The new Free Trade Agreement between the United States of America, the Mexican United States and Canada (“T-MEC”) has been signed by the Presidents of the three countries, already ratified by U.S. and Mexican Senates. And since January it is in the process to be ratified by Canadian Parliament.

The Treaty will enter into force 90 days after it has been ratified by the three countries. However, it is important to consider the transition periods provided according to each chapter, and deadlines to implement the necessary regulatory modifications.

The T-MEC includes some provisions on data protection in Chapter 19 «Digital Commerce». It is worth to note that in order to achieve the strengthening and promotion of e-commerce between the three countries, the protection of personal data acquires a substantive relevance. This aims to improve consumer rights, build trust, make safer transfers and avoid differential or unfavorable treatment of participating economies. To specify the above, countries must adopt (or maintain) a legal framework that takes into account the nine principles of the “Asia Pacific Economic Cooperation (APEC), Privacy Framework” and the Organisation for Economic Co-operation and Development (OECD) “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”. Adopt security measures, develop cybersecurity capabilities, in order to guarantee security in cross-border flows of personal information, where restrictions shall be considered only under proportional risks.

Chapter 19 also provides for the cooperation of the parties, they shall communicate with each other the means they use for the regulatory adequacy, promoting compatibility between each of the regimes and thus promoting global interoperability. In this regard, APEC’s cross-border privacy rules (CBPRs) are recognized as a valid mechanism, as rules that seek to protect information flows between APEC economies, including Mexico since 2013, the United States in 2012 and Canada in 2015.

In our opinion, Mexican data protection regulation complies already with the provisions on personal data protection included in Chapter 19 “Digital Commerce”. What may be missing is to develop in practice the mechanism of the CBPRs, for example, in Mexico, we still don’t have accountability agents.



Adolfo Athié


Renata Buerón


Erika Rodríguez



Mexico City, March 6th, 2020.