Mexico City, March 21, 2025
On March 20, 2025, the New Federal Law for the Protection of Personal Data in Possession of Private Parties (NLFPDPPP) was published in the Official Gazette of the Federation (DOF). The law will come into effect on March 21, 2025, superseding the Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP), which is hereby repealed.
Key Modifications Introduced by the NLFPDPPP
1. Modification and Clarification of Definitions
The NLFPDPPP revises several definitions from the previous law. Below are some of the key modifications:
Concept | LFPDPPP (Old Definition) | NLFPDPPP (New Definition) |
--- | --- | --- |
Privacy Notice | A physical, electronic, or other format document generated by the data controller that is made available to the data subject prior to the processing of their personal data, in accordance with Article 15 of the law. | A document available to the data subject in physical, electronic, or any other format, generated by the data controller at the time their personal data is collected, informing them of the purposes of processing, in accordance with Article 14 of the law. |
Databases | An ordered set of personal data concerning an identified or identifiable person. | An ordered set of personal data referring to an identified or identifiable person, subject to specific criteria, regardless of its form, mode of creation, storage type, processing, or organization. |
Consent | The manifestation of the data subject’s will, enabling processing. | The free, specific, and informed manifestation of the data subject’s will, allowing personal data processing. |
Personal Data | Any information concerning an identified or identifiable natural person. | Any information concerning an identified or identifiable person. A person is considered identifiable if their identity can be determined directly or indirectly through any information. |
Sensitive Personal Data | Personal data that affects the most intimate sphere of its holder or whose improper use could lead to discrimination or pose a serious risk to them. In particular, data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical, and moral beliefs, trade union membership, political opinions, and sexual preference are considered sensitive. | Personal data that affects the most intimate sphere of the data subject or whose improper use could lead to discrimination or pose a serious risk to them. By way of example, but not limited to, personal data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical, and moral beliefs, political opinions, and sexual preference are considered sensitive. |
ARCO Rights | No definition in the LFPDPPP. | The rights of Access, Rectification, Cancellation, and Opposition (ARCO) regarding personal data processing. |
Public Access Sources | Databases that can be consulted by any person, subject to applicable fees, in accordance with the provisions of the Regulations of this Law. | Databases, systems, or files that, by law, may be publicly accessed without any prohibitive regulation, subject to applicable fees. Information obtained unlawfully is not considered a public access source. |
Data Controller | A private individual or legal entity that decides on the processing of personal data. | Now explicitly referred to as Regulated Entities under section XVI of this article. |
Regulated Entities | No definition in the LFPDPPP. | Individuals or private legal entities engaged in personal data processing. |
Processing | The collection, use, disclosure, or storage of personal data by any means. Includes access, handling, use, exploitation, transfer, or disposal. | Any operation or set of operations applied to personal data, whether manual or automated, including collection, recording, organization, conservation, modification, retrieval, dissemination, and deletion. |
Transfers | Any communication of data to a person other than the data controller or processor. | Any communication of personal data within or outside Mexico to a person other than the data subject, controller, or processor. |
2. Consent Requirements
The NLFPDPPP mandates that consent must be free, specific, and informed. Tacit consent remains valid as a general rule, a principle previously outlined in the Regulation of the LFPDPPP but now explicitly incorporated into the law.
Key changes include:
- The law now allows consent exemptions if authorized by any legal provision, including regulations and decrees.
- The scope of authority-based exemptions has expanded to include court orders, resolutions, or rulings from competent authorities.
- If personal data is processed for purposes other than those specified in the Privacy Notice, new consent must be obtained—even if the new purpose is compatible with the original intent.
3. Privacy Notice Changes
The NLFPDPPP adds the following requirements for Privacy Notices:
- It must explicitly state the personal data subject to processing.
- It must distinguish between mandatory and voluntary purposes.
- The requirement to inform data subjects about third-party transfers in the Privacy Notice has been eliminated, although disclosure obligations remain under current regulations.
4. ARCO Rights Clarifications
- The right to cancellation now explicitly applies to files, records, and systems where the personal data is stored.
- The right to object applies when personal data is subjected to automated processing that significantly affects the data subject’s rights, freedoms, or interests without human intervention.
5. New Data Protection Authority
The Ministry of Anticorruption and Good Governance will replace the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI) as the primary regulatory authority. Additionally, the Ministry of Economy will no longer oversee privacy regulations.
6. Legal Procedures
- The Indirect Amparo trial is now recognized as a means of challenging administrative actions related to data protection.
- The Federal Judiciary must establish specialized courts for personal data protection cases within 120 days of the law’s enactment.
It is, however, questionable whether the appropriate means of legal remedy should be the Indirect Amparo rather than the contentious-administrative proceeding before the Federal Court of Administrative Justice (TFJA), given that the latter, in principle, has jurisdiction to review acts issued by federal public administration bodies, including the Ministry of Anticorruption and Good Governance.
The Federal Executive has 90 days to align regulatory frameworks with the new law.
Recommendations for Compliance
Organizations handling personal data must update internal policies and practices to align with the NLFPDPPP. Recommended actions include:
- Review and adjust internal policies in accordance with the new requirements.
- Provide training programs for employees on compliance with the new law and forthcoming regulations.
- Monitor regulatory developments from the Ministry of Anticorruption and Good Governance, as its interpretations and enforcement criteria will differ from the now-dissolved INAI.
Conclusion
Effective March 21, 2025, the Ministry of Anticorruption and Good Governance will oversee data protection regulations. Although procedural aspects remain largely unchanged from the LFPDPPP, the structural and jurisdictional differences of the new Ministry warrant close attention. Unlike the INAI, which was an autonomous body, the new Ministry is part of the Federal Executive, raising concerns about potential shifts in enforcement and regulatory discretion.
Our firm’s Information Technology and Data Protection Department remains at your service for further inquiries and compliance assistance.
Sincerely,
Adolfo Athié Cervantes
Renata Denisse Buerón Valenzuela
Erika Itzel Rodriguez Kushelevich
Ivan Garcia Argueta