The Institute of Access to Information and Data Protection (“IFAI”) has made it known that it intends to be aggressive in enforcing the Mexican data protection law. While some commentators warn about the regulator's willingness to “show its teeth”, the basic question for a company is still how to avoid being bitten.
Considering that the allowable penalties can be in excess of US$1 Million, it is worthwhile to understand how one can comply with the law effectively.
Mexico is one of the participating economies of the Asia-Pacific Economic Cooperation Forum (“APEC”). As part of APEC, Mexico is also one of the first economies to join the “Cross-Border Privacy Rules” (“CBPR”) system. This system was developed over a multi-year process so that the economies in Asia could manage their multiple, differing privacy regimes in a culturally and commercially sensitive manner. In recognition of these political and cultural challenges, one of the central elements of the CBPR system is the use of “Accountability Agents”.
The Mexican law directly contemplates the use of self-regulatory schemes in Article 44. For a company that, because of IFAI’s stated willingness to enforce, is hesitant to ask the regulator for an opinion on its compliance, the use of an Accountability Agent, or Trustmark, can be appealing. A good Accountability Agent will provide legitimate, concrete guidance on how to actually comply with the law without the company having to go to the regulator for an opinion. Currently, TRUSTe is the only Accountability Agent participating in the APEC CBPR System, and it has not been endorsed by the Mexican Government. However, looking at its certification program can give insight into how a company may leverage a Trustmark to give evidence of compliance with privacy rules.
When the regulator signals its willingness to enforce data protection laws, it is worthwhile for companies to consider a holistic approach to their compliance programs. It isn’t just about having firewalls. Companies also need appropriate policies, consent processes, administrative safeguards, and independent evaluations of their privacy posture to effectively mitigate the regulatory risk. An Accountability Agent can be a core part of mitigating the risk of regulatory fines from IFAI.