Mexico Implements New Data Protection Framework

Introduction

The new federal law on personal data protection introduces significant changes to the regulatory framework, aiming to strengthen personal data protection and guarantee the rights of data subjects. Effective from 21 March 2025, this new legal framework replaces the previous 2010 law and abrogates the autonomous data protection institute (INAI), centralizing oversight functions within the federal public administration under the Ministry of Anti-Corruption and Good Governance. These reforms respond to evolving technological risks associated with automated processing, sensitive data profiling, and the proliferation of electronic or technological means used by private parties to process personal data.

The law establishes a new authority responsible for overseeing data protection, ensuring compliance with the new legal framework, and providing legal certainty for individuals and organizations. By transferring the INAI’s material and financial resources to the Ministry, the government seeks to streamline processes and avoid duplication of efforts while raising concerns about the independence of data protection enforcement. This transition is part of a broader simplification of the organic law governing federal public administration, eliminating several other autonomous agencies in favor of specialized administrative bodies.

Protecting personal data is a fundamental right, and the new law aims to ensure that data controllers and processors handle personal data securely and transparently. It codifies data subjects’ rights, including access, rectification, cancellation, and opposition (ARCO), and introduces additional safeguards for sensitive data, such as health or biometric information, which now require explicit consent and enhanced security measures. Organizations must implement access control mechanisms and guarantee that data processing does not produce adverse legal effects for data subjects.

The new law applies to private parties that process personal data, including companies, non-profit organizations, and individuals acting as data controllers or data processors. It establishes clear distinctions between data controllers, who determine the purposes and means of data processing, and data processors, who handle data on behalf of controllers, and both parties are subject to compliance obligations and potential sanctions. The regulatory framework is designed to promote good governance, transparency, and accountability in the handling of personal data, reflecting international best practices and Mexico’s commitments under treaties such as the USMCA.

The new legal framework eliminates the National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI), transferring its material and financial resources to the new authority. As of 9 May 2025, the INAI ceased to exist, and the Secretaría de Anticorrupción y Buen Gobierno officially assumed its functions in data protection and transparency. This reform forms part of a broader organic simplification that dissolved seven autonomous agencies, consolidating oversight within ministries to enhance coordination and anti-corruption efforts.

The law introduces a new definition of personal data, which includes any information that can identify an individual (natural or legal), either directly or indirectly, and expressly covers sensitive data categories such as biometric, genetic, health, and financial information. By removing the limitation to “persona física,” the legislation allows legal entities to be recognized as data subjects with ARCO rights, a novel concept in Mexican data protection law.

The new law establishes self-regulation schemes, allowing data controllers and processors to develop their own codes of conduct, privacy standards, and certification mechanisms. These voluntary frameworks must be approved by the Ministry and provide recognized means to demonstrate compliance, thereby reducing administrative burdens and fostering industry-led best practices.

The law requires data controllers and processors to implement security measures to guarantee the confidentiality, integrity, and availability of personal data. These measures include:

  • Access control mechanisms to prevent unauthorized access
  • Encryption and pseudonymization techniques for sensitive data
  • Periodic risk assessments and audits
  • Data retention policies aligned with the principles of necessity and proportionality

These requirements mirror international standards and aim to mitigate legal risks associated with data breaches.

The new law also establishes specialized courts to resolve disputes related to personal data protection. Under the decree, federal district courts and circuit courts specializing in data protection must be operational within 120 days of the law’s entry into force to hear amparo proceedings and other appeals, replacing the previous route through the Federal Court of Administrative Justice. This structure is intended to expedite case resolution and provide legal certainty to data subjects and obligated parties.

Regulatory Compliance

Companies and organizations must comply with the new regulatory framework, ensuring that they handle personal data in accordance with the law. All entities that process personal data, from multinational corporations to SMEs, are considered obligated entities and must align their data processing activities with the general law and its implementing regulations.

Data controllers and processors must conduct a comprehensive audit to identify areas of non-compliance and implement corrective measures. This audit should cover:

  • Personal data processed and mapping of data flows
  • Data subjects’ information and profiles
  • Security measures in place
  • Existing privacy notices (both simplified and comprehensive)
  • Self-regulation schemes and certification status

Organizations are encouraged to engage specialized legal counsel or data protection officers to guide this process and mitigate legal risks.

The law requires data controllers and processors to provide privacy notices to data subjects, informing them of their rights and how their personal data will be processed. Two forms of notice are required:

  • Simplified privacy notice (for electronic or technological means), outlining essential information such as data categories, processing purposes, and ARCO rights
  • Comprehensive privacy notice, detailing data transfers, retention periods, security measures, and channels for exercising rights

Both notices must be readily accessible and drafted in clear, plain language.

Companies and organizations must also establish procedures for handling data subject requests, including access, rectification, cancellation, and opposition. These procedures must guarantee:

  • Timely response (within 20 days for ARCO requests and 15 days for execution)
  • Free or minimal cost for data subjects
  • Transparent channels, such as online portals or email

The new law introduces significant fines for non-compliance, which can be up to 320,000 Units of Measurement and Update (approximately MXN 48.5 million), depending on the severity and recurrence of violations.

Authority and Supervision

The new authority responsible for overseeing data protection is the Ministry of Anti-Corruption and Good Governance. As a federal public administration body, it inherits the INAI’s functions but within the executive branch, raising both efficiency and independence concerns.

The Ministry will be responsible for monitoring compliance with the new legal framework, providing guidance to data controllers and processors, and resolving disputes related to personal data protection. Its duties include:

  • Issuing interpretative guidelines and best practice manuals
  • Conducting inspections and audits of obligated parties
  • Receiving and processing sanctioning procedures for infractions
  • Coordinating with other public entities on cross-sector data protection issues

The Ministry will also be responsible for promoting awareness of personal data protection rights and ensuring that data subjects are informed of their rights through educational campaigns and the national transparency platform.

The new authority will have the power to impose fines and penalties for non-compliance with the regulatory framework, including administrative sanctions and orders to cease unlawful data processing activities. In extreme cases, the Ministry may refer matters for criminal investigation if bad-faith non-compliance is detected.

The Ministry will also establish a national transparency platform to provide information on personal data protection and promote good governance. This online portal will feature:

  • Registries of privacy notices and self-regulation schemes
  • Decision database for published resolutions and best practices
  • Breach notification system for data processors to report security incidents

By centralizing information, the platform aims to enhance transparency and foster trust among data subjects.

The new law introduces significant legal considerations for data controllers and processors, including the need to ensure compliance with the regulatory framework. Legal entities must review their legal relationships, such as contracts with data processors, to embed data protection clauses, liability provisions, and audit rights.

Data controllers and processors must be aware of the rights of data subjects, including access, rectification, cancellation, and opposition. They must implement processes to guarantee these rights and avoid adverse legal effects, such as unauthorized disclosures or denial of ARCO requests, which could lead to sanctions.

The law requires data controllers and processors to implement measures to guarantee the security and confidentiality of personal data. Security measures should be proportional to the risk and may include:

  • Material and financial resources allocation for cybersecurity controls
  • Automated processing safeguards and risk mitigation for profiling activities
  • Employee training programs on data protection

Companies and organizations must also be aware of the potential legal risks associated with non-compliance, including fines, reputational damage, and civil liability. Risk assessments should quantify financial exposure and identify high-risk processing activities, such as cross-border data transfers or handling of sensitive data.

The new law also introduces the concept of sensitive personal data, which requires additional protection measures. Processing sensitive data demands:

  • Explicit and documented consent from data subjects
  • Enhanced security measures, such as encryption at rest and in transit
  • Periodic reviews of consent and processing purposes

Failure to handle sensitive data appropriately can produce adverse legal effects and trigger higher-tier sanctions.

Implementation and Enforcement

The new law will be implemented in a phased manner, with different deadlines for compliance depending on the type of organization. Large enterprises, political parties, and entities in regulated sectors face earlier deadlines, while SMEs have extended transition periods to align their processes and resources.

Data controllers and processors must develop and implement policies and procedures to ensure compliance with the regulatory framework. Key steps include:

  • Appointing a data protection officer or a responsible person within the organization
  • Drafting and publishing privacy notices (simplified and comprehensive)
  • Establishing internal audit and risk management processes
  • Designing self-regulation schemes and seeking Ministry approval

The Ministry of Anti-Corruption and Good Governance will be responsible for enforcing the new law, including conducting audits and inspections. It will use:

  • On-site inspections and remote audits
  • Review of privacy notices and registries
  • Analysis of breach notifications and remediation reports

The new law also establishes a system for reporting data breaches and notifying data subjects in the event of a security incident. Controllers must:

  • Notify the Ministry within 72 hours of discovering a breach
  • Inform affected data subjects without undue delay
  • Document remediation measures and ongoing risk assessments

Companies and organizations must also establish procedures for updating personal data and ensuring it is accurate and up-to-date. The right to rectification now explicitly includes the updating of data, and controllers must provide mechanisms for data subjects to submit updated information.

By embedding these comprehensive compliance, enforcement, and implementation measures, Mexico’s new legal framework on personal data protection seeks to align with global best practices, strengthen legal certainty, and uphold the fundamental rights of data subjects in an increasingly digital world.

Conclusion

Mexico’s new federal law on personal data protection represents a bold and necessary evolution in the country’s legal framework. By establishing a robust regulatory foundation, consolidating oversight under a new authority, and introducing comprehensive obligations for data controllers and processors, the law ensures that individuals’ rights are not only recognized but actively protected.

As personal data becomes an increasingly valuable and vulnerable asset in the digital economy, the law reinforces accountability and transparency at every level of data processing. It also sends a clear message that the misuse of personal data will no longer be tolerated, and that good governance, anti-corruption, and legal certainty are now integral to data protection in Mexico.

With the phased implementation strategy, organizations have the opportunity to modernize their data governance structures and embrace a culture of privacy by design. At the same time, data subjects in Mexico gain stronger rights and clearer channels to exercise control over their information.

In short, this new legal framework not only aligns Mexico with global privacy norms but also empowers its citizens, strengthens public trust, and sets a high standard for data protection in the region.
