Mexico: From 2010 to 2025 – Evolution of the new Federal Law on the Protection of Personal Data held by Private Parties

In brief

On 20 March 2025, the Decree issuing a new Federal Law on the Protection of Personal Data Held by Private Parties was published in the Official Gazette of the Federation. According to the Decree, the new law came into effect on 21 March 2025, repealing the 2010 Federal Law on the Protection of Personal Data Held by Private Parties.

Although the new law is similar to the 2010 law, the updated text establishes the Secretariat of Anti-Corruption and Good Governance as the new authority, incorporates changes to the definitions from the 2010 law, and sets certain obligations that will require privacy notices, internal policies and data processing agreements to be more precise.


Contents

Key takeaways

The most relevant changes in the new Federal Law on the Protection of Personal Data Held by Private Parties include:

  • The functions of INAI are effectively transferred to the Secretariat of Anti-Corruption and Good Governance.
  • Definitions of "databases," "public access sources", and "data controller", "processing", among others, are modified.
  • The possibility of processing personal data for purposes similar or analogous to those informed in the privacy notice is eliminated.
  • Union membership is no longer considered sensitive personal data.
  • Specific conditions for exercising the right to object, including automated processing through artificial intelligence systems, are established.
  • The chapter on regulatory authorities is eliminated, removing the powers of the Ministry of Economy in matters of personal data protection.
  • Amparo proceedings will be the recourse against decisions of the Secretariat of Anti-Corruption and Good Governance.
  • To reflect inclusive language, the terms "data subject" and "data controller" have been replaced by neutral terms.

In the section below, you will find a more detailed description of the changes introduced in the new law on personal data protection.

In depth

On 20 March 2025, a new law on personal data protection for the private sector was published in the Official Gazette of the Federation ("Decree"). The new Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) came into effect on 21 March 2025, repealing the 2010 law.

The publication of this new law stems from the Decree reforming, adding, and repealing various provisions of the Political Constitution of the United Mexican States, in terms of organic simplification. This decree was published in the Official Gazette on 20 December 2024, with the aim of dissolving the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI) and transferring its functions to the Secretariat of Anti-Corruption and Good Governance (SABG). Now, with the publication of the new LFPDPPP as secondary law, the INAI is effectively dissolved.

The most relevant changes in the new LFPDPPP are as follows:

Definitions. The new law introduces changes to several definitions, including:

  1. Databases: The LFPDPPP applies to databases regardless of their creation form or modality, type of support, processing, storage, and organization.
  2. Public access sources: These will not be considered as such when the information contained is obtained unlawfully or has an illicit origin.
  3. Data Controller: The updated text refers to definition of "Regulated Subjects", being private individuals or entities that process personal data. The reference to the data controller as the one who "decides" on the processing of personal data is removed.
  4. Processing: A more extensive definition is provided, determining that processing is any operation or set of operations performed through manual or automated procedures applied to personal data. It also more clearly defines activities constituting personal data processing, including recording, organizing, storing, disseminating, possessing, among others.
  5. Personal Data: Notably, the definition of personal data no longer includes the reference to information belonging to a natural person, leaving only the term 'person'.

Authorities' Powers. The new LFPDPPP replaces references to the INAI with the SABG, effectively transferring the INAI's functions to the Executive Branch. Additionally, the powers of the Ministry of Economy in personal data matters are removed. The Ministry of Economy had been notable for issuing the Privacy Notice Guidelines.

Also, it provides that the decisions of the SABG can be challenged through amparo proceedings. Note that on 13 March 2025, amendments to the Amparo Law were published, which could affect the substantiation of this recourse.

Obligations for Data Controllers. The 2025 LFPDPPP reaffirms the obligation of data controllers to establish controls or mechanisms to ensure the confidentiality of personal data by those involved in processing. This obligation must continue even after the termination of the data controller and those individuals.

Additionally, the new law eliminates the possibility of processing personal data for purposes compatible or analogous to those stated in the privacy notice. In such cases, the data controller must obtain the data subject's consent for new purposes.

Data Subjects' Rights. The updated law includes a provision allowing data subjects to object to processing when (i) the processing is automated, (ii) without human intervention, (iii) causes undesired effects on the data subject, and (iv) the purpose of the processing is to evaluate, analyze, or predict behavior, reliability, professional performance, among other aspects.

It also establishes that exercising ARCO rights may have a cost unless the data subject provides the necessary means or mechanism to reproduce the personal data.

Sanctions. The law explicitly states that fines will be calculated in UMAS, replacing the reference to minimum wages. It is noteworthy that the new law reused the sanction scenarios established in the 2010 law, leaving without sanction the general infringement mentioned in subsection XIX of article 58 of the new law. This section presents as a sanctionable infringement any non-compliance by the data controller with the obligations established in the LFPDPPP.

Conclusion

While the new LFPDPPP does not differ significantly from the 2010 law, the updated text includes certain provisions and modifications that will require privacy notices to be more precise regarding the purposes of processing and the personal data required for achieving those purposes. Therefore, it is important for data controllers to review their privacy notices and internal policies on personal data protection and the use of artificial intelligence.

Additionally, due to the change in the definition of "data controller," it is important for data processors to have a contract clearly stating that they act as data processors. Otherwise, they could fall within the definition of "data controller" and thus be required to comply with the associated requirements.


Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.