In brief
On 20 March 2025, the decree enacting the General Law of Transparency and Access to Public Information, the General Law for the Protection of Personal Data in Possession of Obligated Entities, the Federal Law for the Protection of Personal Data in Possession of Private Parties, and the amendment to Article 37, Section XV, of the Organic Law of the Federal Public Administration was published in the Official Gazette of the Federation ("DOF").
On 21 March 2025, amendments to the Internal Regulations of the Anti-Corruption and Good Governance Secretariat were published in the DOF and the Internal Regulations of Transparency for the People were issued.
Among other things, the new legal framework eliminated the National Institute of Transparency, Access to Public Information and Protection of Personal Data as the autonomous guarantor body in this area, incorporated new criteria to restrict access to public information, and recognized tacit consent as a general rule for the processing of personal data.
Finally, in two draft amendments to the Law of Acquisitions, Leases and Services of the Public Sector and the Public Works and Related Services Law, the Congress would eliminate the tool created in 1996 to make government purchases transparent, CompraNet. All that is missing is their publication in the DOF, which is expected soon.
Detailed
In practice, the reforms to these laws, in combination with recent reforms to the amparo law, limits effective recourse against government lack of transparency because of the incorporation of the Transparency for the People entity, which is part of the executive branch of government. In addition, the reforms create broad and vague new bases on which the government can keep information secret, such as “social peace,” “harm to the interests of the State” among others.
Regarding the transparency law, the reforms to the law also limit effective recourse, and broaden the categories of agencies protected by this law, to include unions and government contractors.
Finally, the data privacy law applicable to private industry has been amended to allow for self-regulation. It also established that the data controller is the person who processes personal data, not the person who "decides" on its processing, and it changes some of the requirements for simplified privacy notices.
The main provisions of the new legal framework are as follows:
1. General Law of Transparency and Access to Public Information
- Establishes the principles, bases and procedures to guarantee access to information held by any public entity, which must proactively make relevant and updated information available to the public.
- Determines that the human right of access to information includes requesting, researching, disseminating, seeking and receiving information.
- Eliminates the power to file unconstitutionality actions or constitutional controversies regarding acts that violate the rights and principles established in the law.
- Regulates the National System of Access to Information (formerly the National Transparency System, in charge of coordinating and evaluating the transversal public policy of transparency and access to public information.
- Creates specialized courts and tribunals to hear amparo proceedings against acts of guarantor authorities. To implement this measure, the deadlines and procedural terms of the amparo proceedings in process were suspended for 180 calendar days.
- Determines new causes for reserving public information such as social peace, if the damage that may be caused by the publication of the information is greater than the public interest in knowing it, if the information may cause damage to the State's interest, information on Federal Government programs, among others.
2. General Law for the Protection of Personal Data in the Possession of Obligated Parties
- Establishes the bases, principles and procedures to guarantee the right of all persons to the protection of their personal data in possession of obligated parties (public entities), ensuring their confidentiality and security.
- Gives a new definition of obligated subjects, in which it establishes that unions and any private party or legal entity that receives public resources or performs acts of authority, are no longer subject to this Law.
- Eliminates the non-conformity appeal for the defense of the rights of private parties, being the amparo the only means of challenge against the actions of the authorities.
- The regulated entities must create internal policies for the management and treatment of data, clearly establish the functions and obligations of the personnel involved in the treatment of data, carry out risk analysis of personal data and periodically monitor the security measures implemented.
- Establishes a catalog of security breaches with respect to the processing of data, which are unauthorized loss or destruction, theft, loss, use, access, processing, damage, alteration or unauthorized modification.
3. Federal Law for the Protection of Personal Data in Possession of Private Parties
- Regulates the principles and procedures to guarantee the right of private parties to the protection of their personal data.
- Empowers private parties to agree among themselves or with civil or governmental, national or foreign organizations, binding self-regulation schemes on the matter, with mechanisms to measure their effectiveness in data protection, as well as consequences and effective corrective measures in case of non-compliance.
- Self-regulatory schemes may take the form of codes of ethics or good professional practice codes, seals of confidence or other mechanisms; they may contain specific rules or standards to harmonize the processing of data and facilitate the exercise of the rights of data subjects.
- Defines "controller" as the private parties that manages personal data, broadening the spectrum of obligations to any private party who handles data, even as "data processors".
- Eliminates the obligation to inform in the simplified privacy notices which data will be used, does not establish the way private parties may be informed about changes in the privacy notices and modifies the requirements that such notices must contain.
Regarding the development and chronology of this law, see "Mexico: From 2010 to 2025 – Evolution of the new Federal Law on the Protection of Personal Data held by Private Parties".
4. Internal Regulations of the Anticorruption and Good Governance Secretariat
- The Anti-Corruption and Good Governance Secretariat will have a deconcentrated administrative body called "Transparency for the People", in charge of the transparency of information of the federal public administration.
- 18 transparency authorities are incorporated, one for each power and autonomous bodies at the federal level, as well as for political parties and unions.
- The National System of Access to Public Information and the National Transparency Platform will be under the Anti-Corruption and Good Governance Secretariat.
- At the local level, the authorities in charge of transparency will be the state and/or municipal comptrollers.
5. Internal Regulations of Transparency for the People
- Created as a decentralized body of the Anti-Corruption and Good Governance Secretariat, with technical and operational autonomy.
- Its purpose is to guarantee transparency and access to public information, coordinate and technically support the bodies of the National System of Access to Public Information, propose and execute policies and practices in transparency matters, and legally represent the decentralized administrative body in different areas.
- Its head will be appointed by the head of the Federal Executive. The head of the body has non-delegable powers.
- It suspends for a period of 45 working days all the formalities, procedures and other means of appeal established in the Laws regarding access to public information and protection of personal data.
