Data protection & privacy laws in Mexico (2026)

The Secretariat of Anti-Corruption and Good Governance (SABG) launched industry and civil-society dialogues in January 2026 to draft secondary regulations for the new data protection framework. As of mid-2026 no revised regulations have been published in the Official Gazette, leaving significant compliance gaps unresolved.

A new specialized federal court began adjudicating all data-protection rights disputes, replacing INAI's quasi-judicial function. This was the final element of the March 2025 institutional overhaul, channeling all pending and new ARCO-rights litigation to a single federal circuit.

A single decree published in the Official Gazette enacted a rewritten Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and a new General Law on Protection of Personal Data Held by Obligated Subjects (public sector), both effective 21 March 2025. The reform abolished INAI, transferred enforcement to SABG, and introduced mandatory data-processor obligations, stricter granular-consent rules, and explicit regulation of automated decision-making.

In one of its final major cases before dissolution, INAI initiated formal sanctioning proceedings against the Federación Mexicana de Fútbol concerning the Fan ID app's collection of biometric and personal data from stadium attendees without adequate consent. The case highlighted persistent enforcement gaps around biometric data and proportionality.

President Claudia Sheinbaum signed a constitutional reform eliminating seven autonomous bodies, including INAI, with data-protection provisions effective 23 December 2024. Congress was given 90 days to enact enabling legislation transferring INAI's functions to executive ministries, ending a decade of independent data-protection oversight and drawing sharp criticism from transparency advocates.

The LGPDPPSO extended full data-protection obligations—ARCO rights, data minimization, purpose limitation, security measures, and data-processor agreements—to all government bodies at federal, state, and municipal levels for the first time. It also introduced data portability in the public sector and designated INAI as the national supervisory authority across both public and private domains.

The LGTAIP replaced the 2002 federal transparency law and extended access-to-information obligations to all three branches of government and autonomous bodies at every level of the federation. It drew the critical boundary between citizens' right to access public information and government duties to protect personal data held by obligated subjects.

A constitutional amendment transformed the Federal Institute for Access to Information (IFAI) into the National Institute for Transparency, Access to Information and Personal Data Protection (INAI), granting it full constitutional autonomy: its own budget, commissioners with fixed non-removable terms, and decisions binding on all federal entities. This was the high-water mark of independent data-protection governance in Mexico.

The implementing regulation, effective 22 December 2011, specified detailed requirements for privacy notices, consent mechanics, data-security standards, cross-border transfer procedures, and how controllers must respond to ARCO-rights requests. It provided the practical compliance rulebook that companies needed to give effect to the 2010 statute.

The Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), published 5 July 2010 and effective 6 July, created Mexico's foundational private-sector data-protection regime. It established ARCO rights (access, rectification, cancellation, objection), mandatory privacy notices, consent requirements, and the IFAI as enforcement authority for all private organizations processing personal data in Mexico.

Reforms to Articles 16 and 73 of the Political Constitution of the United Mexican States explicitly recognized data protection as a fundamental autonomous right—separate from privacy—and empowered Congress to legislate on private-sector data processing. This constitutional foundation was the direct legal basis for the 2010 LFPDPPP and all subsequent data protection legislation.

President Vicente Fox signed the Federal Law on Transparency and Access to Public Government Information, creating the Federal Institute for Access to Information (IFAI)—Mexico's first independent data-oversight institution, initially focused on government transparency. IFAI later became the primary enforcer of the 2010 private-sector data protection law, making this the origin point of Mexico's modern data governance architecture.