The Institute of Access to Information and Data Protection (“IFAI”) has made it known that it is going to be aggressive in enforcing the Mexican data protection law. While some commentators warn about the willingness to “show its teeth”, the basic question is still how to avoid being bitten.

Considering the allowable penalties can be in excess of US$1 Million, it is worthwhile to understand how one can effectively work with the law.

Mexico is one of the participating economies of the Asia-Pacific Economic Cooperation Forum (“APEC”). As part of APEC, Mexico is also one of the first economies to join the “Cross-Border Privacy Rules” (“CBPR”) system. This system was developed over a multi-year process so that the economies in Asia could manage multiple different privacy systems in a culturally and commercially sensitive manner. In recognition of the challenges (both political and cultural), one of the central elements of the CBPR system is the use of “Accountability Agents”.

The Mexican law directly contemplates the use of self-regulatory schemes in Article 44. For the company that treats IFAI’s willingness to enforce as a gating factor in asking for an opinion as to compliance, the use of an Accountability Agent, or Trustmark, can be appealing. A good Accountability Agent will provide legitimate, concrete guidance on how to actually comply with the law without having to go to the regulator for an opinion. Currently, TRUSTe is the only Accountability Agent participating in the APEC CBPR System, and it has not been endorsed by the Mexican Government. However, looking at its certification program can give insight into how a company may leverage a Trustmark to give evidence of compliance with privacy rules.

When the regulator signals its willingness to enforce data protection laws, it is worthwhile for companies to consider a holistic approach to their compliance programs. It isn’t just about having firewalls. Companies also need appropriate policies, consent processes, administrative safeguards, and independent evaluations of their privacy posture to effectively mitigate the regulatory risk. The Accountability Agent can be a core part of mitigating the risk of regulatory fines from IFAI.

John Tomaszewski specializes in emerging technology and its application to business. His primary focus has been developing trust models to enable new and disruptive technologies and businesses to thrive. In the “Information Age”, management needs to have good advice and counsel on how to protect the capital asset which heretofore has been left to the IT specialists – its data.

John’s expertise in understanding a company’s data protection and management needs provides a specialized point of view which allows for holistic solutions. A good answer should always solve at least three problems.

John has been a co-author of several information security and privacy publications, including the PKI Assessment Guidelines and Privacy, Security and Information Management: An Overview; as well as publishing scholarly works of his own on the topic. He has also provided input to the drafting of various security and privacy laws around the world; including the APEC Cross-Border Privacy Rules system. He is a frequent speaker globally on the topics of cloud computing, Self Regulatory Organizations (“SROs”), cross-border privacy schemes, and secure e-commerce.