The regulations of Mexico’s Federal Law for the Protection of Personal Data entered into force on 22 December 2011. The regulations deal with data subjects’ rights, security and breach notification provisions, cloud computing, consent and notice requirements, and data transfers.
Data subjects can exercise their rights from January 2012. With regard to cloud computing, Article 52 of the regulations states that cloud providers must comply with the data protection law and the regulations, and clearly inform the data controller of any subcontracting.
“Therefore, the data controllers will be the ones with the de facto power to make the cloud providers comply with the provisions of the Regulations, by having the obligation to only hire cloud services which comply with the same”, said Adolfo Athié at law firm, Basham, Ringe y Correa, S.C. in Mexico.
According to Basham at Ringe y Correa, security measures to protect personal data held by private parties are required to be implemented within eighteen months following the effective date of the Regulations, and self-regulation arrangements may be implemented by private parties.
The regulations are at http://dof.gob.mx/nota_detalle.php?codigo=5226005&fecha=21/12/2011 (in Spanish). Read more about this topic in the April issue of Privacy Laws & Business International Report.