Mexico ardently protects the privacy of its individual citizens' personal data and sensitive personal information (Information). This protection is enforced though the Federal Personal Information Protection Law ( Law) and its regulations (Regulations). The Federal Institute for Access to Public Information and Protection of Information (IFAI) is the agency in charge of enforcing the Law and its Regulations. The Law has the following eight main principles: i) Lawfulness, which requires using the Information in compliance with the Law; ii) Consent, meaning that consent should be obtained before handling the Information; iii) Information, prescribing instructions as to how Information should be handled; iv) Quality, seeking to maintain current and correct Information ; v) Purpose, tending to limit handling of the Information to the sole purpose described in the privacy notice (Notice); vi) Loyalty, which is the obligation to respect the terms in which the Information was issued to the responsible party; vii) Application, referring to the application of the Information solely for the strict purpose for which it was collected; and viii) Responsibility, adopting only those measures that are necessary in order to comply with the Law. Additionally, there are two duties that the responsible party should observe: a) Duty of Confidentiality, maintaining confidentiality of the Information; and b) Duty of Safeguarding, implementing the security measures of an administrative, physical and technical nature that guarantee the confidentiality and integrity of the Information. Among other things, the Law defines what constitutes Information and how such should be handled. As a result, companies should review and identify which types of Information they handle or will handle. Once the type of Information is identified, companies can take required measures and necessary actions to safeguard the integrity of the Information, being that the collection and protection of such varies according to the nature of the Information itself. Under the Law, companies must write, publish and issue the corresponding privacy notice, guidelines for which were briefly discussed in the February 2013 edition of this report.It is important that each person or company comply with the Law because any breach of such may result in an Information protection proceeding or in a verification procedure and, if applicable, fines of between 100,000 to 320,000 days of minimum salary in effect for the Federal District may be levied, with the possibility of being doubled in the event of a reoccurrence. For violations related to the handling of sensitive Information, fines can increase and even double, apart from applicable civil and/or criminal liability (including jail time), depending on the severity of the violation.
