Disappearance Of The National Institute For Transparency, Access To Information And Personal Data Protection And New Federal Law For The Protection Of Personal Data In Possession Of Individuals

The New Law marks a profound institutional shift by disappearing INAI and transferring its functions to the Ministry, a body with no constitutional autonomy or collegiate structure.

Background

On March 20, 2025, it was published in the Official Gazette of the Federation (“DOF”) - the decree enacting, among other regulations, the new Federal Law for the Protection of Personal Data in Possession of Individuals (the “Decree”). The Decree entered into effect on March 21, 2025, and abrogated the previous law of the same name, published on July 5, 2010 (the “Former Law”), as well as other laws regarding transparency and access to public information.

The Decree was issued in compliance with the constitutional reform published on December 20, 2024, by means of which several provisions of the Political Constitution of the United Mexican States regarding organic simplification were amended, added and repealed (the “Constitutional Reform”). This reform, whose objective was the disappearance of the autonomous bodies of the Mexican State, was promoted since the beginning of the six-year term of office of former President Andrés Manuel López Obrador.

Six years later, and after obtaining a qualified majority in Congress, current President Claudia Sheinbaum finalized the extinction of the National Institute for Transparency, Access to Information and Protection of Personal Data (“INAI”), as well as other autonomous bodies such as the Federal Economic Competition Commission and the Federal Telecommunications Institute.

New Data Protection Authority

As of March 21, 2025, INAI - the agency that until then served as the regulatory authority on access to public information and protection of personal data - officially disappeared. All its authorities, as well as its material and financial resources, were transferred to “Transparency for the People”, a deconcentrated body dependent on the newly created Ministry of Anticorruption and Good Governance (the “Ministry”).

Regardless of the political objectives that motivated the Constitutional Reform, the analysis of the new Federal Law for the Protection of Personal Data in Possession of Individuals (the “New Law”) must be carried out independently. Only in this way will it be possible to adequately understand the new regulatory framework applicable to individuals and legal entities that process personal data (the “Regulated Subjects”) and, above all, to effectively adapt to the new rules of the game.

Key Regulatory Changes

In principle, it might appear that the New Law does not contain significant changes, since it retains several of the fundamental principles contained in the Former Law; however, it is necessary to perform a detailed analysis in order to identify certain modifications that could significantly change the way in which the processing of personal data is regulated in Mexico.

1. Changes in Definitions

One of the most relevant changes in the New Law is the modification and expansion of definitions in Chapter 1, which has significant practical implications. The definition of “processing” of data now includes any person involved in the data life cycle. This generates a broadening of the spectrum of regulated entities, including all those who intervene during the data life cycle, regardless of who originally obtained the personal data.

Likewise, the new law redefines the term “holder” as the person to whom the personal data corresponds. We consider this wording to be ambiguous and inaccurate, since it could be understood that legal entities could also be considered as holders of personal data.

This conceptual redesign broadens the scope of the regulation, but without providing clear guidance on the degree of responsibility of each player, which could lead to legal uncertainty for companies and professionals who collaborate in the process but are not directly responsible for the processing of data.

2. Consent

The New Law expands the exceptions to the need to obtain the consent of the holder for the processing of personal data. Previously, only through a law it was possible to authorize the processing of personal data without the consent of the data subject; now, processing without consent could be authorized through any legal norm, including regulations or administrative agreements.

Likewise, previously it was possible to exempt obtaining the consent of the data subject by virtue of resolutions of competent authorities; now, in the New Law, the exception is extended to orders, mandates and resolutions duly grounded and motivated, which expands the authorities to exempt the consent requirement.

Finally, the New Law establishes that, if a data controller processes personal data for a purpose different from that set forth in the privacy notice, even if it is compatible or analogous to the purposes established in the privacy notice, as provided in the Former Law, the consent of the data owner must be requested again. Although this seems to strengthen the protection of the data owner, in practice it may obstruct the operation of legitimate processing that evolves with the business models, imposing new administrative and legal burdens for the Regulated Entities.

3. Privacy Notice

In an unexpected change, the New Law removes the requirement to inform about personal data transfers in the privacy notice. Although the Regulations of the New Law still require this information, the omission in the legal text could be interpreted as a relaxation in the transparency of data flow, which generates uncertainty about the real scope of the obligation in the short and medium term. In this regard, it will be important to monitor the issuance of the secondary legislation to verify if this same position is reflected.

The content of the simplified privacy notice is also redefined. It shall now contain the identity and address of the data controller; the personal data processed, including express mention of sensitive data; the purposes of the processing, differentiating those that require consent; the means to limit the use or disclosure of the data; and the email address where the complete privacy notices may be consulted. These requirements, although not new in practice, imply a formal obligation of updating the privacy notices for all Regulated Parties. Likewise, several deficiencies are observed in the wording of the requirements that the simplified privacy notice must contain, since the type of personal data collected is what defines the type of consent required and not the purposes.

4. Procedural Aspects

The New Law establishes the indirect amparo trial as the only means of defence against acts of the Ministry of Anticorruption and Good Governance. This must be resolved by specialized judges and courts that do not yet exist, and whose creation must be completed within 120 days after the entry into force of the New Law. In the meantime, the procedural terms of ongoing cases will be suspended for up to 180 days.

5. Sanctions

The last change refers to the sanctioning regime. Apparently, there are no changes to the penalties, but the economic parameter for calculating them does change; the minimum wage is replaced by the Unit of Measurement and Updating (UMA, as per the Spanish acronym).

Implications and recommendations

The New Law marks a profound institutional shift by disappearing INAI and transferring its functions to the Ministry, a body with no constitutional autonomy or collegiate structure. This redesign not only undermines the independence necessary to protect fundamental rights but also weakens institutional counterweights by concentrating oversight in a dependency of the Executive branch, which poses clear risks of political capture and discretion in the enforcement of law.

At the operational level, companies face an adaptation process. It will be important to review internal policies, contracts and data management systems to comply with the new legal standards.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.