On March 20, 2025, the “DECREE enacting the General Law on Transparency and Access to Public Information; the General Law for the Protection of Personal Data held by Obligated Entities; the Federal Law on the Protection of Personal Data held by Private Parties; and amending 37, Section XV of the Organic Law of the Federal Public Administration” (the “Decree”) was published in the Official Gazette of the Federation (“DOF”).

The Decree abrogated the Federal Law for the Protection of Personal Data held by Private Parties (“LFPDPPP”, by its acronym in Spanish), and extinguished the National Institute for Transparency, Access to Information and Protection of Personal Data (“INAI”, for its acronym in Spanish).  The Anti-Corruption and Good Governance Ministry will be the authority in charge of assuming the functions of the extinct bodies.

Some of the most important changes are highlighted below:

1.         Consent.  Consent must be obtained in a free, specific and informed manner; as a general rule, its tacit expression will suffice.

2.         Privacy notice.  The notice must distinguish between necessary and voluntary purposes.  When personal data is acquired through electronic, optical, audio, visual, or other technologies means, a simplified privacy must be provided.

3.         Transfer of data.  As a general rule, it will not be necessary to notify the transfer of data to third parties.  However, in the event that a data controller undertakes processing that diverges from the originally specified purpose, the re-acquisition of the owner’s consent is mandatory.

4.         Self-regulation.  Individuals may implement binding self-regulatory schemes, in order to complement the provisions of the law.

5.         ARCO rights.  The definition of ARCO rights (access, rectification, cancellation, and opposition) is included, specifying the scope of the rights of cancellation and opposition.

The scope of cancellation shall extend to all files, records, and systems wherein personal data are stored.

The legitimacy of a data holder to exercise the right of opposition is established when their data are subjected to automated processing devoid of human intervention, notably when such processing evaluates personal attributes, including professional performance, health condition, sexual preferences, reliability, or conduct, and generates undesirable consequences or prejudices the data holder’s interests, rights, or liberties.

6.         Means of defense.  The indirect amparo proceeding is the designated legal tool for contesting resolutions from the Anti-Corruption and Good Governance Ministry, and these proceedings will be handled by specialized District and Collegiate Circuit Courts that are to be created.

7.         Autonomy.  The Anti-Corruption and Good Governance Ministry, by virtue of its integration into the executive branch, will relinquish the autonomous status formerly attributed to INAI.  Moreover, the statutory obligation to present an annual report on its activities to the Congress will also be abolished.

The entry into force of the new LFPDPPP represents a substantive reconfiguration of the personal data protection regime in Mexico.  Although the law incorporates elements in line with international standards (such as the inclusion of the right to oppose automated decisions or the strengthening of informed consent), it also raises relevant questions about the effectiveness of the new institutional model.

One of the aspects that has generated the greatest concern is the extinction of INAI and the centralization of functions in an administrative authority attached to the executive branch.  The diminution of technical and operational autonomy may jeopardize the impartiality of monitoring and the adjudication of sanctions pertaining to legal obligations, consequently attenuating the mechanisms for controlling the improper processing of personal data by both private and public entities.

Likewise, the new scheme of means of defense, which restricts the challenge of acts of authority to the indirect amparo trial before jurisdictional bodies not yet constituted, could generate legal uncertainty in the short term.  In this context, it is imperative to observe the regulatory evolution, institutional deployment, and the judiciary´s reaction in order to evaluate whether the implemented modifications facilitate the consolidation of an efficacious and dependable personal data protection system that honors the fundamental rights recognized within the Federal Constitution and international treaties.