In the frame of the International Data Privacy Day celebrated around the world every January 28, it is worthy to remember the relevance gained worldwide by this subject matter as time goes by, as well as to briefly examine the developments occurred in this field of law in Mexico.
Although Mexican Data Privacy Law for the private sector enacted in 2010 certainly requires by now some enhancement for making it adequate to the most advanced international standards, it also has to be recognized that it provides an integral scope of this subject matter, from a human rights perspective, and including the most relevant data privacy principles recognized internationally, which provides data subjects who are more and more aware of the value of their personal information, with useful tools for the protection thereof.
As token of this are the increasing surveillance and enforcement activities carried out by the Mexican Data Privacy Regulator (for its initials in Spanish INAI), which during the year 2022 imposed fines corresponding to a sum of 60 million Mexican Pesos. This according to Official Communication number INAI/008/23, issued in January 2023.
The most sanctioned sectors were those corresponding to "other services"; mass media information; financial and insurance services; and waste management and remediation services.
The most frequently sanctioned activities were collecting personal information in contravention to the principles set forth in Mexican Data Privacy Law; collecting and transferring personal information without the express consent of data subjects, as well as omitting in the Privacy Notice some of the requirements established in the Law.
In the same official communication INAI informed that in 2022, 119 proceedings for the imposition of sanctions were started, being the case that 78 of them were resolved, thus deriving in the imposition of fines. Likewise, in 2022, 249 ARCO rights violation proceedings were filed, while only 50 proceedings of this nature were started in 2012.
Another interesting disclosure made by INAI is that during 2022, 1068 complaints were filed, in connection with the illegal use of personal information in the private sector, and 101 complaints were filed in connection with the public sector. INAI resolved 901 out of those 1068 complaints in the private sector, while 167 remain under prosecution; and in the public sphere, INAI resolved 87 out of the 101 complaints, while 14 remain under prosecution.
As you can see from these statistics, INAI is increasingly gaining traction showing the relevance that data privacy gains year after year in the regulatory landscape in Mexico, and the relevance that this subject matter must have in any company that collects personal information.
However, assessing the significance of the compliance with Mexican data privacy legal framework, by only considering the need of avoiding the possible imposition of fines by INAI, would represent a very limited and shortsighted business vision.
The agenda discussed throughout this week in celebration of International Data Privacy Day, consists of the relevance that this subject matter has in the frame of the 2030 Sustainable Development Goals (SDG's) established by the United Nations.
By now it should be clearly understood by every single company that the 17 SDGs of the UN 2030 agenda goes beyond a mere political speech, or a utopian ideal aimed at eradicating poverty, protecting the planet and securing welfare for everyone.
Just to give an example, one decade ago there were no serious discussions among Mexican entrepreneurs about inclusivity, gender equality or
sustainable development, but now these are the topics leading the agendas of many companies and the ones that determine the reputational value thereof, being the achievement of these SDG's the ones that will ensure the permanence, growth, and transcendence of companies in the present and for the future.
It is in this context that Data Privacy as a human right has a vital relevance for the achievement of UN SDG's. Perhaps this significance is more noticeable in connection with SDG's numbers 3 (GOOD HEALTH AND WELL BEING) and 5 (GENDER EQUALITY); however, a deeper analysis of each SDG will show in a clear manner that if a data protection management program is not in place in every company, it will be impossible for them to attain these SDG's.
Let me finish by saying that although year 2030 may still seem to be far away in the future, the deadline fixed for the attainment of these SDG's will arrive sooner than we think and companies failing in complying with them will not be able to conduct their business as they have been doing it until today, thus suffering a remarkable competitiveness lose, reason why implementing an adequate data protection management program must be at the top of the Governance agenda of every company, and actions aimed at achieving this goal must be taken with all seriousness and readiness.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.