BNA is reporting that Mexico’s data protection authority, the Federal Institute for Access to Information and Data Protection (IFAI), will issue a fine of $1 million against one of Mexico’s largest banks for violating the country’s Federal Law on the Protection of Personal Data in Possession of Private Parties. The action against the bank — whose name has not yet been revealed because the bank has not been notified about the fines — is reportedly one of several actions that have been (or are currently being) taken by the IFAI. The BNA article noted that a “big sports club” had recently been fined $100,000 for privacy violations and that another financial firm could also face fines.
Mexico’s framework data protection law was enacted in 2010, and implementing rules were approved in late 2011. Since then, regulators had been principally focused on educating businesses about the rules’ requirements and generally raising awareness about the importance of protecting personal data. Mexico’s regime is focused mainly on ensuring that businesses provide adequate notices to individuals about the collection, use, and disclosure of the information the business maintains.
Although not the first comprehensive privacy framework passed in Latin America, Mexico’s enactment of the Federal Law in 2010 spurred a large number of Latin American countries to establish their own frameworks in recent years, some of which impose very strict requirements on the processing of personal information. There has been some question as to whether some of the other countries in the region that have adopted new data protection laws will have the institutional infrastructure to enforce them. Given Mexico’s influence in the region, its decision to step up enforcement may lead other countries to do the same.