Mexico: Federal Law on the Protection of Personal Data Held by Private Parties including cybersecurity regulation was signed by president

On 20 March 2025, the President signed into law the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), following its adoption by the legislature. The publication is part of a broader legislative package that includes three different laws: the General Law on Transparency and Access to Public Information, the General Law on the Protection of Personal Data Held by Obligated Parties and the Federal Law on the Protection of Personal Data Held by Private Parties. The proposed legislation requires data controllers to implement administrative, technical and physical measures to ensure the security of personal data, taking into account the nature of the data, the risks associated with its processing and current technological developments. Security breaches that affect the legal rights of individuals must be reported immediately to the competent authority. The Secretariat for Anti-Corruption and Good Governance (SABG) is designated as the authority responsible for imposing administrative sanctions for non-compliance with data security obligations. Fines for violations can range from 100 to 320'000 times the value of the Unit of Measurement and Update (UMA). The initiative also defines criminal offences related to the improper processing of personal data. These include imprisonment from 3 months to 3 years for intentionally causing a security breach in databases containing personal data. Fraudulent or deceptive processing of personal data is punishable by 6 months to 5 years imprisonment, with the penalties doubled if the offence involves sensitive personal data.