On March 20, 2025, the evening edition of the Federal Official Gazette published a decree (the "Decree") enacting the General Law on Transparency and Access to Public Information ("LGTAIP"), the General Law on the Protection of Personal Data Held by Public Sector Entities ("LGPDPPSO"), the Federal Law on the Protection of Personal Data Held by Private Parties ("LFPDPPP"), and amending Article 37, Section XV, of the Organic Law of the Federal Public Administration ("LOAPF"). The Decree entered into force on March 21, 2025, and aims to align transparency and data protection laws in light of the dissolution of the National Institute for Transparency, Access to Information and Personal Data Protection ("INAI") and its counterparts at the state level.

Key Changes to the LGTAIP

  • At the federal level, Transparency for the People (Transparencia para el Pueblo), a decentralized administrative body under the Secretariat of Anti-Corruption and Good Governance (the "Ministry"), will replace the INAI as the authority responsible for guaranteeing the right of access to public information.
  • At the local level, constitutionally autonomous bodies specialized in access to information and data protection will be replaced by internal control bodies or their equivalents within the executive branches of the states, which will also handle transparency matters concerning municipalities or boroughs.
  • The right of access to public information will also be guaranteed by the oversight and disciplinary body of the Judiciary; internal control bodies or equivalents of autonomous constitutional bodies; internal oversight offices of the Federal Congress; the National Electoral Institute (with respect to public information held by political parties); the Federal Center for Labor Conciliation and Registration; and the Federal Court of Conciliation and Arbitration (in relation to information held by labor unions), as well as internal oversight bodies or their equivalents within the legislative and judicial branches and autonomous constitutional bodies at the state level.
  • The new LGTAIP expressly requires obligated entities to document every act arising from the exercise of their powers, authorities, or functions.
  • Information may be classified as restricted if its disclosure:
    • Would cause greater harm than the public interest in accessing the information, provided it is directly related to administrative or judicial proceedings that have not been concluded with finality; or
    • Would jeopardize the operation or integrity of technological, energy, space, satellite, telecommunications, or defense systems developed, acquired, or operated directly or indirectly by the Federal Government, as well as facilities, infrastructure, projects, plans, or services that are strategic, high-priority, or related to national defense.
  • Statements regarding the existence or non-existence of complaints, reports, or administrative proceedings against public servants or private individuals that are still pending or have not resulted in a final sanction shall be considered confidential information.
  • Appeals before Transparency for the People against decisions issued by guarantor bodies will only be admissible in relation to information requests concerning federal public funds.
  • Unlike the INAI, Transparency for the People will not have the authority to file constitutional challenges or actions in constitutional controversy related to transparency and access to information.

Key Changes to the LGPDPPSO

  • The Ministry shall not be authorized to review decisions issued by oversight bodies of the federative entities regarding the protection of personal data held by obligated entities.
  • The Ministry shall not have the authority to file constitutional challenges or actions in constitutional controversy concerning the protection of personal data held by obligated entities.

Key Changes to the LFPDPPP

While the new LFPDPPP retains several of the core principles established under the previous legal framework,1 it introduces substantial changes that reshape the country's approach to data protection: 

  • The powers previously held by the INAI have been transferred to the Ministry, which now fully assumes the functions of oversight, investigation, enforcement, and public outreach in this area.
  • The scope of the LFPDPPP now expressly includes data processors, meaning that anyone involved in the processing of personal data (regardless of whether they determine the purposes or means of such processing) is directly subject to the law.
  • The law mandates the creation of a National Registry of Data Controllers, requiring all individuals and legal entities in the private sector that process personal data to register. This registry will include key information such as the types of data processed, purposes of processing, data retention periods, and data transfers. Specific requirements will be detailed in secondary regulations.
  • The definitions of key terms such as "consent,"2 "personal data,"3 "privacy notice,"4 and "publicly accessible sources" have been updated. Express consent remains required for the processing of sensitive and financial data. Furthermore, information that has been obtained unlawfully or originates from illegal sources will not be considered a publicly accessible source, in accordance with the LFPDPPP and other applicable legal provisions.
  • The LFPDPPP incorporates the principles of data minimization, purpose limitation, and proactive accountability, and clarifies the meaning of each.
  • Anyone involved in the processing of personal data (including employees and external service providers) will be required to maintain confidentiality even after their relationship with the data controller ends. To comply with this obligation, organizations must implement internal policies, provide training programs, and include appropriate contractual clauses.
  • Data subjects will retain their rights of access, rectification, cancellation, and objection ("ARCO Rights"). The right to rectification of inaccurate data and the right to object will also extend to automated decision-making processes that produce significant effects. Additionally, the procedure for revoking consent has been clarified to ensure greater control by data subjects.
  • The transitory regime provides for the creation of specialized federal courts for data protection matters within 120 calendar days from the LFPDPPP's effective date. Ongoing amparo proceedings will be suspended for 180 days, and those initiated before the law's entry into force will be resolved under the prior legal framework, now under the Ministry's jurisdiction.
  • The transitory regime also establishes a 90-calendar-day suspension period, starting from the effective date of the Decree, for all proceedings, legal remedies, and procedures under the responsibility of the now-defunct INAI, except for information requests submitted through the National Transparency Platform.
  • The LFPDPPP is grounded in a human rights–based approach and incorporates the pro persona principle, which requires data protection rules to be interpreted in the manner most favorable to the data subject.

Implementation Challenges and Legal Risks

The LFPDPPP incorporates several provisions from the public sector data protection framework. While this harmonization aims to enhance coherence, it also poses significant compliance challenges for the private sector, including:

  • The effective implementation of the LFPDPPP will largely depend on the issuance of technical standards and complementary regulatory guidelines, which are expected to address key issues such as complaint handling procedures, data interoperability mechanisms, and general compliance frameworks.
  • The LFPDPPP still does not establish clear criteria or specific mechanisms for international transfers of personal data, leaving companies without defined guidance on how to ensure the legality of cross-border data flows, thus creating uncertainty for multinational operations.
  • The transitory regime only provides for specialized courts in amparo proceedings. Since this authority now stems from secondary legislation and not from an autonomous constitutional body, nullity proceedings may be interpreted as an alternative remedy.
  • The reaffirmation of implied consent expands the scenarios in which a data subject's authorization may be presumed, potentially weakening transparency and making it more difficult to enforce personal data protection rights.
  • The LFPDPPP allows for the processing of personal data without consent in a broader range of situations, including those based on general legal provisions or non-binding mandates. This could create uncertainty regarding the boundaries and exceptions to the consent requirement.
  • Simplified privacy notices are no longer required to inform data subjects of the categories of personal data being collected, nor to notify them of their ARCO rights or of changes to privacy practices. This may impair individuals' ability to make informed decisions about the use of their information.
  • New compliance obligations are imposed on private entities (such as the requirement to provide information to the Ministry upon request), while institutional oversight mechanisms appear to have been weakened, as the Ministry is no longer required to report to Congress, raising potential concerns regarding accountability.
  • The LFPDPPP does not require privacy impact assessments for processing activities that involve high risks, despite their proven usefulness in cases involving sensitive or large-scale data.
  • Strict deadlines and formal requirements remain in place, which may continue to limit the accessibility and effectiveness of mechanisms for data subjects to exercise their rights.
  • The LFPDPPP significantly broadens the range of administrative sanctions for non-compliance. However, until the relevant regulatory provisions are issued, significant uncertainty will persist regarding the criteria, scope, and proportionality of such sanctions in practice.
  • The second paragraph of Article 6 states that the data controller must prioritize the protection of the data subject's interests. This language is ambiguous and may lead to varied legal interpretations and additional obligations for data controllers.
  • The definition of "consent" as an "informed" expression of will may create confusion with the concept of "informed consent" used in other contexts—such as the healthcare sector—where the term entails additional, specific requirements.

In general terms, while this reform represents a structural shift in Mexico's data protection landscape, its successful implementation will depend on clear supplementary regulation, practical guidance, and careful interpretation—particularly for companies that handle sensitive data, large-scale processing, or international data transfers.

1 Such as lawfulness, consent, purpose, proportionality, and accountability.
2 Consent: A free, specific, and informed expression of will by the data subject through which the processing of their personal data is carried out.
3 Personal Data: Any information relating to an identified or identifiable individual. An individual is considered identifiable when their identity can be determined, directly or indirectly, through any information.
4 Privacy Notice: A document made available to the data subject (physically, electronically, or in any other format) by the data controller at the time their personal data is collected, for the purpose of informing them about the intended purposes of the data processing.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
