Mexico: Federal Law on the Protection of Personal Data Held by Private Parties including cross-border data transfer regulation enters into force

On 21 March 2025, the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) entered into force. The publication forms part of a legislative package that includes three separate Laws: the General Law on Transparency and Access to Public Information, the General Law on the Protection of Personal Data Held by Obligated Parties, and the Federal Law on the Protection of Personal Data Held by Private Parties. The LFPDPPP regulates international transfers of personal data under specified conditions. Transfers require the prior consent of the data subject, except in cases outlined in the Law. These include transfers required by legal obligation, in the public interest, or for medical purposes. In all cases, the recipient must comply with the same obligations as the data controller. Transfers within a group of companies are permitted where all entities are subject to a uniform data protection policy. The Law sets out administrative fines for non-compliance ranging from 100 to 320'000 times the Unit of Measurement and Update (UMA). It also establishes criminal offences, including a prison term of 3 months to 3 years for intentionally compromising the security of a database containing personal data. Fraudulent processing of personal data is punishable by 6 months to 5 years of imprisonment, with penalties doubled if the offence involves sensitive personal data.