THE UNITED STATES OF MEXICO’S PRIVACY LAW 07/23/2010
By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

On the 29th of this month, IAPP will have a webcast regarding the newly enacted Mexican privacy law. The speakers will have a more in-depth discussion.

On April 27th, 2010, the Senate for the Republic of the United States of Mexico (Mexico) enacted their first Personal Privacy Protection Law. It is entitled Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares (Law).[1] According to Professor Lina Ornelas, General Director for Classified Information and Personal Data (IFAI, Mexico)[2], the law is the culmination of restless efforts.[3]

THE GOAL

The law’s goal is to provide individuals with the tools needed to enforce their right to protect their personal data. The right to protect one’s Personal Data is considered a Third Generation right.[4] Third Generation Rights emanate from a framework of multi-national Human Rights declarations and treaties. Examples are: The Declaration of the United Nations Conference on the Human Environment (Stockholm Declaration)[5] and the 1992 Rio Declaration.[6] The concept of Third Generation Rights was coined in Europe, and such rights are considered “Soft Laws” by many. Experts and scholars in the Human Rights field disapprove of the term “Soft Laws.” They are called “Soft Laws” because they are not formally part of any written Statute. However, countries have actually codified some Third Generation Rights. Privacy is the perfect example of a former “Soft Law” which has been codified.

THE RIGHT TO PROTECT ONE’S PERSONAL DATA

Mexico, just like the European Union, has codified the privacy rights of individual persons. There are two concepts which are included in the right to protect one’s Personal Data:

1) Protection of the fundamental right of individuals to protect their own person in the context of the processing of personal data.
2) The power of determining who is able to receive and access one’s personal data, where the Personal Data will be stored, and for what reason.[7]

The European Union Privacy Directives and the Privacy Law in Mexico aim at including the above-mentioned concepts. It could be said that countries that adequately protect an Individual’s Privacy share these concepts.

THE MONTEVIDEO MEMORANDUM

One of the major driving forces in the shaping and forming of the Privacy Law in Mexico may be attributed to the commitment of Professor Lina Ornelas. Professor Ornelas obtained her Law Degree from the Faculty of Law at the University of Guadalajara, Mexico. She then obtained her Masters in Law and International Cooperation from the Vrije Universiteit Brussel in Belgium. Professor Ornelas has also developed her professional skills in the public sector in Mexico and Europe. She has successfully held positions in the Ministry of Economy, the State Department in Mexico and in the European Commission.[8] Due to her educational background and professional experience, one may state that she is an expert in the field of Personal Privacy Data Protection and International Human Rights. Additionally, she is in agreement with the protection of Third Generation Privacy Rights.

In March 2010, Professor Ornelas published an article in the Privacy Advisor for the International Association of Privacy Professionals. In this article, Professor Ornelas discussed many issues regarding the Montevideo Memorandum.[9] Professor Ornelas was one of the creators of the memorandum. The Montevideo Memorandum is a project sponsored by the Canadian Government through an agency called Centro Internacional de Investigaciones para el Desarrollo and the Agencia Canadiense de Desarrollo Internacional, Ottawa, Canadá.[10] The Memorandum is composed of recommendations.[11] The recommendations are meant to increase the protection of children who use Social Networks on the internet.
Other memorandum participants included Brazil, Spain, Uruguay, Ecuador, Chile, Colombia, Argentina and Mexico. Neither the FTC nor any agency of the U.S. sponsored or participated in the drafting of the Memorandum. However, representatives for Microsoft and Google and other members of the industry attended the workshop. According to Professor Ornelas, Microsoft and Google pledged that they fully supported any initiative that ensured the creation of a safer internet for children. She also indicated that the Congress of the Republic of Mexico, at the time, emphasized that Mexico needed a Federal Law which protected personal data. The Congress expressed that the Federal Law would include the Montevideo Memorandum's principles and it would include other international privacy standards. Thus, it could be said that the protection of children may have been one of the many catalysts which made Congress create the Privacy law. The framework is one that seeks to protect children and adolescents within a larger general law, a Lex Generalis. A perfect example of such generalized law is the European Union Privacy Directive.[12]

THE EUROPEAN INFLUENCE

On page 27 of the Montevideo Memorandum, under the heading "General Considerations," it states that in order to find consensus, rationality and a balance of privacy rights, and the risks involved in the information and knowledge society, it considered the following documents: 1) Settlement of the judicial conflict between the Federal Public Ministry of Brazil and Google (dated July 1st, 2008); 2) the Child Online Protection Initiative of the International Telecommunication Union (dated 18 May, 2009); 3) Opinion 5/2009 on online social networking, by the Article 29 of the European Working Group (dated June 12th, 2009); 4) the Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc.
(dated July 16th, 2009).[13] COPPA was not included as one of the documents considered.

MADRID RESOLUTION

On November the 6th, 2009, fifty DPAs from around the world announced the Madrid Resolution. The resolution was created in a closed door meeting. All countries' DPAs agreed with the resolution. Additionally, ten different multinational corporations agreed to implement the resolution.[14] The Mexican Privacy Law is almost a mirror image of the Madrid Resolution. Presumably, all 50 members will have to make their laws support the resolution. The Working Party has called upon the European Union Commission to reform the European Union Privacy Directives. The Working Party expressed that "[t]he basic principles for data protection, as laid down in the ‘Madrid Resolution’, should be the universal basis for such legislation."[15] It is fair to conclude that the Madrid Resolution will eventually become the standard for Privacy throughout the world. In theory, if ad networks, software makers and hardware makers create products which comply with the Madrid Resolution, there will be no conflict.

SIMILARITIES BETWEEN THE MEXICAN LAW AND THE EUROPEAN UNION PRIVACY DIRECTIVE

When the Mexican Privacy Law and the European Union Directives are compared, there are many similarities present. For example, Chapter 1, Article 3. V, defines personal data in the same manner the European Union Privacy Directives define personal data. Under the same chapter and article VI, Sensitive Personal Data is defined in the same manner it is defined in the European Union Privacy Directives. Additionally, the promotion of an “Information Society” is of great importance. The Law's concern for the “Information Society” appears to be as consistent as it is in the European Union Directives. Unfortunately, the definition of an "Information Society" is not included in the Law or the European Union Privacy Directives. Article 1 commences by describing the purpose of the Law.
The last sentence of Article 1 indicates that one of the objectives of the Law is to ensure privacy. Privacy is not defined in the law, and it is mentioned thirty-four times. The European Union Directives also fail to provide a definition for privacy.

One other similarity is the Corporate Binding Privacy Rules. The law allows the use of Corporate Binding Privacy Rules for the transfer and sharing of Protected Data. Data controllers are not required to ask for permission from the Data Protection Authority when using Corporate Binding Privacy Rules. The flow of information within a corporation and third parties may take place freely, as long as the corporation and third parties adhere to the Law and the Privacy Notice provided and authorized by the user. The user must be fully informed and must agree by his own volition to the dissemination, use and storage of his Personal Data.

After reviewing the Law, one may conclude that the Privacy Law of Mexico is influenced by human rights opinions and treaties, the Madrid Resolution, the European Union Privacy Directives, Working Party’s opinions, Working Party’s adopted documents, and case law developed in the European Union. Presumably, Mexico’s privacy law will be applied just as consistently as it has been applied today by the European Union and governments who have decided to protect privacy as a fundamental right.

EXPECTATIONS FROM THE DATA CONTROLLERS AND DATA PROCESSORS

The Privacy law requires strict adherence to the following principles:
I found some of the principles to be more problematic than others. For example, there is a need to have a written document if Sensitive Data will be processed. This document may be a physical document with the signature of the User, but it is also acceptable to use an electronic signature or any other method of authentication. When sensitive personal data is processed, there has to be a justification for the processing. There have to be concrete and lawful reasons for the processing of the data. Data Controllers and Processors shall afford users the same level of protection Data Controllers and Processors use for their own data.

WHAT MAY BE ENCOURAGING ABOUT THE LAW

I do not believe that this law may be more restrictive than laws currently used by some of the European Union Members. Most importantly, THERE IS NO COOKIE DIRECTIVE.[16] However, it remains to be seen if the Law assumes that the cookie directive is already built into the Law as written. As stated above, the exchange of information may be seamless when Data Controllers and Processors adhere strictly to the privacy policies authorized by the user. Corporations may communicate data with all other branches located in Mexico or abroad if they subject themselves to Binding Corporate Rules, but there is no need to request approval or file any document with the Institute. Whether or not this will be allowed under the administrative rules, it is not known. Additionally, the law supports self-regulation. It encourages industry to create rules and regulations that may be adopted into a deontological code. Copies and issuance of symbols of conformity may be issued and communicated to the authorities.

RIGHTS OF THE USERS

Users shall have the right to access, rectification, cancelation and objection of the data which is held by a controller. Nonetheless, this is subject to verification of identity.
The rights of users are also extremely similar to the Madrid Resolution.[17]

PENALTIES

Civil penalties are varied and the law lists a total of nineteen possible infractions. Whether or not the violations are all inclusive, I am not sure. What I know with certainty is the possible fines that may be imposed. Fines will vary between 100 minimum daily wages and 640,000 minimum daily wages. The minimum wage rate used shall be the one applied in Mexico City. The current minimum wage is about $6.00 dollars a day. Thus, the minimum fine is $600.00 dollars and the maximum is $3,880,000.00 dollars.

When it comes to criminal penalties, the grid below explains the possible criminal sanctions for violations of the law. The only criminalized offense is the illegal processing of protected data. The actual processing must take place for guilt to be found.

CONCLUSION

All things considered, the Mexican Privacy Law is not as strict as some of the European Union members' privacy laws. One benefit is that nothing has to be kept on file with the Institute. The only instance when something must be filed is when a complaint is launched, or there is an action taken by any authority. Currently, it is difficult to make accurate predictions of how the law will be enforced since rules and regulations are yet to be known by the public in general. Let's just hope that other countries, who choose to follow the Madrid Resolution, will enact laws that are not stricter.

If you want to contact me, you may email me at raulmendez1@earthlink.net or call 206.264.0849.

[1] http://www.ifai.org.mx/pdf/pot/marco_normativo/LFPDPPP.pdf
[2] Federal Institute of Access to Public Information (IFAI)
[3] Ms. Lina Ornelas is general director of classified information and data protection at the Federal Institute of Access to Public Information in Mexico.
https://www.privacyassociation.org/publications/2010_04_30_mexico_passes_federal_data_protection_act/
[4] http://www.youtube.com/watch?v=zE0G7q7DrbA
[5] http://www.unep.org/Documents.multilingual/Default.asp?DocumentID=97&ArticleID=1503
[6] http://www.un.org/geninfo/bp/enviro.html
[7] Supra, Footnote 3.
[8] As Deputy General Director of the Unit for Legislative Studies at the State Department, she was part of the group that first wrote the initiative of the Access to Information Act presented by President Fox to Congress, and then negotiated for its approval. She was later Deputy General Director for the Promotion and Defense of Human Rights at said State Department. Since 2003, Mrs. Ornelas is the General Director of Classified Information and Personal Data at the Federal Institute of Access to Public Information (IFAI), where she jointly drafted with the National Archives the general archival standards that apply to the federal government in Mexico. She currently is member of the Ibero-American Net for the Protection of Personal Data.
[9] http://www.iijusticia.org/esp_port_eng_fran.pdf
[10] Id.
[11] Memorandum sobre la protección de datos personales y la vida privada en las redes sociales en Internet, en particular de niños, niñas y adolescentes
[12] Directive 95/46/EC
[13] Supra, Footnote 1 at 27
[14] www.gov.im/lib/docs/odps//madridresolutionnov09.pdf
[15] The Future of Privacy Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, WP 168
[16] http://www.chiefprivacyofficers.com/1/post/2010/07/analysis-of-the-ec-cookie-directive.html
[17] Supra Footnote 14