Mexico: Draft Decree on the Protection of Personal Data Held by Private Parties including cross-border data transfer regulation was passed by Senate

On 4 March 2025, The Draft Decree on the Protection of Personal Data Held by Private Parties was passed by the Senate of the Mexican Congress. The proposed legislation would impose conditions on international data transfers, requiring prior consent unless specific exceptions apply. Valid exceptions would include transfers necessary for legal obligations, public interest or medical emergencies. Recipients would have to comply with the same obligations as the original data controller, ensuring continuity of data protection. Transfers within a group of companies would be permitted, as long as the entities adhere to a uniform data policy. Failure to comply could result in fines ranging from 100 to 320'000 times the unit of measurement and update (UMA). Criminal offences relating to the improper processing of personal data would carry severe penalties, including imprisonment from three months to three years for intentionally causing security breaches in databases containing personal data. Fraudulent or deceptive processing would be punishable by 6 months to 5 years imprisonment, with the penalties doubled in cases involving sensitive personal data.