The new data protection law revises a number of definitions and makes several important changes to how the data protection rules will be administered and enforced. Below are some of the key modifications. 

The new law mandates that consent for data processing must be free, specific, and informed. Tacit consent remains valid as a general rule (a principle previously outlined in the regulations for the prior data protection law, but now explicitly incorporated into the new legislation).  

Other key changes to the consent requirements include: 

• The law now allows consent exemptions if authorised by any legal provision, including regulations and decrees. 

• The scope of authority-based exemptions has expanded to include court orders, resolutions, or rulings from competent authorities. 

• If personal data is processed for purposes other than those specified in the Privacy Notice, new consent must be obtained, even if the new purpose is compatible with the original intent. 

The new law adds the following requirements for Privacy Notices: 

• The Notice must explicitly set out the personal data subject to processing. 

• It must distinguish between mandatory and voluntary purposes. 

• The requirement to inform data subjects about third-party transfers in the Privacy Notice has been eliminated (however, disclosure obligations remain under current regulations). 

The new law expressly grants rights of access, rectification, cancellation, and opposition (the so called ‘ARCO’ rights) to data subjects. Additionally, under the new law: 

• The right to cancellation now explicitly applies to files, records, and systems where the personal data is stored. 

• The right to object applies when personal data is subjected to automated processing that significantly affects the data subject’s rights, freedoms, or interests without human intervention. 

The Ministry of Anticorruption and Good Governance will replace the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI) as the primary regulatory authority. Additionally, the Ministry of Economy will no longer oversee privacy regulations. 

Under the new law, the Federal Judiciary must establish specialized courts for personal data protection cases within 120 days of the law’s enactment. The Federal Executive has 90 days to align regulatory frameworks with the new law. 

The new law also recognizes Mexico’s special process for enforcing fundamental and constitutional rights (the so called ‘Indirect Amparo trial’) as a means of challenging administrative actions related to data protection. However, it is questionable whether the Amparo process is appropriate, rather than proceedings before the Federal Court of Administrative Justice, which has jurisdiction to review the actions of federal public administration bodies, including the Ministry of Anticorruption and Good Governance. 

Employers and other organisations handling personal data must update their internal policies and practices to align with the new data protection law. Recommended actions include: 

• Review and adjust internal policies in accordance with the new requirements. 

• Provide training programs for employees on compliance with the new law and forthcoming regulations. 

• Monitor regulatory developments from the Ministry of Anticorruption and Good Governance, as its interpretations and enforcement criteria will differ from the now-dissolved INAI. 

Effective March 21, 2025, the Ministry of Anticorruption and Good Governance now oversees data protection regulations. Although procedural aspects remain largely unchanged from the previous data protection law, the structural and jurisdictional differences of the new Ministry warrant close attention. Unlike the INAI, which was an autonomous body, the new Ministry is part of the Federal Executive, raising concerns about potential shifts in enforcement and regulatory discretion.