Foreign multinational companies doing business in Mexico, or with Mexican companies, and wishing to streamline their international data transfer flows should take note of a recent development. A sophisticated self-regulatory system is being implemented, and will be deployed from the end of this year. This will benefit all companies seeking a flexible way to comply with the Mexican data protection legal framework from next year's first quarter.
In January of this year, Mexico's Ministry of Economy published the Parameters for a Binding Self-Regulatory Certification System, as part of efforts to help companies doing business in Mexico comply with the country's data protection legal framework. It is also part of promoting compliance with the law among Mexican companies, and of implementing the Asia Pacific Economic Co-operation's (Apec) Cross-Border Privacy Rules (CBPR) framework in the national legal system. In the same month, Apec announced that Mexico had become the second formal participant in the CBPR framework, following the United States, which became the first formal participant in July 2012. In September, the Mexican Data Protection Authority (IFAI) established the Operating Rules of the Registry of Binding Self-Regulatory Data Protection Schemes.
The binding self-regulatory certification scheme
Mexico has adopted two complementary ways for companies processing personal data to abide by its data protection legal requirements: by following the law, and by voluntarily adopting so-called binding self-regulatory data protection schemes, through which they will be able to demonstrate to the IFAI that they not only comply with the letter of the law, but also intend to comply with its spirit. The Mexican Data Protection Law itself (the so-called Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or LFPDPPP) is considered the bare minimum to comply with: it may be complemented by self-regulation – which we cover in this article – or by sectoral regulations. This is why the system should actually be called "co-regulatory" rather than "self-regulatory", since it must comply with the current data protection legal framework.
Companies established in Mexico, or otherwise subject to the LFPDPPP, may decide to voluntarily develop flexible ways to comply with the law through binding data protection self-regulatory schemes, or to make sure what they implement internally (codes of conduct, corporate privacy policies, binding corporate rules, training programs or privacy trustmarks) is recognised as complying with the law. For this, they must abide by certain minimum requirements before the IFAI can validate their schemes. The Parameters establish the framework through which it will be possible to correctly develop and implement binding self-regulatory data protection schemes in Mexico, with a view to getting them approved by the IFAI.
The principal objectives of the Parameters are to:
- enable data controllers to demonstrate to the IFAI their compliance with the data protection legal framework;
- harmonise their data processing operations;
- adapt and complement what the law prescribes to their specific sector or industry; and
- facilitate the exercise by data subjects of their rights under the law.
The Parameters also:
- encourage data controllers to obtain certifications that demonstrate compliance;
- promote accountability by data controllers and their adoption of company policies that are consistent with external criteria (such as through privacy maturity analysis grids);
- promote mechanisms aimed at implementing privacy policies, tools, continuous internal supervision, risk assessments, external and internal verifications and remediation systems; and
- publicise data controllers' self-regulatory schemes to the public through their registration in a registry.
Among the benefits of a self-regulatory scheme for a company are the following:
- the IFAI will take the scheme into account when determining the extent to which fines against an infringing company are reduced, should a company that has implemented and registered the scheme with the authority violate the law in the future;
- it reflects or enhances a company's good reputation to clients and customers;
- it offers a system by which a company can document and register its compliance with the data protection authority, which it can also show to clients and customers;
- it facilitates international data transfers; and
- it enables companies to use alternative dispute resolution mechanisms, thereby possibly saving on litigation expenses.
It is worth noting that although registration of a data controller's self-regulatory scheme with the IFAI's registry is compulsory – to make public the characteristics of the scheme to all data subjects – the certification is not: companies are free to seek it via consulting or law firms offering certification and compliance services. However, a data controller can only maintain its registration up to date through a certification process, which ensures that registration is always current.
The Parameters' certification process for certifiers and accreditation companies has been designed with a 4-tier scheme (see graphic opposite) in which the IFAI is at the top of all certification entities, with accreditation entities next, then certifiers, and data controllers at the bottom.
The various stakeholders of the self-regulatory certification system are:
- The IFAI: the Mexican Data Protection Authority will verify how effectively the schemes comply with the data protection legal framework. It will authorise, suspend or revoke their registration in its registry, and will also accredit the accreditation entities themselves. It also has the power to validate evaluation instruments and accreditation procedures; mandate accreditation entities or certifiers to suspend or revoke accreditations; verify compliance; request information from all actors involved; and organise visits to their premises. The IFAI will also maintain all relevant information about the schemes and their stakeholders (accreditation entities, certifiers, data controllers and data processors) in its public registry.
- Accreditation entities: in order to be authorised by the IFAI to operate, the most important requirement is that they demonstrate through various operational measures that they will be able to work with impartiality, independence and integrity, and avoid conflict-of-interest situations. They will be in charge of accrediting certifiers in their role and of making sure they do their job correctly, suspending or revoking them if necessary. As impartial entities, they will not be able to provide consulting services that may affect their impartiality where, for example, advising certifiers and data controllers or processors may generate conflicts of interest. The entity most likely to be designated for that role is the Mexican Institute of Normalisation and Certification.
- Certifiers (known as accountability agents in Apec's parlance): they are in charge of determining whether data controllers and data processors can get their data processing operations, policies, programs and procedures approved as a self-regulatory data protection scheme in compliance with the data protection legal framework, and of awarding that certification. They are accredited by the accreditation entities. They will be in charge of handling certification requests from data controllers and processors, and of renewing, maintaining, suspending or revoking the certifications they award, or modifying their scope. Like accreditation entities, certifiers will have to demonstrate that they are able to work with impartiality, independence and integrity, and avoid conflict-of-interest situations with data controllers and processors. As a result, they may not provide consulting services to data controllers or processors where doing so may generate conflicts of interest.
The self-regulatory data protection schemes companies could seek, get certified for, and register with the IFAI in Mexico, can be as diverse as the following:
- Privacy trustmarks or seals: certification marks or guarantees issued by a certifying entity that verifies an organisation's compliance with certain specified privacy standards that aim to promote consumer trust and confidence in e-commerce.
- Corporate privacy policies: companies' privacy policies whose main purpose is to inform consumers about the kind of information companies may collect from them and how this information may be used. Such a policy may, for example, consist of a notice to the data subject about a company's data processing practices; information to the data subject with regard to the use and dissemination of personal data collected from or about them; the possibility for the data subject to obtain access to the personal data collected and stored about them by the company; and the measures taken by the company to ensure the security and integrity of any personal data collected and further processed.
- Codes of conduct: commitments or general guidelines made voluntarily by businesses, organisations, associations or other entities that set out standards of behaviour or practices for conducting business activities in the marketplace, and that guide the decisions, procedures and systems of an organisation in a way that contributes to its key stakeholders' welfare and respects the rights of all constituents affected by its operations.
- Data protection certifications: independent verification or certification by a reputable third party in order for a data controller to demonstrate its compliance with its data protection obligations. Such certification would, as a minimum, indicate that data protection controls have been subject to audit or review against a recognised standard meeting specific requirements by a reputable third party organisation.
Figure 1: Four-tier certification scheme
The IFAI's Registry Operating Rules
In September, the IFAI published the Operating Rules of the Registry of Binding Self-Regulatory Data Protection Schemes. These rules define and prescribe the operational aspects and procedures necessary for the Registry to function; list the general characteristics of the Registry and the procedures to follow to register a binding self-regulatory certification scheme, an accreditation entity, an accredited certifier or a certification awarded to a data controller or data processor for its self-regulatory data protection scheme.
The Registry will include all self-regulatory data protection schemes approved by the IFAI, as well as all accreditation entities, certifiers, and all data controllers and processors whose schemes have been approved. Its aim is to make available to the public the information they need to know about the companies, data controllers or data processors that have obtained certifications, the scope and type of those certifications, and the criteria and procedures used by certifiers to certify companies.
The IFAI will start receiving applications from companies wishing to become accreditation entities from late October or early November of this year, and from organisations that wish to establish themselves as certifiers from March 2014.
1. Mexico's new self-regulatory certification system will soon become operational. It will help foreign companies comply with the country's data protection legal framework.
2. The new self-regulatory certification system in Mexico is a way for companies to avoid sectoral regulations in the future. We therefore recommend it as an opportunity to establish self-regulatory data protection schemes and adapt to the specific sector or industry.
3. The data protection schemes can be any of the following: codes of conduct, corporate privacy policies, binding corporate rules, training programmes or privacy trustmarks or seals.
4. Such schemes have advantages for data controllers:
- they are a way to demonstrate compliance to the Mexican Data Protection Authority;
- any fines the Authority might impose will be diminished, should they be found to have violated the law;
- they promote the company's good reputation with its clients; and
- they facilitate international data transfers between their subsidiaries based in Mexico or with Mexican business partners.
5. Key dates to remember:
- for companies wishing to become accountability agents (certifiers) in Mexico: filing becomes first available in March 2014;
- for companies that intend to establish a self-regulatory data protection scheme: start the process now; file a bit after March 2014.
Are the self-regulation rules relevant for other countries?
The Mexican Binding Self-Regulatory Data Protection Schemes have relevance for foreign companies outside Mexico for several reasons:
- In cases where a company is from a country that does not belong to the Apec region: any company from such a country that intends to develop business with Mexico will probably need to start transferring personal data between its head office and its Mexican business partners. In such cases, it is that country's regulations that will dictate how such transfers need to be protected. It will be easier for those companies to transfer personal data if the business based in Mexico can show that it has obtained certification for its self-regulatory scheme, which demonstrates that it has reached a more mature state of compliance by having gone through a self-regulatory certification process.
- In cases where a company is from the United States (an Apec economy): a US company is generally not subject to any restrictions with respect to its transborder data flows to Mexico. It can transfer personal data to its Mexican business partners or other data recipients without legal obstacles. However, should that same company wish to receive data from a company established in Mexico, Mexican law restricts such transfers, and the recipient company will have to sign the appropriate data transfer agreements. Since both the United States and Mexico have recently been recognised as complying with the CBPR, once the Department of Commerce in the United States and the Ministry of Economy in Mexico have finalised the gap analysis of their respective CBPR, it should be possible for companies from both countries, certified by accountability agents from either country, to have their international transfers automatically authorised, without the need to review international data transfers on a case-by-case basis.
Cédric Laurant
Cédric Laurant is an attorney-at-law with Dumont Bergman Bider in Mexico City, where he is in charge of the areas of IT, data privacy and copyright law. He advises local, US, European and other foreign companies doing business in Mexico about Mexican IT law, global data privacy issues, and related information security and information governance matters.
Cédric has been working for more than 15 years in the US, Europe and Latin America on data privacy issues as a lawyer, public policy expert, academic and consultant on international projects in the areas of internet law, e-commerce, social media, telecommunications, information governance and information security for international organisations, governments, private companies, trade associations and public interest organisations.
Between 2002 and 2004, Cédric participated in the drafting and negotiation of Apec's Privacy Framework as a representative of civil society in the US delegation.
Cédric participates in, and frequently speaks at, conferences around the world as an expert on international data privacy and public policy issues. He has testified in these areas before the US Congress and the European Parliament.
He is a member of the District of Columbia Bar and a graduate of the Université Catholique de Louvain Law School (Belgium), with a Master of Laws from Columbia Law School (New York).