On November 28, 2024, the Mexican Senate approved a constitutional reform known as “organic simplification,” which resulted in the dissolution of several autonomous constitutional bodies, including the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI). This change was formalized in the Official Gazette of the Federation on December 20, 2024. As part of the reform, responsibilities related to access to information, transparency, and personal data protection are now transferred to a new body within the federal public administration.
On February 20, 2025, President Claudia Sheinbaum introduced a bill to the Senate titled “Decree for issuing the General Law on Transparency and Access to Public Information, the General Law on the Protection of Personal Data Held by Obligated Parties, and the Federal Law on the Protection of Personal Data Held by Private Parties, as well as amending various provisions of the Organic Law of the Federal Public Administration.”
The bill proposes maintaining the general structure of the Federal Law on the Protection of Personal Data Held by Private Parties, which was initially established in 2010. While the principles, rights, procedures, and sanctions remain largely unchanged, there are certain specifications introduced in the new legislation.
Under the bill, the Ministry of Anticorruption and Good Governance would take on the role of the primary authority responsible for enforcing the protection of personal data held by private entities, effectively replacing INAI. This new body, however, would not have the same constitutional autonomy as INAI, as it operates under the executive branch’s organizational structure and lacks budgetary and functional independence.
The bill also includes provisions allowing resolutions made by the Ministry of Anticorruption and Good Governance to be challenged via an amparo lawsuit. These challenges would be handled by specialized courts, a significant change since, prior to this bill, no such courts existed. The federal judiciary is tasked with establishing these specialized courts within 180 calendar days of the bill’s enactment.
As a result of the constitutional reform, additional legislative changes related to private sector data protection may be introduced. For example, a new bill suggests that entities will be required to notify the ministry about security breaches and obtain authorization for processing sensitive personal data. These and other provisions will need to undergo debate and approval by both chambers of the Mexican Congress before taking effect.
These ongoing legislative changes suggest a reevaluation of personal data protection in Mexico, despite concerns over the loss of an independent national authority in this field. The future of personal data protection in Mexico will be shaped by the progress of these legislative initiatives.
Your source for supply chain report news updates: The Supply Chain Report. For international trade insights and tools, head to ADAMftd.com.
#MexicoDataProtection #PersonalDataSecurity #DataPrivacy #MexicoTechRegulations #DataProtectionAuthority #CyberSecurity #DigitalPrivacy
