The suppression of INAI as the personal data protection authority in Mexico.

12.12.2024

Mexico will face multiple challenges with the suppresion of INAI as its data protection authority; a new authority will take its place and its independence and specialization has been questioned. What happened and what comes next?

What is happening?

In November 2024, a long and controversial process culminated, resulting in a new amendment to the Mexican Constitution, this time with the objective of carrying out an “organic simplification” to avoid the “duplicity” of administrative functions attributed to various agencies that for years were in charge of several important areas and functions.

Among the organisms that will disappear as a result of this “organic simplification” is the National Institute of Transparency, Access to Information and Protection of Personal Data, known in Mexico and in the world as “the INAI” (for its acronym in Spanish); the exact moment in which the INAI will cease to operate is unknown at the time of writing, but we will know exactly in the days to come, when the amendments to various secondary laws are published in Mexico's Official Gazette.

As is well known, this forum is not intended for the exposition or debate of political opinions, so I will avoid referring to them as much as possible; however, it is inevitable to mention that one of the objectives of the constitutional amendment that put an end to the existence of INAI was and has been to disappear a constitutionally autonomous agency that has allowed Mexican citizens to exercise their right of access to public information.

In the pursuit of that objective, the enforcement of the personal data protection laws in force in Mexico has been called into question, to the extent that in certain forums it was even mentioned that these laws would be abrogated and the right to the protection of personal data would disappear in Mexico. Nothing could be further from the truth, but it is true that the information available was little, bad and in many occasions exclusively focused on the “transparency duties” of the INAI, ignoring that the enforcement of the laws on the human right to the protection of personal data is also in charge of the INAI (until it disappears, of course).

For this reason, these lines are intended to provide our international community with information on the context, immediate consequences and forecasts regarding the imminent disappearance of INAI.

2010: the protection of personal data in the hands of the “IFAI”; 2014: the INAI emerges as an autonomous body

In July 2010, the first law specifically aimed at regulating the right of individuals to the protection of their personal data was published in Mexico: the Federal Law for the Protection of Personal Data in Possession of Private Parties (the “LFPDPPP”, for its initials in Spanish), which incidentally left out of its scope of application the public administrations of all levels and other public bodies (these would be regulated later, in a 2017 law).

The LFPDPPP changed the name of the then Federal Institute of Access to Information (the “IFAI”, by its Spanish acronym) and incorporated to its functions (and name) the Protection of Personal Data; the Mexican legislator chose to assign to the institute that protected access to public information the functions of protection of personal data; a decision that demonstrated on several occasions the apparent contradictions of one and the other right, overseen by the same organism.

In February 2014, through a constitutional amendment, the IFAI was given autonomy, giving rise to the INAI that we all know; this amendment is the one that has been reversed, it will culminate with the disappearance of the INAI and the reform of various laws that should define the administrative authority that will be in charge of the enforcement of the LFPDPPP (a matter that up to this moment has not been satisfactorily clarified).

Convention 108 and the independence of oversight bodies

In June 2018 Mexico ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe (Convention 108); it did so as one of the few non-European countries that are part of this important international instrument; upon accession, Mexico also accepted the Additional Protocol of 2001, which among other provisions establishes the obligation of the signatory States to have one or more authorities in charge of supervising compliance with the principles set forth in Convention 108, which must exercise their investigative and intervention functions with complete independence.

This obligation (the independence of the supervisory authorities) has shaped the organization and functioning of the personal data protection authorities of the members of the Council of Europe, and of those that are not members of the Council of Europe, but have acceded to this Convention (such as Mexico).

Since the proposal of the constitutional amendment that has been approved was made public, we have argued that the disappearance of INAI and the transfer of its powers to an agency or entity that is part of the Federal Public Administration of Mexico will undermine the independence of the authority that must supervise the protection of personal data in this country; the approved amendment does not guarantee such independence and as soon as the new supervisory authority takes control of the functions that INAI currently exercises, we will see if it will operate in this way.

Is the protection of personal data in Mexico over?

The answer is NO; the disappearance of INAI does not entail the abrogation of the personal data protection laws in force in Mexico, all of them will remain in force and, the amendments that will be necessary to adapt them to the constitutional amendment that has been approved, will be aimed at modifying the authority or authorities that will now be in charge of enforcing them, since it has been foreseen that the protection of personal data processed by public bodies will be in charge of a different authority from the one that will enforce the law that “individuals” must comply with.

It is important to highlight the foregoing because, in the midst of the noise that the disappearance of the INAI has reasonably generated, the idea was spread that the laws on the matter would also disappear; we reiterate that this will not be the case.

At the same time, and regardless of the authority in charge, we must not forget that the international extension of the right to the protection of personal data, the unstoppable international transfer of this information, the reputation of all stakeholders and the trust that information society service providers must provide to all data subjects, allow us to anticipate that compliance with the principles will continue to be transcendental in the years to come.

Challenges and opportunities

In addition to the independence that the authorities in charge of personal data protection in Mexico will have to demonstrate, there are significant challenges in several aspects.

First, we see the specialization of the professionals in charge of enforcing the LFPDPPP in jeopardy; in its years of operation, INAI developed and promoted the specialization of the public servants who investigated violations of the law and sanctioned it; we hope that this specialization will not be disregarded by the new authority.

Secondly, we must take into account that for several years INAI carried out numerous diffusion tasks on the rights and obligations provided in the LFPDPPP, including the publication of compliance guides and recommendations whose continuity is not guaranteed; we hope that the new authority adopts and continues with this work.

Thirdly, and although it is true that there is still much to be done in this regard, we must recognize the impulse that INAI provided to the self-regulation of controllers and processors, as well as to the promotion of certifications in personal data protection; we hope that the initiatives, structure and organization of self-regulation and certification do not disappear in Mexico due to the changes that are coming.

Finally, it is important to highlight that INAI has positioned Mexico as a relevant country committed to the protection of personal data; there are many forums in which the work of INAI has been recognized internationally; we also hope that the new authority will maintain and reinforce Mexico's international prestige in this area.

Finally, I wish to emphasize that the current context presents an enormous opportunity for the updating of Mexico's data protection laws, which should be directed towards the adoption of the protection standards that the General Data Protection Regulation of the European Union has undeniably spread internationally; specifically, the Latin American region is experiencing a clear trend of adoption of such standards, initiated by Brazil and followed by countries such as Ecuador, Panama, and soon Argentina; Mexico should not be left out of this trend if it wishes to guarantee the protection of this right in the digitalized world in which we all now interact.

authors note: I finish writing this article on December 4, 2024; during the next weeks and months we will have more information about the changes in the LFPDPPP that should clear the doubts about the authority that will be in charge of its application.

 

Article provided by INPLP member: Héctor Guzmán-Rodríguez (BGBG, Mexico)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.