Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Mexico: Data Protection in the Automotive Sector

Krzysztof12 / Essentials collection / istockphoto.com

Change is happening faster than ever, and to stay ahead, the automotive industry must anticipate what is next. Legal challenges come from all directions and the automotive industry is no exception. Modern cars are becoming increasingly connected and personal data is a crucial component of this type of technology. While connectivity enhances the vehicle's functionality and the user experience, there are potential privacy and data protection issues and requirements that the stakeholders must be aware of.

Nonetheless, privacy concerns should not be an impediment in the context of connected vehicles, considering that the world has widely adopted other data gathering technologies, such as social media and smart phones. Learning how to navigate this environment (taking into account existing and pending regulations) is fundamental to take advantage of what connected vehicles have to offer.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

In Mexico, there are no specific rules or guidance for processing personal data in the context of connected vehicles, autonomous driving, telematics, and vehicle geolocation. Considering that there are no specific rules or guidance, the general data protection legal framework would apply.

In particular, the following legislation is applicable:

In Mexico, the cybersecurity legal framework is currently applicable only to financial institutions. A general cybersecurity legal framework has been long expected, but is still pending.

1.2. Regulatory authority guidance

The following guidelines issued by the Ministry of Economy are applicable:

  • Guidelines for Privacy Notices (only available in Spanish here) ('the Guidelines').

Additionally, the National Institute for Access to Information and Protection of Personal Data ('INAI') has issued the following non-mandatory guidelines and recommendations that are relevant for the automotive sector:

  • Guidelines for Implementing a Personal Data Security System (only available in Spanish here);
  • Guidelines for the Secure Deletion of Personal Data (only available in Spanish here);
  • Guidelines for Processing Biometric Data (only available in Spanish here);
  • Recommendations for Managing Personal Data Security Incidents (only available in Spanish here);
  • Minimal Criteria Suggested for Contracting Cloud Computing Services when Personal Data Processing is Involved (only available in Spanish here);
  • Adhesion Contracts for Cloud Computing Services vs. Minimal Criteria Suggested for Contracting Cloud Computing Services when Personal Data Processing is Involved (only available in Spanish here);
  • Recommendations to Recognise Main Threats to Personal Data Based on Risk Assessment (only available in Spanish here);
  • Guidelines for Privacy Impact Assessments (only available in Spanish here); and
  • Risk Analysis Methodology (only available in Spanish here).

2. KEY DEFINITIONS

  • Vehicle Information Number: No applicable definition under Mexican law.
  • Geolocation data: No applicable definition under Mexican law.
  • Telematic data: No applicable definition under Mexican law.
  • Personal data: Any information concerning an identified or identifiable individual.
  • Sensitive personal data: Personal data that requires special protection because it could create significant risks to an individual's fundamental rights by putting them at risk of discrimination. Examples of such data include race, ethnic origin, politics, religion, union membership, genetics, health, and sexual orientation.
  • Financial data: Although this is not defined under the regulations, personal financial data was defined in a precedent issued by INAI as the credit history, revenues, expenses, bank accounts, insurance, bonds, bank services or any other data that is part of an individual’s estate [Docket PS.0004/13].
  • Biometric data: Refers to physical or behavioural characteristics of a data subject. Depending on its use, biometric data could be considered sensitive personal data.
  • Metadata: No applicable definition under Mexican law.
  • Voice data: No applicable definition under Mexican law.
  • Video data (inside/outside the vehicle): No applicable definition under Mexican law.
  • Data subject: Individual to whom the personal data pertains.
  • Data controller: An individual or private entity that decides on the processing of personal data.
  • Data processor: An individual or private entity that, individually or jointly with other individual(s) or entities, processes the personal data on behalf of the data controller.
  • Anonymisation: The Law does not define anonymisation, but provides for the similar concept of 'dissociation' which is defined as the 'procedure that converts personal data into information that cannot be associated with the data subject or does not allow the identification of the data subject'.
  • Pseudonymisation: No applicable definition under Mexican law.
  • Processing: The collection, use (including access, management, exploitation, transfer, or disposal), disclosure, or storage of personal data by any means.
  • Data transfer: Any communication of personal data made to an individual or private entity other than the data controller or data processor.
  • Manufacturer: No applicable definition under Mexican law.

3. SUPERVISORY AUTHORITY

3.1. Who is the relevant supervisory authority overseeing compliance applicable to the automotive sector?

The supervisory authority for overseeing compliance on processing personal data in the context of connected vehicles and other automotive related privacy topics in Mexico is the INAI.

So far, the INAI has only issued a press release to raise awareness among the population regarding the use of Internet of Things ('IoT') devices. Other than that, the INAI has not issued a specific guidance related to the IoT.

4. CONNECTED VEHICLES

4.1. What are the practical data protection and cybersecurity implications for connected vehicles and how can organisations manage them in practice?

As mentioned above, there are no specific rules or existing guidance in terms of data protection and cybersecurity applicable to connected vehicles; thus, the general framework for data protection and cybersecurity is applicable.

Data protection principles and duties

The processing of personal data must comply with the following principles and duties:

Principles

  • Consent: As a general rule, consent is the basis for any processing of personal data. Consent may be implied, explicit, or express and written. Implied consent is given when data subjects do not object to the level of data privacy that was made available to them. Explicit consent must be very clear and unequivocal and is required to process financial data. Explicit, written consent requires an identity authentication and is required to process sensitive personal data. In the case of connected vehicles, if financial data is not being processed, implicit consent would suffice. It may seem that connected vehicles would not collect sensitive personal data, but the geolocation functionality, which is the basis for this technology, raises some questions in that regard. Geolocation generates a precise, comprehensive record of an individual's movements potentially revealing a number of details about their professional, political, religious, or sexual associations. Assembling that data may reveal aspects of identity susceptible to abuse. However, the use of geolocation in connected vehicles does not differ from the use of other applications and software that also have access to that particular personal data.
  • Information: The data controller must inform data subjects about the purposes of the processing of their personal data through a privacy notice.
  • Quality: Personal data must be correct, complete, relevant, accurate, and updated. It is possible to assume that all the personal data collected by connected vehicles would comply with the quality purpose, unless there is a fault in the system.
  • Purpose: Personal data can only be processed for the purposes expressly stated in the privacy notice. Purposes may either be considered primary or secondary purposes. Secondary purposes are those that are not required for originating or preserving the legal relationship between data subject and data controller (e.g. marketing). Data subjects have the right to object and opt-out to the processing of their personal data in relation to secondary purposes.
  • Loyalty: Personal data must be treated prioritising the protection of the data subjects' interests and respecting a reasonable expectation of privacy. Additionally, the reasonable expectation of privacy means that the personal data will be processed as agreed between the data subject and the data controller.
  • Proportionality: Personal data must be processed only if it that is necessary, adequate, and relevant to the processing purposes. This principle is clearly related to the data minimisation principle. Data minimisation implies that collected personal data must be the minimum needed to comply with the processing purposes.
  • Responsibility: The data controller is responsible for the processing of personal data under its custody and must implement appropriate security measures to comply with data protection rules and to safeguard personal data processed.
  • Legality: Personal data must be only processed for legal purposes.

Duties

  • Confidentiality: The data controller must not share personal data, unless the data subject consents to the transfer or the controller is legally required to transfer the data.
  • Security: The data controller must implement technical, administrative, and organisational security measures to protect personal data from any breach.

Privacy notice

There are three types of Privacy Notices: (a) full, (b) simplified, and (c) short. The applicable type depends on how the data is collected (personally, directly, or indirectly).

Below are the minimum content requirements for full privacy notices:

  • identity and address of the data controller;
  • detailed list of personal data (or categories of personal data) that will be processed, specifying whether sensitive personal data will be collected;
  • detailed list of processing purposes and their classification as primary or secondary purposes;
  • opt-out for secondary purposes;
  • options available to the data subject to limit the use or disclosure of their personal data;
  • options to revoke consent;
  • options and procedure to exercise the rights of access, cancellation, rectification, and objection;
  • disclosure of cookies, web beacons, or other automated processing means;
  • conditions of data transfers;
  • data transfers clause, if applicable; and
  • how the data subject is able to find out about changes to the privacy notice.

In case the data controller displays a short or simplified privacy notice, these notices must include details on how the data subject is able to access the full version of the privacy notice.

As mentioned above, the personal data collected by connected vehicles raises questions about its potential sensitivity. The Law does not establish an exhaustive list of personal data that is considered sensitive, but rather defines it as personal data that, if misused, could create significant risks to an individual's fundamental rights by putting them at risk of discrimination. That definition is so broad that it probably has started to seem outdated in the context of the digital age.

Data transfers

As a general rule, data transfers are subject to the consent of the individuals, unless an exception applies. Such exceptions apply when the transfer is:

  • permitted by law or an international treaty signed by Mexico;
  • necessary for certain medical and sanitary purposes;
  • made to companies under the same group of the data controller;
  • necessary as part of a contract between the data controller and a third party in favour of the data subject; and
  • necessary or legally required to protect the public interest or to exercise a right during a judicial process.

Personal data transfers require for the data importer to comply with the same obligations of the data exporter. The data exporter and the data importer must execute contractual clauses with the data importer to prove that the latter is aware of:

  • the data controller obligations regarding the personal data; and
  • the conditions accepted by data subjects to process their data.

Where the data transfer is subject to consent, the privacy notice must include a clause indicating whether the data subject accepts the transfer. In the case of domestic data transfers, the data importer will be considered a data controller.

Sharing personal data between data controllers and data processors (domestic or cross-border) is not considered a data transfer and is not subject to consent. However, the Law imposes several contractual requirements on the data processor to abide by the instructions of the data controller.

Transferring and sharing data is at the heart of connected vehicles by means of improving the user experience or to offer specifically tailored products and services to the individuals. Data generated from connected vehicles includes driving habits, such as acceleration, speed, and breaking. All that data may qualify as biometric data and could be used for individualised car insurance rates. The Law and its Regulations are not stringent in this regard as they allow the free flow of personal data as long as the basic legal requirements are met.

But considering that one vehicle could, and usually is, used by more than one individual, one of the most interesting challenges in this regard is how to link the driving habits to one specific individual. Although users can set up different profiles in the same vehicle, there is no impediment for a driver to use a another driver's profile.

Individual rights regarding personal data

Data subjects have the following rights regarding their personal data:

  • Access: Right to obtain a copy of their personal data, as well as data processing conditions (e.g. data transfers).
  • Rectification: Right to rectify whenever their personal data is incomplete, outdated, or inaccurate.
  • Cancelation/Deletion: Right to ask for the deletion of their personal data. In many cases, the exercise of this right implies the termination of the legal relationship or the provision of the services.
  • Objection: Right to object to the processing of their personal data.

Other rights include the right to revoke consent at any time and limit the use and processing of personal data.

In the context of connected vehicles, the right of access may refer to a significant volume of data that data controllers must be prepared to provide.

Data security

Data controllers must adopt information security measures at least equivalent to those implemented to protect their own information. In addition to the data security duty, data controllers and data processors are required to implement information security measures considering the following aspects:

  • inherent risk;
  • sensitivity;
  • technological advances;
  • possible consequences in case of a data breach;
  • number of data subjects; and
  • previous breaches.

To establish and maintain information security systems, the data controllers and data processors must consider the following actions:

  • creating and maintaining an inventory of personal data and processing systems;
  • establishing functions and obligations of vendors involved in the data processing;
  • carrying out a risk assessment;
  • assessing which information security measures have been effective;
  • carrying out a breach assessment considering existing and missing security measures;
  • conducting periodic audits;
  • training vendors involved in the data processing; and
  • creating and maintaining an internal registry of personal data storage units.

Retention periods

Personal data must be kept only for the period needed to comply with the processing purposes (which should be stated in the privacy notice). Once the processing purposes have concluded, the personal data must be blocked (which means stop processing the personal data and only store it for the period during which a liability or a legal requirement may arise) and afterwards deleted.

The total period of retention would be the period needed to comply with the processing purposes plus the legal period needed to comply with the relevant legal obligations and to respond to liabilities that may arise regarding the processing of the personal data.

The data controller must establish procedures for blocking and destroying the data and is responsible for presenting evidence in case of any investigation. Although there are no legal requirements regarding the destruction of personal data, the INAI has issued recommendations to securely destroy physical or digital personal data.

Such recommendations include, in relation to digital data:

  • physical destruction of the storage device;
  • demagnetisation; and
  • overwriting.

Personal data breaches

Personal data breaches are security incidents that affect the confidentiality or integrity of personal data. They occur when the personal data is:

  • lost or destroyed without authorisation;
  • stolen or copied without authorisation;
  • used, accessed, or processed without authorisation; or
  • corrupted or damaged.

Data subjects possibly affected by data breaches must be notified immediately in case the breach may significantly affect their moral or economic rights, once the breach has been confirmed and actions to make a comprehensive examination of the incident have been identified.

Data breaches may have a significant impact on the individuals depending on quantity and sensitivity of the data collected. The potential impact depends on the data that was breached. In these cases, a Privacy by Design approach comes helpful. However, Privacy by Design is still not described, required, or included as best practice in the Mexican data protection legal framework.

Sanctions

Failure to comply with data protection rules can be sanctioned with fines that could range from 100 to 320,000 days of unit measures (currently equivalent to MXN 96.22) (i.e approx. €459 to €1.4 million). Sanctions may be doubled in the case of sensitive personal data.

5. AUTONOMOUS DRIVING

5.1. What are the practical data protection and cybersecurity implications for autonomous driving and how can organisations manage them in practice?

Autonomous driving is yet to be regulated in Mexico; however, the same framework set forth in section 4 above is applicable when handling personal data.

In addition, data security incidents are particularly significant in the context of autonomous vehicles considering not only the amount and type of data that can be potentially compromised, but the possible consequences of an incident. The consequences of an incident are inversely proportional to the vehicle's autonomy, as the remote hijacking of fully autonomous vehicles would present a more serious risk in comparison with security incidents of vehicle with limited autonomy.

Although existing general regulations regarding civil and criminal liability could be applicable in these cases, a carefully crafted cybersecurity legal framework is urgently required in Mexico prior to the deployment of autonomous vehicles.

6. TELEMATICS

6.1. What are the practical data protection and cybersecurity implications for telematics and how can organisations manage them in practice?

Considering in particular GPS tracking and on-board diagnostics ('OBD') from a data protection and cybersecurity perspective, vehicle telematics are regulated under the legal framework set forth in section 4 above, when third parties are collecting and monitoring personal data related to the use of the automotive vehicle.

7. VEHICLE GEOLOCATION

7.1. What are the practical data protection and cybersecurity implications for vehicle geolocation and how can organisations manage them in practice?

There are no specific regulations for vehicle geolocation from a data protection and cybersecurity standpoint. However, as in the case of telematics, when third parties are collecting and monitoring personal data related to the location of the automotive vehicle, the legal framework set forth under section 4 above should be observed.

8. MANUFACTURING

8.1. What are the practical data protection and cybersecurity implications for manufacturing and how can organisations manage them in practice?

Compliance with data protection and cybersecurity guidelines are applicable to manufacturers when processing or handling personal data.

9. OTHER

9.1. Please outline any other additional data protection and/or cybersecurity requirements for the automotive sector, if applicable:

No further information.

Juan Francisco Torres Landa Ruffo Partner
[email protected]
Ana Paula Rumualdo Senior Associate
[email protected]
Pablo Corcuera Senior Associate
[email protected]
Hogan Lovells, Mexico City

Feedback