On March 20, 2025, a decree was published in the Diario Oficial de la Federación (Official Gazette of the Federation) introducing significant reforms in the areas of transparency and data protection. This decree includes the enactment of the General Law on Transparency and Access to Public Information, the General Law on the Protection of Personal Data Held by Obligated Entities, and the Federal Law on the Protection of Personal Data Held by Private Entities. Additionally, it amends Article 37, Section XV, of the Organic Law of the Federal Public Administration.
The General Law on Transparency and Access to Public Information aims to guarantee the human right to access information while promoting transparency and accountability. Its most relevant provisions include:
The most significant changes compared to the repealed law include the dissolution of the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI) and the transfer of its functions to the newly created Secretariat of Anti-Corruption and Good Governance. The new law promotes socially responsible transparency, encouraging the publication of useful information on priority topics and fostering its reuse. Additionally, it emphasizes digitalization and the use of information technologies to facilitate access to public information. The administration of the National Transparency Platform will now be handled by the Secretariat of Anti-Corruption and Good Governance, with specific modules for managing access requests, appeal mechanisms, and communication between oversight authorities and obligated entities.
In terms of enforcement, the law details sanctions and corrective measures for non-compliance, including fines and the possibility of filing complaints with the relevant authorities in cases of alleged criminal offenses.
The General Law on the Protection of Personal Data Held by Obligated Entities aims to protect personal data held by obligated entities (government authorities) while ensuring individuals' right to data protection. Key provisions include:
The most significant changes compared to the repealed law include mandatory data protection impact assessments to identify and mitigate potential risks. Additionally, ARCO rights are expanded to include data portability and the right to obtain a copy of personal data in a structured electronic format. The Secretariat of Anti-Corruption and Good Governance assumes the functions previously held by INAI, including law interpretation, appeal resolution, and enforcement of sanctions.
The Federal Law on the Protection of Personal Data Held by Private Entities regulates the lawful, controlled, and informed processing of personal data by private entities, ensuring individuals' privacy and their right to informational self-determination. Key provisions include:
The most relevant changes compared to the repealed law include updated definitions related to the privacy notice, consent, sensitive personal data, and data processing. The definition of data processing is expanded to cover both manual and automated processes, with specific criteria for determining when a person is identifiable. Additionally, public access sources are redefined to exclude information of illicit origin, and data transfers are now explicitly allowed both within and outside Mexico.
Regarding core principles, the scenarios in which data subject consent is not required have been modified, broadening exceptions to include any applicable legal provision and recognizing the exercise of rights as a valid exemption. The law also strengthens the obligation for data controllers to provide clear and accessible information about the main characteristics of personal data processing, enabling data subjects to make informed decisions. Additionally, organizations must implement internal controls to guarantee data confidentiality.
In terms of data subject rights, the right of access is expanded to include not only personal data in possession of the controller but also information on the general conditions of its processing. The right to rectification now includes cases of outdated data, while the right to opposition introduces "legitimate cause" as a new justification, although its definition remains vague, potentially leading to subjective interpretations. The law also grants data subjects the right to oppose automated data processing without human intervention when it produces undesirable effects.
Under the new ARCO rights framework, organizations may charge a fee for processing ARCO requests unless the data subject provides the necessary means. The law also formalizes self-regulation, requiring organizations that adopt such mechanisms to notify the authorities. Furthermore, regulatory bodies have been restructured, with the Secretariat now responsible for data protection oversight and enforcement, including ordering the release of personal data when necessary. The law also introduces new grounds for dismissing ARCO requests, mandates that organizations cover the cost of delivering requested information, and allows administrative decisions to be challenged through amparo lawsuits before specialized courts.
Finally, regarding violations and sanctions, the new law expands the list of punishable offenses, including negligence or willful misconduct in processing ARCO requests, which may pose challenges in terms of legal enforcement.
The amendment to Article 37, Section XV, of the Organic Law of the Federal Public Administration grants the Secretariat of Anti-Corruption and Good Governance authority over transparency, access to public information, and data protection, as well as responsibility for handling compliance procedures, oversight, and sanctioning.
Implications for Private Entities
The new legal framework imposes stricter regulations on transparency and data protection, requiring private sector organizations to strengthen their compliance programs. To mitigate risks and ensure adherence to the new legal requirements, organizations should focus on:
For further guidance on how these reforms impact your organization and the steps required to achieve compliance, please feel free to contact our expert team.