Cross-Border Privacy Rules System Melissa Higuera Pérez Director for

Cross-Border Privacy Rules System Melissa Higuera Pérez Director for Privacy Policies and Agreements Federal Institute for Access to Information and Data Protection, Mexico

Data Protection in Mexico. overview A fundamental right (arts. 6, 16 and 73 of Mexican Constitution) FEDERAL LOCAL Government Mexican FOIA Private sector Federal Law on Protection of Personal Data held by Private Parties (DPL), its regulations and Parameters Several local Laws Binding Selfregulation

Mexican PEA IFAI Is the Privacy Enforcement Authority in Mexico for: i) The federal public sector and ii) The private sector, with the following powers: Conduct investigations Solve cases issued by data subjects regarding ARCO rights Impose fines Regarding the Binding Self- Regulation Parameters, IFAI authorizes, oversees and revoke accrediting entities that approve certifiers (AA) Ministry of Economy is a personal data regulatory entity involved in, among other things, the issuance of the SelfRegulation Parameters.

Self-Regulation Parameters They provide the rules governing: i) Binding Self- Regulation mechanisms and ii) The DP Certification System, including specific conditions to become an accrediting entity or a certifier (AA) Current status: The Ministry of Economy and IFAI are waiting for the final opinion of the Mexican Federal Regulation Agency. CBPR’s System & Certification Scheme Anyone who wants to apply to be an AA recognized by APEC and operate in Mexico, must comply with the parameters. This guarantees the correct operation of the system, in both the national and AP region environments.

Certification System vs. CBPRs System LEVEL I II CBPR’s SYSTEM DPS (JOP) Administrative functions to maintain the CBPRs System. Economies and PEAs that supervise the correct functioning of the System in their jurisdictions. II.1 CERTIFICATION SYSTEM IFAI authorizes, oversees and revokes Accrediting Entities Accrediting Entities approve, oversee and revoke certifiers (AA) III AAs that validate the privacy policies developed by data controllers and data processors. Certifiers (AA): Certify the correct processing carried out by data controllers/ processors. IV Data controllers and data processors. Data controller or the data processor.

Benefits for Mexico’s Participation 1. Protects the fundamental right for personal data protection Binding Self-Regulation mechanisms such as the CBPRs System provide minimum standards for PDP in the region needed because the: Rapid technology changes Territorial limitations of common privacy regulation (the CBPR System allows interoperability and international cooperation) 2. Benefits business’s efficiency in the region and user’s convenience. Ensures a free and SECURE flow of information across borders and provides regional recognition of better service providers (cloud services providers) investment

Cross-Border Privacy Rules System Thank you!