On 25 February 2025, the initiative with the draft decree on the Protection of Personal Data Held by Private Parties was submitted to the Senate of the Mexican Congress. The proposed legislation would require data controllers to implement administrative, technical and physical measures to ensure the security of personal data, taking into account the nature of the data, the risks associated with its processing and technological developments. Security breaches affecting the rights of individuals would have to be reported immediately to the competent authority. The Secretariat for Anti-Corruption and Good Governance (SABG) would be designated as the authority empowered to impose administrative sanctions for non-compliance with data protection obligations. Fines for non-compliance would range from 100 to 320'000 times the value of the Unit of Measurement and Update (UMA). The initiative would also establish criminal offences related to the improper processing of personal data. These would include imprisonment from 3 months to 3 years for intentionally causing a security breach in databases containing personal data. Fraudulent or deceptive processing of personal data would be punishable by 6 months to 5 years' imprisonment, with the penalties doubled if the offence involves sensitive personal data.