Government-owned entities, including public hospitals, research centers, financial and banking institutions, among others, will now be required to implement privacy controls and measures to protect citizens’ data under the new General Law for the Protection of Personal Data held by the public entities (the "Law"). Compliance can be achieved through procurement of cloud-based services and host personal data abroad, which may provide business opportunities for cloud and IT service providers in Mexico.
Where do we see potential opportunities?
We anticipate that local and foreign-based software and/or cloud-based service providers, as well as cybersecurity and data storage providers, will be required to confirm with their prospective government clients that their software products, services and solutions comply with the new rules. Companies may find it difficult to ensure that their existing compliance regimes for Mexican public entities can be updated. However, they may also leverage the new regime to implement entrepreneurial solutions and explore new market opportunities in this field.
What is the new law about?
Effective as of January 27, 2017 the Law will harmonize the different levels of privacy and cybersecurity protection applicable to the public sector over the years and create a single regulatory, interpretative and technical standard for the Mexican government. The range of entities that will be affected by the Law is substantial and includes entities at the federal, state and municipal levels, across the executive, legislative and judicial branches, including unions, universities and state-owned companies (the "Public Entities").
Some key provisions of the Law that will be of particular interest for tech companies include:
- Data Localization. Public Entities are entitled to transfer personal data abroad and store such data offshore as long as certain safeguards and controls are met, including appropriate contracts.
- Procurement Regime for Cloud-Services. Public Entities are entitled to procure cloud services, so long as the cloud services provider meets certain contractual and organizational requirements.
- Privacy Impact Assessments (PIAs). Before incorporating public policies, systems, tech platforms, applications and other technologies relating to a "substantial or relevant" processing of personal data, a Public Entity must conduct a PIA and implement mitigation measures.
- Privacy by Design. Public entities will be responsible for developing policies, programs, services, platforms and applications that are compliant with the law, including a requirement to incorporate privacy by design principles.
- Data Portability. The Law implements, for the first time, a regime designed to facilitate data portability and handling. The government will be issuing guidelines with respect to which formats are considered as "structured and commonly used data formats."
Our action items for tech companies
Companies interested in selling tech solutions to any Mexican Public Entities should prioritize the following:
- Familiarization with the Law. Gain knowledge and understanding of the new privacy framework and its potential ramifications.
- Assess company's readiness to sell products and services to Mexican government. This includes determining the company's familiarity with government procurement rules; assessing potential registration of the company's as a vendor at B2G portals (Compranet); assess potential adherence to federal programs for software companies that seek to reduce steps and regulatory burdens of tech companies selling products to federal public entities.
- Get in touch with your client. It is important to discuss whether the new requirements may pose challenges or cause delays to new product acquisitions or open new market opportunities.
Contributor: Carlos Vela-Trevino