Database

Browse Database

MEXICO

Since February 2020, entry into force in 2021

Pillar Technical standards applied to ICT goods, products and online services  |  Sub-pillar Self-certification for product safety
Agreement whereby the Plenary of the Federal Telecommunications Institute issues the Conformity Assessment Procedure for Telecommunications and Broadcasting (Acuerdo mediante el cual el Pleno del Instituto Federal de Telecomunicaciones expide el Procedimiento de evaluación de la conformidad en materia de telecomunicaciones y radiodifusión)
It is reported that certain elements of the conformity assessment procedures for second-hand, rebuilt, or reconditioned ICT products contained in DOF: 25/02/2020 are duplicative and would make import operations complex and unfeasible. Under the new definitions of “Family” and “Model” (Chapter 4, Section 1, Article 26, Number 2), any product model that is not included in a Family would have to be certified under the certification scheme called “Sample by Product Model and Surveillance for More than One Lot.” This procedure requires that the certificate of conformity indicates the number of products that make up the lots, resulting in continuous and even parallel updates of the certificate of conformity.
Further, if conformity certificates become non‐transferable – as established in Art. 7 (Chapter 3, Section 1) – new conformity certificates would have to be issued to both manufacturers and distributors of products, thereby delaying the entry of products into the Mexican market. As a result of this regulation, it is not possible to certify and, consequently, to import, used, second-hand, rebuilt, or reconditioned ICT products. Certification for these types of products already exists for various NOMs ((Norma Oficial Mexicana) under the powers of the Ministry of Economy, so there is a potential contradiction between the mandate of the telecoms regulator and the existing criteria for evaluating the conformity of the Ministry of Economy.
Coverage Second-hand, rebuilt, or reconditioned ICT products

MEXICO

Since July 2020

Pillar Technical standards applied to ICT goods, products and online services  |  Sub-pillar Self-certification for product safety
Law of Quality Infrastructure (Ley de Infraestructura de la Calidad)
Until 2020, product certification in Mexico could only be undertaken by certification bodies accredited by the Entidad Mexicana de Acreditación (EMA). For IT equipment and consumer electronics, the Mexican agency issuing certificates is the Underwriters Laboratories of Mexico.
The Law of Quality Infrastructure, which repealed the Federal Law on Metrology and Standardization, allows for self-declaration of conformity if the standard bodies confirm that the Conformity Assessment Procedure includes the obligation by the goods producers (or services suppliers) to be accountable, or if it does not affect the public interest (Arts. 60 and 69).
Coverage Horizontal

MEXICO

Reported in 2021

Pillar Quantitative trade restrictions for ICT goods, products and online services  |  Sub-pillar Other import restrictions, including non-transparent/discriminatory import procedures
Lack of transparency in import procedures
It is reported that Mexico provides insufficient prior notification of procedural changes, inconsistent interpretation of regulatory requirements at different border posts, and uneven border enforcement of Mexican standards and labeling rules. Some imports are still not allowed in all ports of entry. Restricting goods to certain ports has made it difficult for foreign exporters to arrange for transportation and logistics, especially for electronic commerce purchases involving SMEs.
Coverage Horizontal

MEXICO

N/A

Pillar Intermediary liability  |  Sub-pillar Safe harbor for intermediaries for any activity other than copyright infringement
Lack of intermediary liability framework in place beyond copyright infringements
A basic legal framework on intermediary liability beyond copyright infringement is absent in Mexico's law and jurisprudence.
Coverage Internet intermediaries

MEXICO

Since December 1996, last amended in July 2020

Pillar Intermediary liability  |  Sub-pillar Safe harbor for intermediaries for copyright infringement
Federal Copyright Act (Ley Federal del Derecho de Autor)
Mexico has a safe harbour regime in place for intermediaries for copyright infringements. The Copyright Law does not make internet service providers (ISPs) liable in specific situations like caching, search engine, mere conduit or routing. Recent amendments have introduced Arts. 114 Septies and 114 Octies, into the existent Mexican Federal Copyright Law, containing the provisions related to ISP’s liability. The amendment provides that ISPs will not be liable as long as:
- They "promptly and readily" eliminate any copyrighted works that infringe upon copyright, regardless of whether they acquire knowledge of the infringement through a notice or by their own means;
- They do not initiate the chain of transmission of the works, performances or productions or select them, and do not receive financial compensation for the transmission, making available or reproduction of the works.
Limited safe harbor measures have been provided, so that ISPs are not directly liable, when they comply with appropriate compliance measures. Thus, the measures implemented are free from liability to pay damages, and not from complying with the precautionary measures.
It is reported, however, that such provisions lack the detail and clarity that are present in other regulations on the same topic.
Coverage Internet intermediaries

MEXICO

Since July 2010

Pillar Domestic Data policies  |  Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Federal Law on the Protection of Personal Data in Possession of Individuals (Ley Federal de Protección de Datos Personales en Posesión de los Particulares)
Art. 30 of the Federal Law on the Protection of Personal Data in Possession of Individuals states that all data controllers are required to designate a personal data officer or department to act as Data Protection Officer and handle requests from data subjects exercising their ARCO Rights under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.
Coverage Horizontal

MEXICO

Since July 2010

Pillar Domestic Data policies  |  Sub-pillar Framework for data protection
Federal Law on the Protection of Personal Data in Possession of Individuals (Ley Federal de Protección de Datos Personales en Posesión de los Particulares)
The protection for processing and control of personal data is governed by the Data Protection Law, which sets forth that the processing of personal information is subject to the consent of the owner. Such consent may be implied, which is sufficient to process general personal data, whereas express consent is required to process financial information, and written consent is required to process sensitive information.
Coverage Horizontal

MEXICO

Since July 2014, last amended in April 2021

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Federal Telecommunications and Broadcasting Law (Ley Federal de Telecomunicaciones y Radiodifusión)
According to Art. 190 of the Federal Telecommunications and Broadcasting Law, the telecom operators must keep certain data for the first 12 months in systems that allow consultation and delivery in real time to the competent authorities through electronic means. The data includes:
- the name or corporate name and address of the subscriber;
- the type of communication service or messaging or multimedia services
- data necessary to trace and identify the original and destination of mobile telephone communications, including the destination number and whether the line is the subject of a contract or tariff plan or is prepaid;
- data necessary to determine the date, time and duration of the communication, as well as the messaging or multimedia service;
- the date and time of the first activation of the service and the location label (cell identifier) ​​since the service was activated;
- identification and technical characteristics of the devices, including the international equipment and subscriber identity codes (where applicable); and
the digital location of the geographical positioning of telephone lines.
At the end of the 12-month period, the operator must keep the data for an additional 12 months in electronic storage systems, during which time the delivery of information to the competent authorities must be carried out within 48 hours.
It reported that all processing and storage systems used by operators and authorised people in this regard must be located exclusively in Mexico, however this is not clear from the regulatory text.
Coverage Telecommunications sector

MEXICO

Signed in 2015, entry into force in April 2020
Since July 2020
Since July 2015
Since March 2018

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
First Amending Protocol (which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance) (Primer protocolo modificatorio del Protocolo Adicional al Acuerdo Marco de la Alianza del Pacífico)

United States Mexico Canada Agreement (USMCA)

Tratado de Libre Comercio entre los Estados Unidos Mexicanos y la República de Panamá (Mexico-Panama FTA)

Comprehensive and Progressive Agreement for Trans Pacific Partnership (Tratado Integral y Progresista de Asociación Transpacífico)
According to Art. 13.11 of the First Amending Protocol (which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance), the four parties (Chile, Colombia, Peru and Mexico) commit to allow cross-border information transfers through electronic means, including also the transfer of personal data for business activities. Moreover, in Art. 13.11.bis the parties commit to ban forced localisation of computer facilities in their national territories. Other binding commitments can be found in Article 19.8.6 of the United States Mexico Canada Agreement (USMCA), Art. 14.10 of the Mexico-Panama Free Trade Agreement, and Art. 14.11.2 of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
Coverage Horizontal

MEXICO

Since January 2021

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Provisions on Electronic Payment Fund Institutions (Disposiciones aplicables a las instituciones de fondos de pago electrónico a que se refieren los artículos 48, segundo párrafo; 54, primer párrafo, y 56, primer y segundo párrafos de la Ley para Regular las Instituciones de Tecnología Financiera)
There are concerns that Art. 50 of the Provisions on Electronic Payment Fund Institutions might force firms to choose only cloud providers based in Mexico, thus indirectly imposing a local data processing requirement. The law requires electronic payment fund institutions to use secondary cloud service provided by a company that is not subject to a different jurisdiction. That would mean that the secondary cloud provider would need to be subject to the Mexican jurisdiction.
Coverage Cloud services

MEXICO

Since July 2010

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Federal Law on the Protection of Personal Data in Possession of Individuals (Ley Federal de Protección de Datos Personales en Posesión de los Particulares)
Consent is necessary for data transfer of personal data across borders on the basis of Arts. 6, 8, and 9 of the Federal Law on the Protection of Personal Data in Possession of Individuals. Moreover, pursuant to Art. 37 of the law, domestic and international transfers of personal data may be carried out without the consent of the data subject under certain exceptions including, among others: the necessity of the transfer for medical diagnosis or prevention, health care delivery, medical treatment or health services management; the transfer to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies as the data controller; the necessity by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject.
Coverage Horizontal

MEXICO

Since June 2013

Pillar Telecom infrastructure and competition  |  Sub-pillar Presence of independent telecom authority
Decree amending and adding various provisions of Articles 6, 7, 27, 28, 28, 73, 78, 94 and 105 of the Political Constitution of the United Mexican States (Decreto por el que se reforman y adicionan diversas disposiciones de los artículos 6o., 7o., 27, 28, 73, 78, 94 y 105 de la Constitución Política de los Estados Unidos Mexicanos)
Pursuant to the Decree amending and adding several provisions of Articles 6, 7, 27, 28, 28, 28, 73, 78, 94 and 105 of the Political Constitution of the United Mexican States, the "Instituto Federal de Telecomunicaciones" (IFT) is created. It is reported that the "Instituto Federal de Telecomunicaciones" (IFT), executive authority for the supervision and administration of the telecommunications sector services, is independent from the government in its decision making.
Coverage Telecommunications sector

MEXICO

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Functional/accounting separation for operators with significant market power
Requirement of accounting and functional separation for dominant network operators
It is reported that Mexico mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market.
Coverage Telecommunications sector

MEXICO

Since July 2020

Pillar Intellectual Property Rights (IPRs)  |  Sub-pillar Effective protection covering trade secrets
Mexican Federal Law for Protection of Industrial Property (Ley Federal de Protección a la Propiedad Industrial)
The Mexican Federal Law for Protection of Industrial Property provides a framework for effective protection of trade secrets.
Coverage Horizontal