Currently, protection of personal data in possession of private individuals is regulated under Federal Law from 2010, while the protection of data in possession of public bodies is subject to constitutional principles and the 2002 Law of Governmental Transparency, with no specific set of regulations. In this context, the General Law of Protection of Personal Data in Possession of Obligated Subjects has been passed in order to regulate the processing of personal data in the possession of the federal, state and municipal public sector.

The main aim of the law is to establish the foundations, principles and simple, expeditive procedures to guarantee that everyone may exercise their rights to access, rectify, cancel and challenge the personal data held by any authority, entity, body and organism of the Executive, Legislative and Judicial branches of government, autonomous bodies, political parties, trusts and public funds of the federation, federative entities and municipalities.

It establishes that the right to personal data protection will only be limited on grounds of national security, provisions for public order, health and safety or to protect third-party rights. Sensitive data (referring to more intimate matters) may not be processed without express consent from the individual in question, unless a law so provides or there is an emergency situation.

The law comprises 168 articles, divided into 11 titles, which:

• Distribute powers among the federal and state bodies, which are guarantors of the data protection.

• Establish the minimum thresholds and standardises the conditions regulating personal data processing.

• Regulate the organisation and operation of the National System of Transparency, Access to Information and Protection of Personal Data.

• Guarantee enforcement of the data protection principles.

• Protect personal data in the possession of any person or entity, and regulate suitable processing.

• Promote, foster and disseminate a culture of personal data protection.

• Regulate the means of challenging and procedures for local and federal bodies to lodge claims of unconstitutionality or constitutional disputes.

The following are key new points in the law:

• Delimitation of the attributes of the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales or INAI), which will coordinate and assess actions relating to the transversal public policy of personal data protection, and establishing and implementing criteria in this area.

• Definition of the regulations for national and international transfer of personal data, facilitating the exchange of personal information among authorities at the three levels of government.  

• Implementation and maintenance of a security management system, in line with prevailing national and international standards.

• Establishment of specific rules for personal data processing by security and justice bodies, in the scope of telecommunications.

• Recognition of mechanisms to allow anyone to challenge the use of their data before INAI and state authorities.

Failure to comply with the obligations established in the Law will be fined. The grounds will be acting negligently, with willful misconduct or bad faith, during the resolution of applications for the modification of personal data, and unduly and partially or totally using, removing, disseminating, hiding, altering, mutilating, destroying or incapacitating data held or to which access or knowledge may have been acquired in the performance of a job, charge or commission.