Mexico: Federal Law on the Protection of Personal Data Held by Private Parties including cross-border data transfer regulation was signed by president

On 20 March 2025, the President of Mexico signed into law the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), following its approval by the legislature. The publication is part of a broader legislative package that includes three different laws: the General Law on Transparency and Access to Public Information, the General Law on the Protection of Personal Data Held by Obligated Parties, and the Federal Law on the Protection of Personal Data Held by Private Parties, each with its own article structure and scope of application. The LFPDPPP allows international transfers of personal data under certain conditions. Transfers require the prior consent of the data subject, except in cases provided for by the law. Exceptions include transfers required by legal obligation, in the public interest or in situations of medical necessity. In all cases, the recipient must undertake to protect the data under the same obligations as the controller to ensure continuity of protection. Transfers within a group of companies are permitted if all entities are subject to a uniform data protection policy. The law provides for fines for non-compliance ranging from 100 to 320'000 times the UMA. It also defines criminal offences, including a prison sentence of 3 months to 3 years for intentionally compromising the security of a database. Fraudulent processing of personal data is punishable by 6 months to 5 years imprisonment, with the penalties doubled if the offence involves sensitive personal data.