July 08, 2026

On June 26, 2026, the Twentieth Collegiate Court in Administrative Matters of the First Circuit (Vigésimo Tribunal Colegiado en Materia Administrativa del Primer Circuito) issued three nonbinding thesis (tesis aisladas) arising from amparo proceedings challenging provisions related to the Unified Identity Platform (Plataforma Única de Identidad), particularly the obligation to provide biometric data for its implementation.
Although these criteria do not constitute binding precedent under Mexican law, they represent a significant development in the constitutional interpretation of the rights to privacy, personal data protection, and informational self-determination in the context of the State’s increasing use of biometric identification technologies.
When read together, the criteria reflect judicial concern regarding the risks associated with the mandatory, centralized, and large-scale collection of biometric data. The Court recognizes that current technological capabilities to collect, interconnect, process, and analyze personal information require an evolution of traditional data protection concepts and, within that framework, develops the notion of “personal digital sovereignty” (soberanía digital personal), understood as an enhanced expression of an individual’s right to retain effective control over their biometric and behavioral information, as well as its present and future uses.
From this perspective, the Court emphasizes that the constitutional protection of personal data extends beyond formal compliance obligations relating to data processing and information security. Rather, it requires preserving a genuine sphere of individual control over data capable of enabling identification, tracking, or profiling. The Court further examines the constitutional risks arising from the aggregation of biometric information with other categories of personal data capable of revealing behavioral patterns, habits, or individual movements. In doing so, it expressly references scholarly discussions surrounding “surveillance capitalism” as a framework for understanding the challenges that these technologies pose to fundamental rights.
Based on this reasoning, the Court concludes that government measures involving the mandatory collection and processing of biometric data must be subject to strict constitutional scrutiny, given both the particularly sensitive nature of such information and the potential impact that its use may have on fundamental rights. Because biometric data are unique, permanent, and intrinsically linked to an individual’s identity, any measure requiring their collection or mandatory disclosure must withstand a particularly rigorous analysis of necessity, suitability, and proportionality.
The same rationale underlies the Court’s position regarding the availability of preliminary injunctive relief (suspensión provisional) in amparo proceedings. The Court held that temporarily allowing an individual to refrain from providing biometric data pending resolution of the merits does not, in and of itself, undermine public order or the public interest, since the authorities retain the legal powers necessary to conduct identification and investigative activities. Accordingly, the Court considered interim judicial protection appropriate where a measure may potentially restrict fundamental rights while its constitutionality is being reviewed.
Implications
These decisions suggest a potential evolution in the manner in which Mexico’s Federal Judiciary may assess legislative and technological initiatives involving digital identity, biometric authentication, and large-scale personal data processing.
Particularly noteworthy is the introduction of the concept of personal digital sovereignty, which may become increasingly influential in future constitutional debates concerning privacy, surveillance, artificial intelligence, digital identity, and data governance.
Rather than challenging the legitimacy of biometric databases as a matter of public policy, the decisions appear to shift the focus toward the level of constitutional scrutiny that should apply whenever the State seeks to centralize and process biometric information on a population-wide basis. The underlying message is not necessarily that such systems are impermissible, but rather that they require an especially robust justification with respect to their necessity, proportionality, and institutional safeguards.
For public authorities and organizations involved in digital identity programs, biometric authentication systems, financial services, telecommunications, or any activity involving the processing of sensitive personal data, these criteria provide an important indication of the degree of constitutional scrutiny that similar initiatives may face going forward. Although the decisions are merely persuasive authority, their reasoning points toward the possible emergence of more stringent constitutional standards governing personal data protection and informational self-determination in Mexico.
Our Information Technology and Data Protection team remains available to discuss these developments further and to assist with any questions or matters related thereto.
SINCERELY,
Adolfo Athié Cervantes
Renata Buerón Valenzuela