, and provides evidence related to the management of the delivery and receipt of messages. In particular, the Project applies to the following:
  1. Notifications, summons, subpoenas, requirements, request for reports or documents and final administrative resolutions made by means of official letters delivered by certified mail, with acknowledgment of receipt, electronic means of communication or any other means
  2. Preservation of merchant correspondence, with respect to the delivery and receipt of data messages
  3. The delivery, receipt and acknowledgement of receipt of data messages
  • The aforementioned communications must be kept complete, confidential and available from the moment they are sent until they are received, regardless of the technological solution used (i.e., software and hardware that carries out the certified electronic communication and that must be built in accordance with the data structures for sending and receiving data messages published by the Secretariat here).
  • Requirements to satisfy integrity, confidentiality and availability:
  1. The issuer is capable of electronically signing a data message with an advanced electronic signature (AES) certified by a Certification Authority recognized in Mexico.
  2. The issuer is able to encrypt the data message by means of a cryptographic algorithm or use a cryptographic protocol, compatible with industry standards, which can be consulted at www.firmadigital.gob.mx.
  3. The receiver is able to decrypt the data message using a cryptographic algorithm. The technological solution (service) used to receive the data message must be able to (i) generate the confirmation of receipt (acknowledgement); (ii) if necessary, allow the recipient to generate an acknowledgement of receipt signed with a certified AES, which also allows verification of the validity, revocation status (OCSP and/or CRL) and signature validation of the issuer of the certificate; and (iii) incorporate a digital time stamp in the data message.
  4. The receiver is able to detect any alteration to the integrity of the data message signed with certified FEA. Specifically: it must verify validity, revocation status (OCSP and/or CRL, as the case may be) and signature validation of the certificate issuer.
  5. When the applicable legal provisions so require, the parties must reliably guarantee the identity of the parties sending and receiving the data message.
  6. When the applicable legal provisions so require, the parties shall include the time at which the data message is sent and received.

The Draft will be open for public consultation until 10 July 2021. Comments may be submitted via email to the following: diana.munoz@economia.gob.mxconsultapublica@economia.gob.mx and juan.rivera@economia.gob.mx or through the Oficialía de Partes of the Secretariat of Economy, located at Calle Pachuca, number 189, Colonia Condesa, Alcaldía Cuauhtémoc, Mexico City, C.P. 06140, telephone 57 29 91 00, extensions 43219, 43235 and 13204.

For more information about the Project, please click here.

Categories:
Author

Carlos is a partner in Baker McKenzie's Information Technology and Communications Practice Group in Mexico City, and the head of the Firm's Technology, Media and Telecommunications (TMT) Industry Group in Mexico. A Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP), and an award winner of national accolades on digital transformation and legal innovation, Carlos is recognized by Chambers and Partners, Legal 500 and other international publications as one of the country's leading TMT lawyers. Carlos' strong specialization and multidisciplinary consultancy background (prior to joining Baker McKenzie, he led the TMT legal practice of PwC) and superior legal tech law knowledge, are the foundation of Carlos' unique vision and problem-solving skills, which allows Carlos to assist clients to identify and address corporate, commercial, technical, compliance, tax, regulatory, strategy, expansion and policy issues that arise in different phases of complex technology projects.

Author

Daniel Villanueva Plasencia is a member of the Intellectual Property Practice Group at Baker McKenzie Guadalajara. He has extensive experience in data privacy and information security matters; in regulatory issues related to information technologies and consumer protection; in intellectual and industrial property, especially focused on digital environments, including the use and licensing of trademarks, patents and copyrights. Before joining the Firm, he was a founding partner of a local firm in Guadalajara. During the last five years, Daniel has taught the intellectual property class at the Tecnológico de Monterrey, one of the most prestigious universities in Mexico.

Author

Andres Manautou-Miret is a Specialist in Baker McKenzie Monterrey office.

Related Posts

Write A Comment