Mexico has recently passed a federal law regulating the protection of personal data (LFPDPPP in Spanish). The process began in 2002 and required the shuffling of government departments as well as amendments to the 6th, 16th and 73rd articles of the Mexican Constitution. Observers see the result as leaning more towards the tightly controlled bureaucratic European model than the relatively laissez-faire structure adopted by equivalent legislation in the United States.
The Mexican regulations essentially cover the following topics:
ARCO Law – Procedural safeguards and guarantees are set so that any citizen may access, confirm, correct or request the complete deletion of online records regardless of whether they contain sensitive personal data or not.
Privacy Notices – Any information acknowledged as sensitive may only be collected online by obtaining physical, handwritten signed permission. Only data that is not deemed sensitive may be authorized by conventional online forms of permission. Prior to gathering any personal data of any kind, the online enterprise must clearly specify the reason why it is being collected, the name and address of the entity collecting the info and the potential destination of any element of that data, including subsidiaries of the same enterprise anywhere in the world or outsourcing partners.
Treatment of Data – The online enterprise is responsible for the handling of the data and guarantees that every element will be protected indefinitely against access by unauthorized parties, and is further held liable for such access even if it is granted by the corporate partners or collaborators it has passed the data along to.
To comprehend the new Mexican law in its most stringent application, let’s take the example of an email marketer with a subscriber in Nezahualcoyotl. This customer filled out your standard newsletter signup form and then proceeded to order a product, paying for it with their credit card. Your subsidiary in Germany shares your customer database, and some Berlin hacker manages to get the Mexican client’s data file. The violations of the LFPDPPP in this case are staggering. First of all, you did not notify the customer that your database is shared with your subsidiaries in Germany (and Japan and Australia and Britain, etc.). If you can get past that problem, you now have to acknowledge that their credit card information is sensitive (or is it… it’s up to future court challenges); therefore you had no right to collect it without first having the Mexican customer’s actual ink-on-paper signature (not faxed or scanned) in your hands.

Even if the hacker is unsuccessful and the customer does not provide any sensitive credit card or other information, the Mexican citizen might still request a complete deletion of their online records. Simply hitting Delete on your SQL file is not going to do much, as complete deletion is being interpreted as erasure from all of your systems. This includes all your backups (and many servers back up several times a day) and all of the systems and backups in your subsidiaries in Berlin, Tokyo, Sydney, London and more. If your servers archive all their backups and they collect their data just once a day, you’re looking at making 365 deletions in each of your corporate and subsidiaries’ backup media for each year the client was on your systems.
Since this legislation is so new, it is certain to be challenged in the Mexican courts and may be modified along the way. As it now sits, it seems to provide for a penalty of up to $3.2 million and ten years in prison for every single credit card number and/or bit of sensitive data that leaks out of your company about its Mexican customers. Given that the recent Sony PlayStation breach may have exposed more than 77 million of these sensitive records, the repercussions in Mexico alone would be monumental.
Next time we’ll analyze the Mexican Robinson exclusionary lists and how they can present another layer of obstacles for email marketing south of the border.