Cedric Laurant

Mexico Implements APEC’s Cross-Border Privacy Rules

In Opinions on 26 February, 2013 at 02:12

In mid-January, the Asia-Pacific Economic Cooperation (APEC) announced that Mexico had become the second formal participant in the APEC’s Cross-Border Privacy Rules (“CBPR”) framework, following the United States, which became the first formal participant in July 2012. (More details at “International: APEC and EU bodies discuss regional interoperability”, Data Guidance, 15 February 2013). A bit earlier the same month, the Secretaría de Economía, Mexico’s Ministry of Economy, published guidelines on a voluntary self-regulatory certification system (Parámetros para el correcto desarrollo de los esquemas de autorregulación vinculante a que se refiere el artículo 44 de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares), as part of implementing the CBPR framework into its national regime.

"US & Mexican Flags" by chrissam42. Available at http://www.flickr.com/photos/chrissam42/. Licenced under a Creative Commons Attribution-NonCommercial 2.0 Generic (CC BY-NC 2.0) licence.

Here is my take on how I see the APEC’s CBPR system evolving in Mexico in the coming months, and on what its potential impact on businesses and its interoperability with other systems, such as those in the United States and the European Union, could be.

How the CBPR framework could be moving forward in the next few months in Mexico is hard to say, but a couple of elements can be taken into account to assess how its implementation process could shape up in Central America’s biggest economy. Companies can file their applications for binding self-regulatory rules (e.g., codes of conduct, privacy trustmarks, compliance certifications or capacity-building programs) with the IFAI from October 2013. How fast the process could evolve depends on objective but also subjective elements.

Three main factors may slow down the implementation of the CBPR system in Mexico: an uncertain transitional political landscape, uncertain institutional developments at the country’s data protection authority, and the actual lack of a ‘culture of data protection’ among users and companies.

On the ‘half-empty glass’ perspective, I can see three main factors slowing down the implementation of the CBPR system in Mexico:

  1. the current uncertain transitional political landscape because of the new political majority that might take away the data protection portfolio from the IFAI’s hands, and either transfer it to another governmental institution (the Ministry of Economy (Secretaría de Economía)? PROFECO (Procuraduría Federal del Consumidor)? Another entity?), or decide to shelve it for the time being;
  2. the current uncertain institutional developments at the IFAI, the authority in charge of enforcing the data protection law and the CBPR’s certification mechanism, due to recent intestine disputes among its commissioners and a possibility for all its commissioners to be replaced; and
  3. the actual lack of a ‘culture of data protection’ among users or consumers (data subjects) and companies (data controllers), which is a factor that will take years to improve. Many companies are still not aware of the law and its obligations a year and a half after it became enforceable; users even less.

All three factors could slow down the path toward the adoption of self-regulatory frameworks by companies doing business in Mexico. Indeed, few Mexican companies have incentives to adopt self-regulatory schemes as data subjects’ level of awareness about their data protection rights is very low and the Mexican data protection authority has until now been focussing most of its efforts on awareness rather than enforcement.

Being an optimist, I would see the glass ‘half-full’ and bet on these three factors to influence the take off of the CBPR certification system in Mexico:

  1. the willingness the Mexican Ministry of Economy (Secretaría de Economía) has demonstrated thus far to use the CBPR system to promote e-commerce between Mexico and neighbouring countries – the United States in the first place – and brandish the country as a top destination for the IT offshoring industry;
  2. chambers of commerce, trade associations, and their member companies could see the potential of the CBPR system to enhance commercial relationships between Mexico and foreign countries, the United States in the first place; then
  3. the speed at which Mexican subsidiaries of US companies embrace the new rules for their Mexico-United States transborder data flows could have a positive impact on its adoption by Mexican companies doing business with the US.

The impact of the CBPR’s on Mexican and US businesses is minimal, as complying with the Mexican binding self-regulatory parameters is only voluntary. However, should those companies, especially foreign ones, wish to implement them, it could help them do business in the country by positioning themselves as early adopters and using it as a competitive advantage in the local market. Impact on businesses also depends on the company that must comply with the new rules: if the company is from the United States and already doing business with Mexico, complying with the rules may only require it to have its current self-regulatory framework approved by a Mexican “certifier” (the equivalent to the “Accountability Agent” in the APEC’s CBPR system) as complying with the Mexican data protection law – starting in Oct. 2013. With respect to Mexican companies, the learning curve will be much higher as many local companies, unless they already operate globally, do not yet have a self-regulatory framework in place, and it will probably cost them more to adapt to the new rules than their US counterparts.

It is too early to assess how the Mexican version of the APEC’s CBPR’s may become interoperable with other systems. It will depend on how the system is actually implemented later this year, and enforced in practice by the IFAI. Recent discussions between European data protection authorities, their US counterparts and the International Chamber of Commerce have shown interest in making the CBPR system interoperable with the EU’s Binding Corporate Rules (“BCR’s”). In the case of Mexico, if EU authorities had to decide whether binding self-regulatory rules of Mexico-based companies are considered compatible with BCR’s, their decision would depend on a number of factors, the strongest of which is the relative similarity between its data protection framework and the one of the EU data protection directives and the OECD Privacy Guidelines.

How the Mexican-US CBPR model will develop will prove to be a test case that could influence how other APEC economies might want to implement the CBPR system into their own national data protection legal framework.

New “Privacy Guide for Spanish Speakers 2012” (Guía de Privacidad para Hispanohablantes 2012)

In News, Spanish on 9 January, 2012 at 21:40

Cedric Laurant Consulting and Privacy International are pleased to present the Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012).

This document is a translation from English into Spanish of a selection of the most relevant and most current parts of two reports: the latest edition of Privacy & Human Rights 2006 and European Privacy and Human Rights 2010.

Privacy & Human Rights is an annual report published by the Electronic Privacy Information Center (EPIC) and Privacy International that provides an overview of key privacy and data protection topics and reviews the state of privacy in more than 75 countries around the world. The report summarizes the legal protections, new challenges, and important issues and events relating to the protection of privacy and data. Published annually since 1998, this research has become the most comprehensive analysis of global privacy ever published.

European Privacy and Human Rights 2010 is a project carried out in 2010 by Privacy International, EPIC and the Center for Media and Communication Studies (CMCS) of the Central European University (CEU) in Budapest, Hungary, funded by the European Commission’s Special Programme “Fundamental Rights and Citizenship” (2007-2013).

The Privacy Guide for Spanish Speakers 2012 includes the following chapters:

  • General information on privacy (definition, aspects, models of protection, right to privacy, evolution of data protection, oversight and privacy and data protection commissioners, etc.)
  • Privacy topics (identification systems and identity cards, workplace privacy, social networking sites and virtual communities, surveillance of communications, authentication and identity disclosure, public records)
  • European Privacy and Human Rights 2010 (key findings, research and analysis, criteria and indicators, results and methodology)
  • European Union
  • Spain
  • Appendix: privacy resources.

Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012) [pdf - 6,5 MB]

The New “Privacy Guide for Spanish Speakers 2012” Is Out

In News on 9 January, 2012 at 21:37

Cedric Laurant Consulting and Privacy International (“PI”) are pleased to present the Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012).

This report is made up of a translation into Spanish of the most current and relevant sections of the Privacy and Human Rights 2006 and European Privacy and Human Rights 2010 reports.

Privacy and Human Rights is an annual report by Privacy International and the Electronic Privacy Information Center (EPIC) that reviews the state of privacy in over 75 countries around the world. It outlines legal protections for privacy and new challenges, and summarizes important issues and events relating to privacy and surveillance. The report provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. Published since 1998, this document has become the most comprehensive report on privacy and data protection ever published.

European Privacy and Human Rights 2010 was a project undertaken in 2010 by PI, EPIC and the Center for Media and Communications Studies of the Central European University. It was funded by the European Commission’s Special Programme “Fundamental Rights and Citizenship” 2007-2013. The report investigates the European landscape of national privacy and data protection laws and regulations in 33 countries in Europe, as well as any other laws or recent factual developments with an impact on privacy. The study consists of country reports, an overview presenting a comparative legal and policy analysis of main privacy topics and a privacy ranking for all the countries surveyed.

The Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012) includes the following chapters:

  • Overview of privacy (definition, aspects, models of privacy protection, right to privacy, evolution of data protection, oversight and privacy and data protection commissioners, etc.)
  • Privacy topics (identification systems and identity cards, workplace privacy, social networking and virtual communities, surveillance of communications, authentication and identity disclosure, public records)
  • European Privacy and Human Rights 2010 (key findings, research and analysis, criteria and metrics, results and methodology)
  • European Union
  • Spain
  • Appendix: privacy resources

Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012) [pdf - 6,5 MB]
