• Insights

Mexico – The impact of the GDPR outside the EU

Written by
Basham, Ringe y Correa S.C., drawing on more than a century of experience helping clients to conduct business in Mexico.
The Mexican Data Protection legal framework is likely to be amended as a result of the implementation of the GDPR in Europe.

Before the GDPR became enforceable, and since then, many companies in Mexico worried about their compliance with data protection legislation, not only with regard to GDPR but also with local laws, as the intense media coverage that accompanied the GDPR created alarm in Mexico.

As a result of many changes in organisations’ compliance programmes and data protection practices worldwide, subsidiaries in Mexico had to adapt to new processes or practices implemented by their parent companies, even if it meant setting higher standards of data protection than those set out in Mexican laws.

Additionally, companies in Mexico that do business in the EU or that offer their services and goods there, and also companies that do not directly do business in the EU, were first interested in finding out to what extent, or if at all, the GDPR would apply to them.

To dissipate doubts, various forums and events were held in the country, mainly in Mexico City, where debate regarding the extra-territorial scope of application of the GDPR was a trending topic, as there was a lot of confusion on the subject.

Even though some companies are still adapting to the GDPR, especially as they deal with new European clients, providers or individuals, there seems to be more awareness regarding its applicability and the obligations set out in the GDPR.

On the legislative side, it is expected the Mexican Data Protection legal framework will be amended to resemble the GDPR or to include certain concepts and obligations that are not currently regulated in the country. A couple of topics that could change are the inclusion of the concept of ‘legitimate interest’, as in Mexico consent is the only legal ground for processing data, and the need to require opt-in consent for marketing activities.

Unfortunately, however, it is uncertain when data protection legislation will be amended, as it does not seem a pressing matter for the current (new) Government and administration.