Data Protection and Transparency in Mexico: 5 Things Businesses Need to Know About the New Legal Framework

Una versión en español de esta Insight está disponible haciendo clic arriba.

A major reform package was recently enacted in Mexico introducing new regulations on personal data protection and transparency. This structural shift in Mexico’s regulatory framework will unfold over the coming months, but public and private entities alike should be aware of new obligations and prepare for the operational changes they may require. Here are the key highlights of the reform that companies doing business in Mexico should note.

Quick Overview

Through the reform package, which was published in Mexico’s Federal Official Gazette on March 20, the following laws were enacted:

• The General Law on Transparency and Access to Public Information
• The General Law on the Protection of Personal Data Held by Public Authorities
• The Federal Law on the Protection of Personal Data Held by Private Parties
• An amendment to Article 37, Section XV of the Organic Law of the Federal Public Administration.

Read on for more details about each of these aspects of the reform and what they mean for your operations.

1. Access to Information

The new General Law on Transparency and Access to Public Information does the following:

• Establishes principles and procedures to guarantee access to public information across all branches and levels of government, including political parties and entities that use public resources.
• Introduces the concept of “open data,” mandating that public information be freely accessible, reusable, and published in open formats.
• Creates the National System for Access to Public Information to coordinate nationwide implementation.
• Disbands the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI), transferring its functions to a new entity under the Ministry of Anti-Corruption and Good Governance. This new entity will be named Transparencia para el Pueblo (Transparency for the People).
• Grants administrative authority to the Ministry to oversee a redesigned National Transparency Platform, which now includes modules for access requests, appeals, and institutional communication.

2. Protecting Personal Data with Public Authorities

The new General Law on the Protection of Personal Data Held by Public Authorities:

• Applies to all government bodies and guarantees the protection of personal data.
• Reaffirms the principles of lawfulness, purpose, consent, quality, proportionality, information, and accountability.
• Strengthens ARCO rights (access, rectification, cancellation, and opposition) – which you can read more about here.
• Requires public authorities to conduct data protection impact assessments and implement preventive and corrective measures.
• Designates the Ministry of Anti-Corruption and Good Governance as the lead agency for enforcing and interpreting law.

3. Protecting Personal Data with Private Parties

The new Federal Law on the Protection of Personal Data Held by Private Parties:

• Regulates personal data processing by companies and individuals.
• Clarifies rules on consent, privacy notices, and security measures.
• Expands the definition of personal data processing to include both manual and automated operations.
• Introduces the right to data portability and the right to object to automated processing.
• Provides criteria for valid public data sources and outlines new grounds for denying ARCO requests.
• Authorizes the regulator to order the release of data and allows for appeals via constitutional amparo proceedings.

4. Enforcement and Sanctions

The amendment to Article 37 of the Organic Law of the Federal Public Administration grants the Ministry of Anti-Corruption and Good Governance new powers to enforce transparency and data protection standards, including verification and sanctions.

5. Top Compliance Tips

The three new laws will enter into full force on May 19, and the amendment to Article 37 already took effect March 21. So, you’ll want to act quickly to ensure your operations are compliant. Consider taking the following steps:

✅ Update privacy notices and internal data protection policies to reflect the new legal framework and institutional references.

✅ Map and review all data processing activities, particularly where automated or profiling-based systems are involved.

✅ Revise ARCO request procedures and implement documentation protocols for denials, which are now subject to new grounds under the law.

✅ Implement or update consent mechanisms and ensure data subjects are informed of their right to portability and to object to automated decisions.

✅ Plan for impact assessments, especially for high-risk processing or sensitive data, in compliance with public or sectoral guidance once issued.

✅ Train key personnel on the new regulatory framework, roles of Transparencia para el Pueblo, and interactions with the redesigned National Transparency Platform.

✅ Monitor for guidance and secondary regulations expected from the Ministry of Anti-Corruption and Good Governance.

Conclusion

We will continue monitoring the implementation process and any forthcoming regulations that may further define compliance obligations under this new legal framework. For more information on how this impacts your operations in Mexico, reach out to your Fisher Phillips attorney or the author of this Insight. Fisher Phillips Mexico is at your service to assist you with any questions related to this topic, as well as with any matter in labor law. Make sure you are subscribed to Fisher Phillips’ Insight System to have the most up-to-date information sent directly to your inbox.