What you need to know
New law in forcé
On March 20, 2025, Congress approved the new Federal Law on the Protection of Personal Data Held by Private Parties.
It was published that same day and entered into force on March 21, repealing the previous law.
Broader definitions.- A person is now considered identifiable if their identity can be determined directly or indirectly through any information.
Expanded definition of processing.- “Processing” includes any manual or automated action on personal data—from collection and storage to disclosure or deletion.
Binding self-regulation.- Organizations may adopt binding self-regulatory schemes in collaboration with civil society groups, as long as they notify the authorities and the Secretary of Anti-Corruption and Good Governance.
New privacy notice requirements.- Controllers must inform individuals—clearly and fully—about how their personal data will be processed, enabling informed decisions.
End of broad consent.- The exception allowing data to be used for compatible or analogous purposes has been eliminated.
Processing must now be necessary, relevant, and appropriate in relation to the stated purpose in the privacy notice.
Minimum processing duration.- Controllers must make reasonable efforts to limit the duration of data processing to the minimum necessary.
Confidentiality with controls.- The new law requires the implementation of mechanisms and controls to ensure confidentiality at every stage of processing.
Previously, confidentiality was only required on an individual basis, without mandatory structural controls.
Specialized courts.- Resolutions may be challenged before specialized courts in data protection and access to information.
The Federal Judiciary must create these courts within 120 calendar days from March 21, 2025.
Suspension of timelines.- All ongoing administrative procedures, legal proceedings, and appeal mechanisms will be suspended for 90 days, except for the reception and processing of information requests, starting March 21, 2025.
All ongoing amparo proceedings related to personal data and access to information are suspended for 180 calendar days, starting March 21, 2025.
Authors:
Rafael Amador, Senior Associate
Email: ramador@rrs.com.mx
Daniela Márquez, Associate
Email: dmarquez@rrs.com.mx
Sofía Castañeda, Associate
Email: scastaneda@rrs.com.mx
Rafael Soriano
Email: rsoriano@rrs.com.mx
Andrea Ramos
Email: nramos@rrs.com.mx