A close-up of Mexico’s regulatory approach to data governance, content moderation, competition and more.
This is the seventeenth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Tommaso Giardini, Tania Pierotic
27 Jul 2023
Mexico’s digital economy is growing rapidly. Since 2019, Mexico’s e-commerce market ranks in the top five countries for growth, boasting 63 million consumers and a yearly growth of 23 per cent in 2022, according to the Mexican Association for Online Sales. McKinsey estimates that increased digital maturity could boost Mexico’s GDP by 7-15 per cent by 2025. Oxford Business Group expects the Mexican data centre market to reach a value of USD 1.1 billion by 2027. Mexico has adopted the Digital National Strategy 2021-2024 to improve its policy framework, promote technological sovereignty and increase connectivity.
But what do Mexico’s domestic digital policies stand for? The seventeenth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Mexico-specific points of emphasis.
In data governance, Mexico did not adopt a proposal to revise its federal data protection law, imposed sectoral data localisation and launched a joint investigation into ChatGPT.
In content moderation, Mexico adopted rules on online content and advertisements, but rejected proposals regulating social media providers and imposing local content quotas.
In competition, Mexico did not adopt digital-specific rules but started investigating digital markets, including e-commerce, digital payments and mobile application markets.
Mexico’s points of emphasis include international digital trade, the taxation of the digital economy, and telecommunications.
Jump directly to the section that interests you most:
Discover the details of Mexico’s regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Tommaso Giardini and Tania Pierotic. Edited by Johannes Fritz.
Data protection, a human right under the Mexican constitution, is regulated by the 2010 Federal Law on the Protection of Personal Data Held by Private Parties (federal data protection law) and state-level laws. The federal data protection law lists data subject rights, including to access, rectification, erasure and opposition (“ARCO rights”). The law further establishes a complaint mechanism with the National Institute for Transparency for Access to Information and Protection of Personal Data (INAI), responsible for overseeing data controllers’ compliance. In August 2021, proposed amendments to the federal data protection law failed to pass before the Congress closed. The amendments would have required any company processing data of individuals in Mexico to designate a legal representative located in Mexico. In addition, the amendments would have required data breach reporting to both the data subject and the INAI, within 72 hours.
Mexico imposes sectoral data localisation obligations. The Provisions for Electronic Payment Fund Institution require electronic payment institutions to store transaction records locally in order to ensure continuity of operations. The guidelines for collaboration in security and justice matters require telecommunication providers’ data processing and storage systems to be located on national territory for collaboration with authorities.
Mexico’s data transfer regime is enshrined in the federal data protection law. Transfers are allowed only if the data subject consents and the recipient is subject to equivalent protection duties. To establish equivalence, the regime provides legal instruments including contractual clauses, but not governmental decisions on third countries’ legal regimes.
Mexico is also party to the Ibero-American Data Protection Network, comprising data protection authorities from Central and South America, the Caribbean, Mexico, Spain and Portugal, that promotes data protection regulation and cooperation. In September 2022, the Network issued guidance on standard contractual clauses for data transfers within and outside of the Network.
The INAI is responsible for the oversight of data protection at the national level, while there are also subnational data protection agencies. The National Institute of Telecommunications (IFT) collaborates with the INAI regarding the protection of consumer data in the telecommunications sector. The INAI regularly publishes secondary legislation, including the compliance guide for the federal data protection law, the recommendations on data security, the guidelines on privacy notices, and the guides for data subjects. In February 2023, INAI provided guidance interpretation of data protection rules, especially data subject rights, focusing on recourse options and the processing of requests.
In terms of enforcement, in 2022, the INAI imposed fines of over MXP 60 million (approx. USD 3.5 million) for violations of the federal data protection law, mainly for processing without consent and insufficient privacy notices. In May 2023, the Ibero-American Data Protection Network adopted coordinated measures regarding the investigation of ChatGPT’s data processing practices, assessing its legal basis for data processing, compliance with transparency requirements, as well as age verification and data security measures.
The 2014 Federal Telecommunications and Broadcasting Law prohibits Internet Service Providers from proactively obstructing, interfering, inspecting, or filtering content. Two proposals to amend the law failed to pass before the Congress closed in August 2021. A 2021 proposal would have targeted social media providers with over one million users in Mexico. The proposal would have required such providers to remove harmful content, including (undefined) categories such as "hate speech" and "fake news" as well as any content deemed to be harmful by the Federal Telecommunications Institute (IFT). At the same time, social network providers’ ability to moderate content and block users would have been restricted, including by empowering IFT to overrule moderation decisions. A 2020 proposal would have imposed a local content quota of 30 percent on online streaming platforms.
Since 2020, the amended Federal Copyright Law provides that internet service providers “may” actively monitor content that is contrary to human dignity, affects rights and freedoms, or encourages violence or crimes.
In April 2021, Mexico adopted rules on advertising transparency, including for advertising on digital platforms. Advertising agencies are prohibited from buying advertising space and reselling it to advertisers, receiving additional compensation from advertising mediums and providing services to advertisers and mediums at the same time. Advertising mediums must disclose the date, place, format, price and rates of advertisements to advertisers.
There are no public, official sources on the Mexican government’s online content enforcement.
Mexico has not adopted rules specific to digital competition and instead applies the 2014 Federal Law on Economic Competition. The law aims to promote, protect and guarantee free market access and economic competition, imposing rules to tackle monopolistic practices, unlawful concentrations and market entry barriers. In March 2020, the Federal Economic Competition Commission (COFECE), the main competition authority, published its Digital Strategy. The strategy outlined challenges to efficient competition in digital markets and announced that COFECE will investigate digital markets, create a Digital Markets Unit and strengthen international cooperation, among others.
The oversight of competition rules in digital markets is split between the COFECE and the Federal Telecommunications Institute (IFT). In 2021, following a jurisdictional dispute, the Federal Judicial Power established that the COFECE oversees online search services, social networks and cloud computing services, while the IFT has jurisdiction over mobile operating systems (in addition to the telecommunications and broadcasting sectors).
Regarding unilateral conduct, in 2022, the COFECE began investigating the state of competition in several digital markets (rather than single firms’ behaviours). The first such investigation, launched in March 2022, concerned the e-commerce market, for online purchases and sales of retail merchandise. In June 2022, the COFECE initiated a study on digital financial services, scrutinising electronic payments and crowdfunding services by financial technology firms. In September 2022, the COFECE announced an investigation into the market for the development and distribution of mobile applications. Specifically, the investigation scrutinises app developers and app stores, focusing on payment mechanisms and practices such as tied selling, price discrimination and exclusivity agreements. In July 2023, the COFECE initiated an investigation into the market for the development and sale of digital goods and services, including e-books, software, video games, photographs, music, and online movies, among others. In parallel, the IFT investigates operating system providers’ app stores and the mobile application market.
Regarding mergers, the COFECE authorised the acquisition of Cornershop by Uber in 2020, after concluding that the transaction did not adversely affect competition in the online grocery shopping market. The COFECE had previously blocked the acquisition of Cornershop by Walmart after concluding that Walmart’s increased market power could hinder competition.
Mexico is a signatory to two major free trade agreements with chapters dedicated to e-commerce: the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP), in force since 2018 and the United States-Mexico-Canada Agreement (USMCA), in force since 2020. Both chapters on e-commerce contain rules affecting the digital economy, including on data protection, cross-border data transfers and online consumer protection.
In addition to trade agreements, Mexico participates in novel international initiatives to foster digital trade. In March 2023, the European Union-Latin America and Caribbean Digital Alliance, including Mexico, was launched to enable regular high-level dialogue and cooperation on policy matters, including technology and digitalisation. In addition, Mexico is one of 15 founding members of the Global Partnership on Artificial Intelligence (GPAI), created in June 2020 to support cutting-edge research and applied activities on AI-related priorities.
Since June 2020, the amended Value Added Tax (VAT) Law levies a 16 per cent VAT on foreign providers of digital services related to the download or access to images, movies, text, information, video, audio, music, and games, as well as online clubs, dating sites, and distance learning services (excluding electronic books, newspapers and magazines). Foreign digital service providers must further register in the Federal Taxpayers Registry and appoint a legal representative before the Tax Administration Service. In January 2021, a further amendment introduced a ”kill-switch” mechanism for tax authorities to block access to foreign digital service providers that do not comply with the obligations to pay the tax, register or appoint a legal representative.
The 2014 Federal Telecommunications and Broadcasting Law regulates net neutrality and requires Internet Service Providers to guarantee users access to any type of content, application or service offered within the applicable legal framework. In August 2021, a proposal to amend the law failed to pass before the Congress closed. The amendment would have targeted “relevant” social network providers with over one million users in Mexico. Relevant providers would have been required to obtain a licence and obtain approval for changes to their terms and conditions from the Federal Telecommunications Institute (IFT). Since July 2021, the IFT’s Traffic Management and Network Administration Guidelines enable Internet Service Providers to include sponsored access to data in packages, which raised net neutrality concerns.