DPA Digital Digest: Mexico [2024 Edition]

A close-up of Mexico’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.

The “DPA Digital Digest” series provides concise summaries of each G20 nation’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.

Authors

Tommaso Giardini, Nils Deeg, Tania Pierotic

Date Published

18 Dec 2024

Mexico’s digital economy is growing rapidly. In 2023, the e-commerce market of Latin America’s second-largest economy reached 65 million consumers. 40% of them made weekly purchases, according to the Mexican Association for Online Sales. McKinsey estimates that increased digital maturity could boost Mexico’s GDP by 7-15% by 2025. The Mexican data centre market is estimated to reach a value of USD 1.1 billion by 2027, according to Oxford Business Group.

Mexico’s new government is keen to advance the digital transformation. It recently unveiled a new Agency for Digital Transformation and Telecommunications. The Agency will be responsible for digitising government procedures and developing digital public infrastructure. 

But what do Mexico’s domestic digital policies stand for? Our DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Mexico-specific points of emphasis.

  • Data governance: Mexico is overhauling data protection oversight, participated in international coordination initiatives, and engaged in a joint investigation into ChatGPT.

  • Content moderation: Mexico is deliberating a law to prohibit the dissemination of sexual content without consent and previously adopted rules on advertisements.

  • Competition policy: Mexico is overhauling competition oversight and has pursued enforcement in digital markets, including the e-commerce, digital payments and mobile application markets.

  • Artificial Intelligence: Mexico is considering comprehensive AI legislation and participates in several international coordination efforts.

  • Mexico’s points of emphasis include the gig economy, the taxation of the digital economy, and telecommunications.

 


Written by Tommaso Giardini, Nils Deeg and Tania Pierotic. Edited by Johannes Fritz.


Data governance

Policy developments

Data protection, a human right under the Mexican constitution, is regulated by the 2010 Federal Law on the Protection of Personal Data Held by Private Parties (federal data protection law) and state-level laws. The federal data protection law establishes data subject rights, including access, rectification, erasure and opposition (“ARCO rights”). The law further establishes a complaint mechanism with the National Institute for Transparency for Access to Information and Protection of Personal Data (INAI), responsible for overseeing data controllers’ compliance. In July 2024, Mexico introduced a law for neurotechnologies, which would establish a legal framework governing the collection of neural data through such technology. The framework emphasises the importance of consent, the protection of personal identity, and security measures. 

The federal data protection law requires data controllers to implement security measures to protect personal data from damage or unauthorised use. Security measures may not fall below those used to protect controllers’ own information, and must take into account risks, data sensitivity, and technological advancements. Mexico’s parliament has rejected amendments to the federal data protection law requiring data breach reporting to both the data subject and the INAI within 72 hours. In addition, the amendments would have required any company processing data of individuals in Mexico to designate a local legal representative. 

In the international context, Mexico has signed a declaration on data scraping and privacy, a joint declaration on ransomware, and a statement on data protection in age assurance alongside other data protection bodies. Mexico also signed memoranda of understanding on cooperation, both as part of the Ibero-American Data Protection Network and bilaterally, with Singapore. Finally, Mexico is a member of the United Nations, which finalised the cybercrime convention in August 2024. 

Data localisation/transfer developments

Mexico imposes sectoral data localisation obligations. Electronic payment institutions must store transaction records locally in order to ensure continuity of operations, while telecommunication providers’ data processing and storage systems must be located on national territory to enable collaboration with authorities.

Mexico’s data transfer regime is enshrined in the federal data protection law, and further elaborated in its implementing regulation. The implementing regulation distinguishes between transmissions, which are between controllers and processors, and transfers, which are between controllers and controllers. Transmissions do not require data subject consent, although the processor may only process the data for the specified purpose and may not make further transfers against the controller’s instructions. Transfers require data subject consent and notification via privacy notice, while the recipient is subject to equivalent protection duties. No consent is required in certain cases, for example where mandated by law, or necessary for healthcare, contractual or public interest purposes.

Two of Mexico’s free trade agreements, the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) and the United States-Mexico-Canada Agreement (USMCA), contain provisions on cross-border data transfers. In addition, the Ibero-American Data Protection Network issued guidance on standard contractual clauses for data transfers within and outside of the Network.

Guidelines and enforcement developments

In December 2024, Mexico’s federal legislature approved a constitutional reform to dissolve the INAI and the National Institute of Telecommunications (IFT), which collaborates with the INAI regarding the protection of consumer data in the telecommunications sector. The November 2024 amendment of the Organic Law of the Federal Public Administration gives the newly created Ministry of Anti-Corruption and Good Governance responsibility for public information and data protection, while the Agency of Digital Transformation and Telecommunications will become responsible for digital governance and telecommunications policies. Until the reforms take effect, the existing agencies continue to exercise their oversight powers.

The INAI elaborates on the statutory data protection requirements, including by publishing interpretation criteria of data protection rules, focusing on the rights of data subjects, covering recourse options and the handling of requests. In addition, the INAI has published a compliance guide for the federal data protection law, recommendations on data security, and guidelines for certification in the area of personal data protection.

The INAI has been the primary enforcement agency for data protection, supported by other institutions both domestically and regionally.

  • In July 2024, the INAI initiated an investigation into ticket sales platform Ticketmaster for the alleged disclosure of personal data.

  • In April 2024, the IFT published a report concluding the investigation into the cybersecurity of IoT devices, assessing 348 brands, 8% of which lacked any cybersecurity information.

  • In May 2023, the Ibero-American Data Protection Network adopted coordinated measures regarding the investigation of ChatGPT’s data processing practices. The investigation assesses the legal basis for data processing, compliance with transparency requirements, as well as age verification and data security measures.

  • In 2022, the INAI imposed a total of over MXP 60 million (approx. USD 2.9 million) in fines for violations of the federal data protection law across different sectors, often for processing without consent and insufficient privacy notices. 

Content moderation

Policy developments

The 2014 Federal Telecommunications and Broadcasting Law prohibits Internet Service Providers from proactively obstructing, interfering, inspecting, or filtering content. Two proposals to amend the law failed to pass before the Congress closed in August 2021. 

  • A 2021 proposal would have targeted social media providers with over one million users in Mexico. The proposal would have required such providers to remove harmful content, including (undefined) categories such as "hate speech" and "fake news" as well as any content deemed to be harmful by the Federal Telecommunications Institute (IFT). At the same time, social network providers’ ability to moderate content and block users would have been restricted, including by empowering IFT to overrule moderation decisions. 

  • A 2020 proposal would have imposed a local content quota of 30 percent on online streaming platforms. 

Since 2020, the amended Federal Copyright Law states that internet service providers “may” actively monitor content that is contrary to human dignity, affects rights and freedoms, or encourages violence or crimes. 

In February 2024, Mexico introduced a decree establishing penalties for the creation and dissemination of sexual content without consent. The decree would amend the law on women's access to a life free from violence and the penal code. It also focuses on the misuse of digital technology such as AI to create falsified content.

In April 2021, Mexico adopted rules on advertising transparency, including for advertising on digital platforms. Advertising agencies are prohibited from buying advertising space and reselling it to advertisers, receiving additional compensation from advertising mediums and providing services to advertisers and mediums at the same time. Advertising mediums must disclose the date, place, format, price and rates of advertisements to advertisers.

Guidelines and enforcement developments

In the international context, Mexico has signed a statement calling for the proactive removal of content relating to sexual abuse and exploitation of children. Mexico is also a member of the United Nations, whose agency UNESCO adopted guidelines for the governance of social media platforms.

There are no public, official sources on the Mexican government’s online content enforcement.

Competition

Policy developments

Mexico has not adopted rules specific to digital competition and instead applies the 2014 Federal Law on Economic Competition. The law aims to promote, protect and guarantee free market access and economic competition, imposing rules to tackle monopolistic practices, unlawful concentrations and market entry barriers. In March 2020, the Federal Economic Competition Commission (COFECE), the current main competition authority, published its Digital Strategy outlining the challenges to efficient competition in digital markets. The Strategy sets out the COFECE’s intention to investigate digital markets, and establish a Digital Markets Unit. The COFECE has also signed an international statement on strengthening coordination among competition authorities in the digital sector.

Both the COFECE and the IFT, which share responsibility for overseeing competition rules in digital markets, are set to be dissolved by the December 2024 constitutional reforms. According to the transitional measures, a new competition agency with operative independence will be established. The COFECE and the IFT continue to oversee competition until the reforms and the transitional measures take effect. Previously, following a jurisdictional dispute in 2021, the Federal Judicial Power established that the COFECE oversees online search services, social networks and cloud computing services, while the IFT has jurisdiction over mobile operating systems (in addition to the telecommunications and broadcasting sectors). In July 2024, the COFECE consulted on a proposal that would facilitate the conduct of procedures through the use of an electronic system.

Enforcement developments

Regarding unilateral conduct, COFECE conducts investigations into the state of competition in entire digital markets. 

  • In February 2024, the COFECE found, on a preliminary basis, that there is an absence of effective competition in the e-commerce market and identified possible barriers to entry and corrective measures.

  • In July 2023, the COFECE initiated an investigation into the market for the development and sale of digital goods and services, including e-books, software, video games, photographs, music, and online movies, among others. 

  • In September 2022, the COFECE and the IFT announced investigations into the market for the development and distribution of mobile applications, scrutinising app developers and app stores, focusing on payment mechanisms and practices such as tied selling, price discrimination, and exclusivity agreements. The IFT also investigated the distribution of online audiovisual content.

  • In June 2022, the COFECE initiated a study on digital financial services, examining electronic payments and crowdfunding services.  

In mergers, the COFECE authorised the acquisition of delivery service Cornershop by Uber in 2020, after concluding that the transaction did not adversely affect competition in the online grocery shopping market. The COFECE had previously blocked the acquisition of Cornershop by Walmart after concluding that Walmart’s increased market power could hinder competition.

Artificial Intelligence

Policy developments

In February 2024, Mexico introduced a comprehensive law regulating Artificial Intelligence (AI). The law would mandate authorisation prior to the commercialisation of AI systems, requiring technical documentation for compliance. It would classify AI systems into "unacceptable", "high", and "low" risk categories. Unacceptable risk systems, defined as causing serious harm or using biometric data without consent, would be prohibited. High-risk systems, such as those affecting security, human rights, or public services, would have to implement risk management, human oversight, technical assessments, and comply with testing requirements. Furthermore, providers and developers would have to disclose AI interactions and ensure transparency for AI-generated or manipulated content. In addition, copyright provisions would require the explicit declaration of AI-generated content and mandate agreements with intellectual property holders for AI training. The law would designate the IFT as the competent authority and would establish the advisory National Commission on AI.

Several bills proposing AI-related amendments to existing laws have also been introduced. An amendment to the General Law on Humanities, Science, Technology, and Innovation would aim to advance knowledge and train professionals in AI, with an emphasis on ethical use. An amendment to the General Law of Education would require the inclusion of AI-related content in curricula and programmes, and serve as a basis for further policy.

Mexico is engaged in various international initiatives to address the opportunities and challenges of AI. Mexico has adopted a commitment to address severe AI risks and participates in the Hiroshima International Code of Conduct for developing advanced AI systems. In addition, Mexico is a founding member of the Global Partnership on AI, to support research and applied activities on AI-related priorities. As a member state of the United Nations (UN), Mexico is involved in the UN AI Resolution, the UN Advisory Body on AI, and the OECD-UN enhanced collaboration on AI.

Guidelines and enforcement developments

There are no public, official sources on the Mexican government’s enforcement relating to AI.

Further points of emphasis

Gig Economy

Mexico is implementing and developing a series of regulations pertaining to digital platforms, with a particular focus on labour requirements. 

  • In December 2024, the Chamber of Deputies passed an amendment to the Federal Labor Law to recognise the social security rights and employment status of platform workers.

  • In December 2023, Mexico enacted a teleworking regulation that requires maintaining a list of teleworkers, which must include a detailed set of information. Additionally, the regulation mandates the creation of a telework policy and annual training on health and safety conditions.

  • In November 2023, Mexico proposed a law that would extend the social security provisions set out in labour law to encompass digital platform workers, while also establishing a framework for the calculation of work hours. 

  • Another bill relating to delivery services through digital platforms would require insurance coverage for workers and establish clear contractual conditions for salary.

In addition to labour regulations, Mexico has implemented an amendment to the Tourism Law to regulate accommodation platforms. The amendment introduces a host registry, which is designed as a database to track and monitor hosts operating in the respective city. Furthermore, hosts must submit semi-annual occupancy reports, and provide financial and property documentation for tax compliance.

Taxation

Since June 2020, the amended Value Added Tax (VAT) Law levies a 16% VAT on foreign providers of digital services related to the download or access to images, movies, text, information, video, audio, music, and games, among others. Foreign digital service providers must further register in the Federal Taxpayers Registry and appoint a legal representative before the Tax Administration Service. In January 2021, a further amendment introduced a “kill-switch” mechanism for tax authorities to block access to foreign digital service providers that do not comply with the obligations to pay the tax, register or appoint a legal representative.

In the international sphere, Mexico is part of the OECD/G20 Inclusive Framework, which has agreed to implement Pillar Two and announced a convention to implement Amount A of Pillar One. The Framework establishes rules for taxing multinational profits based on market jurisdiction profitability rather than physical location, with provisions for scope, profit allocation, safeguards against double taxation, and ratification procedures. Mexico has also adopted the framework for the reporting of crypto assets, thereby enabling the automatic exchange of information between tax authorities with a focus on submissions from crypto platforms. 

Telecommunications

The 2014 Federal Telecommunications and Broadcasting Law regulates net neutrality and requires Internet Service Providers to guarantee users access to any type of content, application or service offered within the applicable legal framework. Since July 2021, the IFT’s Traffic Management and Network Administration Guidelines enable Internet Service Providers to include sponsored access to data in packages, which raised net neutrality concerns. A June 2024 bill would require the IFT to develop a tool for users to report net neutrality violations and to publish an annual report on net neutrality and related guidelines.

In August 2021, a proposal to amend the Federal Telecommunications and Broadcasting Law was rejected by Congress. The proposal would have required social network providers with over one million users in Mexico to obtain a licence and approval for changes to their terms and conditions from the IFT. More recently, the IFT held a consultation on guidelines to establish mechanisms designed to safeguard user rights in instances where a virtual mobile operator permanently ceases services without ensuring the migration of users to an alternative provider. 

When the December 2024 constitutional reform takes effect, the IFT will be dissolved and its powers transferred to the Federal Executive.