The Mexican Institute for Access to Information and Personal Data (“IFAI”) has the power to initiate upon petition of interested parties or ex officio any action to verify compliance with the Mexican Federal Law for the Protection of Personal Data in Control of Private Persons (the “Data Protection Law”) by data controllers. The Data Protection Law provides data subjects with the right to enforce the protection of their Personal Data before the IFAI in cases where data controllers refuse to provide information about the Personal Data that it holds on the requesting data subject or refuse to rectify the Personal Data from errors, among others. Upon notice of a resolution from the IFAI, data controllers have 10 days within which to comply with the resolution.
Data subjects may further seek indemnification from data controllers when they consider that they have suffered damages or losses derived from a breach by the data controller of the Data Protection Law. Although there may be claims available for data subjects in connection with damages (including moral), these proceedings are not pursued due to the difficult procedure in evidencing the cause of the damages, the effect (directly caused by the action of the data collector or processor) and especially to quantify the damage. Data subjects have the right to access, rectify the Personal Data from errors, cancel information kept by the data controller oppose the use for purposes other than those authorized to the data controller, and to revoke the authorization to process personal data.
The Data Protection Law sets forth: (a) Monetary penalties:
- Failure to comply with the Data Protection Law may result in monetary penalties that can reach approximately $1.5 million; and up to approximately $3 million when sensitive Personal Data is involved.
- Please note that according to the Data Protection Law, these penalties are exclusive of any claim for damages that could be filed by the data subject.
(b) Criminal liability:
- The Data Protection Law indicates that the act of compromising the security of a database containing Personal Data with the intention to profit is a criminal offence, which can be punished with up to 3 years of imprisonment; and up to 6 years when sensitive Personal Data is involved.
Furthermore, the act of collecting, using, disclosing or storing Personal Data through deceit of the data owners with the intention to profit is also considered a criminal offence punishable with up to 5 years of imprisonment; and up to 10 years when sensitive Personal Data is involved.
Selected Enforcement Actions/ General Comments
Enforcement actions. IFAI has enforced fines in more than 20 cases between 2012 and 2013, for over 5 million USD total. IFAI has specially targeted the financial, telecom and health sector, but fines have been imposed in the services sector as well. In a relevant case for the health sector, a Mexican Health and Addictions Treatment Institution was fined with more than $200,000 USD on charge of obstruction of justice. In the case, the clinical records of a data subject which was party to litigation in a case before the Supreme Court of Justice were provided to media, without data subjects consent. The leak caused a dramatic turn around in the public opinion with regard to case and the decision took by the Court. Clinical records were under the legal responsibility of the Institution, since the data subject has been treated there for mental disorders 25+ years before the data leak. IFAI followed an ex-officio investigation to find out the cause of the leak and whether the Institution had in place sufficient security measures to protect patient’s information. The Institution prevented IFAI officers to examine security measures used by the Institution to protect personal data, which was viewed by the IFAI as obstruction of justice. With regard to fines in connection to Banking and Telecom sectors, must of the fines imposed are related to cases of unsolicited emails, misuse of personal data for marketing purposes; in most cases, privacy notices were found to lack minimum mandatory information elements or were inconsistent with companies internal processes. The Data Protection Law came into force on July 6, 2010, and is Mexico’s first law at the federal level. It creates a new set of obligations and compliance challenges for companies that collect, process, store or manage personal data in Mexico. The Data Protection Law exempts the collection or storage of personal data strictly for personal purposes, without the intention to further divulge such information or use it for commercial purposes. Certain Personal Data are regarded by the Data Protection Law as being sensitive personal data. In general, the treatment of Sensible Personal Data requires additional attention and measures and its mishandling is subject to more stringent penalties. In general, all data collectors must deliver a privacy notice to the data subjects (including employees) and appoint a person or group responsible for Personal Data-related requirements.