Skip to main content

Mexico. A new data protection law is on its way.

|

Before the first anniversary of Mexico’s “new” data protection law, its data protection authority announced that a new data protection law applicable to “private parties” was necessary. Available information indicates that Mexico will soon be closer to GDPR standards.

In 2025, the Anti-Corruption and Good Governance Secretariat (SABG, for its acronym in Spanish) assumed responsibility for enforcing the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP, for its acronym in Spanish) and for sanctioning violations thereof. In March of the same year, a “new” LFPDPPP was issued, which, in practice, did not represent a significant change from the provisions of the 2010 law it repealed. This “new” law has not been supplemented by implementing regulations, even though the deadline for issuing these regulations expired several months ago.

In this context, on January 28, 2026, the SABG organized a forum to discuss the updating of personal data protection legislation applicable to private parties, with the participation of business and social sectors. The head of the SABG emphasized the importance of including all stakeholders in the development of a modern, transparent law that is aligned with international standards. At the same event, the need to modernize the regulations, which have been frozen since 2010, was highlighted, and some components of the proposed amendment were presented. The event was attended by representatives of international and business organizations, who agreed that data protection is key to innovation and sustainable growth.

So far, it has not been made public whether the proposed amendment entails an amendment to the LFPDPPP of 2025 or whether there are plans to issue a complete and renewed law, including some of the new components that have been announced.

In any case, it is anticipated that, before the end of 2026, Mexico will have a personal data protection law that incorporates the following concepts or obligations that have already been mandatory in other countries for several years:

  1. Privacy by design,
  2. Privacy by default,
  3. Personal Data Protection Impact Assessments,
  4. Role, functions, and position of the DPO,
  5. Right to portability,
  6. Right to restriction of processing, and
  7. Right not to be subject to a decision based solely on automated processing.


At the same time, available information raises several questions about the scope of the new provisions that will govern personal data protection in Mexico. For example:

  1. Will Mexico adopt an extraterritorial model similar or identical to that which exists in the European Union or countries such as Brazil, Chile, or Panama?
  2. Will data subjects’ consent continue to be the sole basis for the processing of personal data, or will a model with broader legal bases be adopted?
  3. If more legal bases for the processinng of personal data will be included, will Mexico adopt the “legitimate interest” basis?
  4. Will legitimate interest assessments be adopted?
  5. Will credit reporting agencies be excluded from the exceptions to the application of the law?
  6. Will it be established that minors may give their consent for the processing of their personal data from a certain age (e.g., 15 or 16)?
  7. Will there be different rules for SMEs and other types of data controllers and processors?
  8. Will new obligations be included for data processors and will infringements against them be provided for?
  9. Will provisions on the use of artificial intelligence when processing personal data be included?


Clearly, these and many other issues could be addressed within the framework of an ambitious amendment, but, as with any legislative project, the final outcome is uncertain and negotiations between all stakeholders will be decisive in the final version of these amendments.

Finally, we would like to mention that there is an additional issue that is already beginning to be reviewed and raised as a concern at the business level: once the new provisions on personal data protection are published, how much time will data controllers and processors be given to update (or adopt) their compliance measures? The upcoming official version will give us the answer.

 

Article provided by INPLP member: Héctor Guzmán-Rodríguez (BGBG, Mexico)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}