-DATA PROTECTION AND PRIVACY-
Mexico Will Not Rush to Compliance Review, Enforcement of New Law, DPA Chief Assures
Mexico’s data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country’s new data protection law begin taking effect in July, the head of the DPA, the InstitutoDeral De Acceso a la InformaciónPública (IFAI), said March 10 at a conference.
As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline PeschardMariscal said.
But the government will not immediately begin verification activity, she said. Instead, the IFAI will focus on training and education of covered entities in the requirements of the rules, Mariscal said at a session of the International Association of Privacy Professionals Global Privacy Summit.
Mexico’s Federal Law Protecting Personal Data in Private Possession regulates for the first time on a federal level how businesses and individuals handle personal data. It technically took effect July 6, 2010 (9 PVLR 1016, 7/12/10), but the implementing rules are not expected before this July, according to the IFAI (10 PVLR 368, 3/7/11).
Enforcement of the new law is slated to begin in January 2012, Mariscal confirmed at the conference panel entitled “Privacy: What You Need to Consider When Doing Business in North America.”
Mexico Issues Privacy Regulations for Public Comment
On July 6, 2011, Mexico’s Secretary of Economy, in conjunction with the Federal Institute for Access to Information and Data Protection (“IFAI”), released wide-ranging privacy regulations for public comment. The regulations establish rules and guidelines for the implementation of Mexico’sFederal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de DatosPersonales en Posesión de los Particulares), which became effective one year ago. Among the topics covered are jurisdictional issues, details regarding notice and consent, the relationship between data controllers and data processors, data transfers, data security, self regulation, data subjects’ rights, automated processing and enforcement.
Regulators Disagree About Approach To Online-Privacy Rules
Data and privacy regulators from governments around the world met in Mexico City last week for the 33rd International Conference of Data Protection and Privacy Commissioners to discuss online privacy issues. The topic of debate centered on big databases and how their benefits can be tapped into without the costs of discrimination and invasion of privacy and whether or not all of this big data is being used to observe general patterns of online behavior, or being used to target and identify specific individuals. Many commissioners, especially those from Europe and Latin America, believe their countries must enact very tough privacy laws that tightly restrict what can be collected, how long it can be held and what can be done with it. Yet others advocate a more flexible approach of requiring consumers to consent to “cookies” being place on their computers by Web sites. While everyone does not necessarily deem cookies as bad, it is widely agreed upon that people should know if they are being tracked, and also have the ability to turn the tracking off.
Final Version of Data Protection Law In Effect Today
Mexico has released the final version of its Regulations of the Federal Law for the Protection of Personal Data Held by Private Parties, which includes minor changes to the prior draft, reports Hunton& Williams’ Privacy and Information Security Law Blog. The final version includes “clarification of notice and consent requirements, changes to restrictions on cloud computing, updates to requirements regarding data transfers and clarifications regarding data subjects’ rights,” according to the report.
Essential Practices for Conducting Background Checks in Mexico
Potential candidates may be required to consent to background checks in Mexico, including requests about their criminal history, consumer credit, and motor vehicle records, as a condition of employment. If consent is not provided, an employer may legally refuse to hire a potentially qualified candidate. An employer must request the background check of an applicant prior to extending an offer of employment. The applicant must then decide if they will consent to undergo the background check process. Employers must be able to demonstrate proof of consent. In order to substantiate valid consent was obtained it must include specific language indicating that the candidate agrees to the background check.
There is no one specific law governing background screening in Mexico, however various pieces of legislation do cover parts of the screening process. These areas include the following: