In February 2020, Mexico’s Instituto Federal de Telecomunicaciones (IFT) published new guidelines pursuant to Technical Provision IFT-012-2019 that have been reported to pose a significant barrier to trade for mobile telecommunications products. These guidelines came into effect in February of 2021, and it is reported that they restrict sales from companies and delay time to market by requiring in-country testing for Specific Absorption Rates (SAR). It is also reported that these testing requirements refer to out-of-date standards instead of recent guidance from the IEC/IEEE and ICNIRP. These requirements also lack the normal clauses exempting retroactive compliance, raising the spectre that not only would new products require testing, but all existing products would require testing as well.
Currently, there are only two accredited laboratories for SAR testing, which creates bottlenecks for testing new products and may cause time-to-market delays. The industry has repeatedly asked the IFT to accept interim certificates and/or international test reports until the testing laboratory infrastructure is sufficiently established and robust in the country.

According to Art. 190 of the Federal Telecommunications and Broadcasting Law, the telecom operators must keep certain data for the first 12 months in systems that allow consultation and delivery in real-time to the competent authorities through electronic means. The data includes:
- the name or corporate name and address of the subscriber;
- the type of communication service or messaging or multimedia services
- data necessary to trace and identify the original and destination of mobile telephone communications, including the destination number and whether the line is the subject of a contract or tariff plan or is prepaid;
- data necessary to determine the date, time and duration of the communication, as well as the messaging or multimedia service;
- the date and time of the first activation of the service and the location label (cell identifier) ​​since the service was activated;
- identification and technical characteristics of the devices, including the international equipment and subscriber identity codes (where applicable); and
the digital location of the geographical positioning of telephone lines.
At the end of the 12-month period, the operator must keep the data for an additional 12 months in electronic storage systems, during which time the delivery of information to the competent authorities must be carried out within 48 hours.
It reported that all processing and storage systems used by operators and authorised people in this regard must be located exclusively in Mexico, however this is not clear from the regulatory text.

Art. 30 of the Federal Law on the Protection of Personal Data in Possession of Individuals states that all data controllers are required to designate a personal data officer or department to act as a Data Protection Officer and handle requests from data subjects exercising their ARCO Rights under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organisations.

The Federal Copyright Act provides a safe harbour regime for intermediaries concerning copyright infringements. According to the 2020 amendments to Arts. 114 Septies and 114 Octies of the Mexican Federal Copyright Law, Internet Service Providers (ISPs) are not liable for copyright infringements if they:
- 'Promptly and readily' remove any copyrighted works that infringe copyright, regardless of whether they are notified of the infringement or discover it themselves.
- Do not initiate the transmission of the works, performances, or productions, do not select them, and do not receive financial compensation for their transmission, making available, or reproduction.
These safe harbour provisions limit ISP liability to ensure they are not directly liable for damages when they adhere to appropriate compliance measures. However, it is reported that these provisions lack the detail and clarity found in other similar regulations.

Copyright is not adequately enforced online in Mexico. It is reported that Mexico continues to face significant levels of copyright infringement, particularly through various online channels such as streaming platforms, peer-to-peer networks, direct downloads, stream copying, unauthorised streaming devices and applications, circumvention tools for video games and consoles, as well as physical media. As Internet access expands, online piracy is on the rise, and stakeholders indicate that Mexico ranks among the world's leading countries in terms of music and video game piracy. Furthermore, it is reported that stakeholders continue to report notable levels of piracy through Illicit Streaming Devices and illicit Internet Protocol television apps in Mexico.

Mexico has ratified the World Intellectual Property Organization (WIPO) Copyright Treaty.

Mexico has ratified the World Intellectual Property Organization (WIPO) Performances and Phonogram Treaty.

The Mexican Federal Law for Protection of Industrial Property protects against the disclosure of trade secrets and provides a framework for effective protection of trade secrets. Furthermore, the law lists different crimes regarding trade secrets (Art. 402). Art. 386 establishes administrative offences to protect trade secrets. However, it is reported that conformity procedures of the Agreement by which the Plenary of the Federal Institute of Telecommunications issues the Conformity Assessment Procedure for Telecommunications and Broadcasting (DOF: 25/02/2020) contain worrying language requiring the sharing of test reports that may contain in-depth confidential information about ICT products.

The Mexican Federal Law for Protection of Industrial Property provides a framework for effective protection of trade secrets.

There is an obligation for passive infrastructure sharing in Mexico to deliver telecom services to end users. It is practised in the mobile sector and in the fixed sector. Art. 1 of the Guidelines regarding the Deployment, Access and Shared Used of Telecommunications and Broadcasting Infrastructure states that it is intended to establish conditions that allow the access of different concessionaires to the infrastructure elements of other concessionaires installed in buildings, shopping centres, subdivisions, hotels or any other real estate, in order to promote the efficient development of telecommunications and broadcasting and the provision of such services under conditions of competition and free competition.

It is reported that Mexico mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market.

Mexico has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Pursuant to the Decree amending and adding several provisions of Articles 6, 7, 27, 28, 28, 28, 73, 78, 94 and 105 of the Political Constitution of the United Mexican States, the "Instituto Federal de Telecomunicaciones" (IFT) is created. It is reported that the "Instituto Federal de Telecomunicaciones" (IFT), the executive authority for the supervision and administration of the telecommunications sector services, is independent from the government in its decision-making.

There are concerns that Art. 50 of the Provisions on Electronic Payment Fund Institutions might force firms to choose only cloud providers based in Mexico, thus indirectly imposing a local data processing requirement. The law requires electronic payment fund institutions to use secondary cloud services provided by a company that is not subject to a different jurisdiction. That would mean that the secondary cloud provider would need to be subject to the Mexican jurisdiction and therefore be located in the country.

Under Arts. 6, 8, and 9 of the Federal Law on the Protection of Personal Data in Possession of Individuals, consent is required for the cross-border transfer of personal data. However, Art. 37 of the law provides certain exceptions where such transfers may occur without the data subject's consent. These exceptions include transfers necessary for medical diagnosis, prevention, health care delivery, medical treatment, or health services management; transfers to entities under the common control of the data controller, such as holding companies, subsidiaries, or affiliates, provided they operate under the same internal processes and policies; and transfers necessary for the performance of a contract between the data controller and a third party in the data subject’s interest.