In mid-January, APEC (Asia-Pacific Economic Cooperation) announced that Mexico had become the second formal participant in APEC’s Cross-Border Privacy Rules (“CBPR”) framework, following the United States, which became the first formal participant in July 2012 (more details at “International: APEC and EU bodies discuss regional interoperability”, Data Guidance, 15 February 2013). A bit earlier the same month, the Secretaría de Economía, Mexico’s Ministry of Economy, published guidelines on a voluntary self-regulatory certification system (Parámetros para el correcto desarrollo de los esquemas de autorregulación vinculante a que se refiere el artículo 44 de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares), as part of implementing the CBPR framework into its national regime.
Here is my take on how I see the APEC’s CBPR system evolving in Mexico in the coming months, what its potential impact on businesses could be, and how it could interoperate with other systems, such as those in the United States and the European Union.
How the CBPR framework will move forward in Mexico over the next few months is hard to say, but a couple of elements can be taken into account to assess how its implementation process could shape up in Central America’s biggest economy. Companies can file their applications for binding self-regulatory rules (e.g., codes of conduct, privacy trustmarks, compliance certifications or capacity-building programs) with the IFAI from October 2013. How fast the process evolves depends on objective but also subjective elements.
Three main factors may slow down the implementation of the CBPR system in Mexico: an uncertain transitional political landscape, uncertain institutional developments at the country’s data protection authority, and the actual lack of a ‘culture of data protection’ among users and companies.
On the ‘half-empty glass’ perspective, I can see three main factors slowing down the implementation of the CBPR system in Mexico:
- the current uncertain transitional political landscape because of the new political majority that might take away the data protection portfolio from the IFAI’s hands, and either transfer it to another governmental institution (the Ministry of Economy (Secretaría de Economía)? PROFECO (Procuraduría Federal del Consumidor)? Another entity?), or decide to shelve it for the time being;
- the current uncertain institutional developments at the IFAI, the authority in charge of enforcing the data protection law and the CBPR’s certification mechanism, due to recent internal disputes among its commissioners and the possibility that all of its commissioners will be replaced; and
- the actual lack of a ‘culture of data protection’ among users or consumers (data subjects) and companies (data controllers), which is a factor that will take years to improve. Many companies are still not aware of the law and its obligations a year and a half after it became enforceable; users even less.
All three factors could slow down the path toward the adoption of self-regulatory frameworks by companies doing business in Mexico. Indeed, few Mexican companies have incentives to adopt self-regulatory schemes, as data subjects’ level of awareness about their data protection rights is very low and the Mexican data protection authority has until now been focusing most of its efforts on awareness rather than enforcement.
Being an optimist, I would see the glass ‘half-full’ and bet on these three factors to influence the take-off of the CBPR certification system in Mexico:
- the willingness the Mexican Ministry of Economy (Secretaría de Economía) has demonstrated thus far to use the CBPR system to promote e-commerce between Mexico and neighbouring countries – the United States in the first place – and brand the country as a top destination for the IT offshoring industry;
- chambers of commerce, trade associations, and their member companies could see the potential of the CBPR system to enhance commercial relationships between Mexico and foreign countries, the United States in the first place; then
- the speed at which Mexican subsidiaries of US companies embrace the new rules for their Mexico-United States transborder data flows could have a positive impact on its adoption by Mexican companies doing business with the US.
The impact of the CBPRs on Mexican and US businesses is minimal, as complying with the Mexican binding self-regulatory parameters is only voluntary. However, should those companies, especially foreign ones, wish to implement them, it could help them do business in the country by positioning themselves as early adopters and using it as a competitive advantage in the local market. The impact on businesses also depends on the company that must comply with the new rules: if the company is from the United States and already doing business with Mexico, complying with the rules may only require it to have its current self-regulatory framework approved by a Mexican “certifier” (the equivalent to the “Accountability Agent” in the APEC’s CBPR system) as complying with the Mexican data protection law – starting in Oct. 2013. With respect to Mexican companies, the learning curve will be much steeper, as many local companies, unless they already operate globally, do not yet have a self-regulatory framework in place, and it will probably cost them more to adapt to the new rules than their US counterparts.
It is too early to assess how the Mexican version of the APEC’s CBPRs may become interoperable with other systems. It will depend on how the system is actually implemented later this year, and enforced in practice by the IFAI. Recent discussions between European data protection authorities, their US counterparts and the International Chamber of Commerce have shown interest in making the CBPR system interoperable with the EU’s Binding Corporate Rules (“BCRs”). In the case of Mexico, if EU authorities had to decide whether binding self-regulatory rules of Mexico-based companies are considered compatible with BCRs, their decision would depend on a number of factors, the strongest of which is the relative similarity between its data protection framework and the one of the EU data protection directives and the OECD Privacy Guidelines.
How the Mexican-US CBPR model will develop will prove to be a test case that could influence how other APEC economies might want to implement the CBPR system into their own national data protection legal framework.



