Mexico Takes Step Toward Data Privacy Interoperability
Jules Polonetsky
CEO @ Future of Privacy Forum | Advancing Responsible Data Practices
One of the challenges for data protection is figuring out how personal information can be sent abroad while ensuring that responsible privacy commitments are upheld. The Future of Privacy Forum works with companies, governments and civil society groups to develop and support models that advance this important goal.
Last week, the Mexican Institute for Federal Access to Information (IFAI) hosted an event in Mexico City to discuss the recently-announced “Parameters of Self-Regulation for the Protection of Personal Data.” FPF participated in this workshop along with representatives from the Mexican government, TRUSTe, EuroPriSe and the Better Business Bureau.
As described in opening remarks by the Secretary for Data Protection, under the new regulation, IFAI now has the authority to recognize codes of conduct for data protection and has developed a process through which an organization can be recognized as a certifying body for these codes. Under the new regulation, the Mexican Accreditation Agency will make a determination on applicant organizations against a set of recognition criteria. Successful applicants will then receive formal recognition as certifying entities from the Ministry of the Economy.
This approach mirrors the process developed as part of the Asia Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system in several key ways. First, the certifying organizations contemplated under this approach serve the same function as “Accountability Agents” under the CBPR system, and both approaches require formal recognition based on established criteria. Second, the standards to which these organizations will be certifying companies are both keyed to Mexico’s Federal Law on the Protection of Personal Information (the legal basis for Mexico’s participation in the CBPR system). Given these parallels in both process and substance, a company that receives CBPR certification in Mexico should also be able to attain recognition under this approach. But perhaps most importantly, CBPR certification should allow a company to avail itself of the incentives offered under Mexican law.
Article 68 of the implementing regulations of the privacy law encourages the development of self-regulatory frameworks and states that participation in a recognized framework (such as the CBPR system) will be taken into account in order to determine any reduction in sanctions determined by IFAI in the event of a violation of the privacy law.
What makes this development so critical to global interoperability is that it serves as a model for other APEC member economies to consider how an enforceable code of conduct based on an international standard can be successfully incorporated into a legal regime – including extending express benefits to certified companies. It remains to be seen how other APEC economies will manage this task – but Mexico’s approach offers a promising start.
Jules Polonetsky is executive director of the Future of Privacy Forum, a think tank focused on advancing responsible data practices.
Photo: Christian Frausto Bernal / Flickr
Global Data Privacy Attorney & Public Policy Expert
10 years ago
Hi Jules, to add to your comments, I'd point out that the recent Mexican co-regulatory scheme should make it easier for foreign companies to carry out international personal data transfers. And I'm talking about US companies here as the United States has become the first participant in the CBPR system since July 2012. Other foreign companies should follow once their countries adopt the CBPR system. (More information about this in https://cedriclaurant.com/2013/11/07/mexico_s_new_self-regulatory_certification_system/. Although these comments are still based on the earlier version of Mexico's “Parameters of Self-Regulation for the Protection of Personal Data” of Jan. 2013, they are still valid for the most part). One little correction: you refer to Art. 68 of the implementing Mexican Regulations, but it should be Art. 81 (see English translation of the final version of the Regulations of Dec. 21, 2012 at https://inicio.ifai.org.mx/English/2%20Regulations%20to%20the%20FLPPDHPP.pdf), which has slightly changed in language and now provides, in addition to what you wrote, that "the [IFAI] may decide upon other incentives for the adoption of self-regulation arrangements, as well as mechanisms to facilitate administrative proceedings before it". For Spanish speakers, also check more information at: https://cedriclaurant.com/2014/02/25/autorregulacion_y_proteccion_de_datos_ventajas_competitivas_para_su_empresa/.