On March 20, 2025, a amendment decree was published in the Official Journal of the Federation that introduces several amendments, as well as new laws regarding transparency and protection of personal data (the “Decree”), including the issuance of a new General Law of Transparency and Access to Public Information, a new General Law on the Protection of Personal Data Held by Obligated Entities, and a new Federal Law for the Protection of Personal Data Held by Private Parties.
Federal Law for the Protection of Personal Data Held by Private Parties (“LFPDPPP”).
Since this is the most relevant law for the private sector, this analysis focuses exclusively on the new LFPDPPP, comparing its content with the previous version of the law. Although most amendments to the LFPDPPP correspond to form and style adjustments, as well as to certain clarifications or technical precisions, such as replacing the reference to days of minimum wage with Units of Measurement and Update (“UMA”) for fine calculation, the amendment also modifies and introduces new concepts that must be carefully considered.
Key Changes to the LFPDPPP
- Dissolution of the INAI.- The National Institute for Transparency, Access to Information and Personal Data Protection (“INAI”) disappears, and its functions related to personal data protection will be assumed by the Ministry of Anticorruption and Good Governance (the “Ministry”).
The INAI’s human and material resources, as well as its records, registries, and systems, will be transferred to the Ministry.
- Update to the LFPDPPP Regulations.- All references to the INAI in the LFPDPPP Regulations shall be understood as references to the Ministry.
Additionally, under transitory Article Twelfth of the Decree, the federal executive branch will have 90 calendar days from the amendment’s effective date to issue the corresponding regulatory adjustments, which are expected to clarify certain imprecisions in the amendment.
- Changes in definitions and concepts.- As a result of the amendment, several key definitions and concepts of the LFPDPPP were modified. Among the most relevant is the broadening of the definition of “Processing” to now includes the registration, organization, storage, creation, use, communication and dissemination of personal data, and the elimination of the reference to “union membership” in the definition of “Sensitive Personal Data”.
While some changes improve the clarity and comprehension of the law, others may generate confusion and deviate from best practices or international recommendations regarding personal data processing.
- Elimination of analogous purposes.- Data controllers may no longer process personal data for purposes that, although compatible or analogous, differ from those specified in the privacy notice. Consequently, privacy notices must be more detailed and precise regarding the specific purposes for which personal data is collected and processed.
- Privacy Notice Requirements.- The amendment concentrates in article 15 the information that must be contained in the privacy notice, which was previously dispersed in different articles, thus facilitating its consultation and application.
However, it is important to note that, although article 15 no longer expressly mentions the obligation to disclose data transfers, article 35 of the LFPDPPP still requires this information to be included in the privacy notice, if applicable.
- Simplified Privacy Notice.- The amendment introduces new requirements for simplified privacy notices. Before the amendment, it was only mandatory to include the name and address of the data controller, as well as the purposes of the data processing.
Now, as a result of the amendment, in addition to these elements, the simplified notice must include the personal data that will be processed, identifying such that are considered sensitive data, as well as the alternatives and means available to limit the use or disclosure of such data.
- Confidentiality mechanisms.- Data controllers are obliged to establish controls and mechanisms to ensure that all persons involved in the processing of personal data maintain the confidentiality of such data, even after the termination of their relationship with the data controller, which includes the termination of the employment relationship with its employees.
- Automated Processing.- The amendment introduces the concept of automated processing of personal data, which is particularly relevant regarding the use of cookies and web beacons, and the use of artificial intelligence technologies.
Notwithstanding the above, the possibilities to oppose to the processing of personal data using this type of technologies are limited, since according to the text of the amendment, the data subject may only do so when there are legitimate causes, the processing produces adverse legal effects or significantly affects his rights, liberties or interests, and the processing is carried out without human intervention.
- Legal Challenges.- The amendment eliminates the option to challenge resolutions through a nullity proceeding. Instead, the Ministry’s resolutions may only be challenged through an amparo proceeding, which must be filed before specialized judges and courts.
Pursuant to transitory Article Twentieth of the Decree, Mexico’s federal judicial branch must designate specialized judges in access to information and personal data protection within 120 calendar days from the Decree’s entry into force.
CCN is prepared to provide advisory services to ensure compliance with the new LFPDPPP and offer comprehensive support in all areas related to privacy and personal data protection in Mexico.
