21.4.2025

Legal Reforms on Transparency and Data Protection in Mexico: New Obligations and Risks for Companies

Three new laws are reshaping Mexico’s legal framework on transparency and personal data. Companies now face heightened obligations, a greater risk of penalties, and an urgent need to update their internal policies.

Introduction: A new regulatory landscape for companies and institutions

On March 20, 2025, three major laws were published in Mexico’s Official Gazette, redefining the country’s legal framework on access to public information and personal data protection. These are accompanied by a reform to Article 37 of the Organic Law of the Federal Public Administration.

The reforms are not just administrative; they involve structural, operational, and compliance-related shifts for both public institutions and the private sector. In particular, they establish new legal obligations for companies, expand oversight powers, and increase the potential for sanctions in cases of non-compliance.

This article outlines the most relevant changes, the legal implications of the new laws, and the transparency compliance risks for companies operating in Mexico—particularly those required to manage large volumes of sensitive information.

Overview of the legislative changes

Three new laws and a structural reorganization

The reforms include:

  • General Law on Transparency and Access to Public Information
  • General Law on Personal Data Protection Held by Public Authorities
  • Federal Law on Personal Data Protection Held by Private Parties
  • A reform to Article 37, Section XV of the Organic Law of the Federal Public Administration

These instruments replace earlier laws and transfer the responsibilities previously held by the National Institute for Access to Information (INAI) to a new institution: the Ministry for Anti-Corruption and Good Governance.

General Law on Transparency and Access to Public Information

Guiding principles and procedural unification

This law guarantees the right to access public information and strengthens proactive transparency. It establishes:

  • Maximum disclosure as a guiding principle
  • Free access without requiring justification of interest
  • Clarity and accessibility of information, regardless of user profile
  • Uniform procedures across all branches of government, autonomous bodies, political parties, and entities managing public funds

Timeframes for response and procedures for appealing denied requests are standardized, improving the enforceability of access rights.

Open data as public infrastructure

The law defines open data as digital, structured, machine-readable information that is freely accessible and reusable.

Key characteristics include:

  • No registration or identification requirement
  • Availability in formats such as .csv, .json, or .xml
  • Descriptive metadata
  • Regular updates and free public access

The goal is to turn public data into a resource for innovation, research, and accountability.

National Access to Information System

The National System is the coordinating mechanism for institutions across the country. Under the reform:

  • It includes federal, state, and municipal authorities
  • It mandates use of the National Transparency Platform
  • It provides modules for requests, appeals, and interagency communication
  • It is now under the supervision of the new Ministry

This system aims to improve coordination, reduce discrepancies between entities, and enhance the transparency infrastructure.

General Law on Personal Data Protection Held by Public Authorities

Public entities’ new data responsibilities

This law governs the processing of personal data by public institutions. It reaffirms key data protection principles:

  • Lawfulness and purpose limitation
  • Loyalty, consent, and transparency
  • Data quality and proportionality
  • Institutional responsibility

All government institutions must justify the need for personal data and ensure secure processing from collection to deletion.

Data protection impact assessments

Public entities are now required to conduct Data Protection Impact Assessments (DPIAs) for projects involving high-risk data processing. DPIAs must:

  • Identify potential risks to data subjects
  • Establish safeguards before implementation
  • Be documented and auditable by the supervising authority

Expanded ARCO rights

In addition to the traditional ARCO rights—Access, Rectification, Cancellation, and Opposition—the law introduces:

  • Portability of personal data
  • Structured digital copies of user data
  • Clear rights in cases of automated processing without human intervention

New supervisory powers

The Ministry now has the authority to:

  • Interpret the law and issue guidelines
  • Resolve appeals and impose sanctions
  • Monitor and audit public institutions’ compliance

These expanded powers increase the transparency compliance risks for non-conforming agencies.

Federal Law on Personal Data Protection Held by Private Parties

New legal obligations for companies

This law applies to all private entities that process personal data, with particular attention to those collecting, storing, or sharing sensitive or large-scale data. Key new legal obligations for companies include:

  • Revising and expanding privacy notices
  • Documenting the legal basis for data processing without consent
  • Adopting internal control systems to manage risks

Consent and automated decision-making

The law clarifies and restricts exceptions to explicit consent and gives data subjects the right to:

  • Be informed about automated decision-making
  • Challenge decisions made without human oversight
  • Withdraw consent in broader scenarios

Expanded ARCO rights and organizational duties

New responsibilities include:

  • Allowing data subjects to access the conditions under which their data is processed, not just the data itself
  • Ensuring rectification includes outdated information
  • Recognizing “legitimate cause” as a new ground for opposition—despite its vague definition

Enforcement and penalties

Failures in transparency compliance and data protection violations may result in:

  • Administrative sanctions
  • Mandatory data disclosure by court order
  • Damages for negligent or intentional mishandling of ARCO requests
  • Judicial appeals through amparo trials

The new law also allows companies to charge fees for processing ARCO requests (with limitations) and formalizes self-regulation mechanisms under government supervision.

Legal implications of the new laws for the private sector

Revising internal compliance frameworks

Companies will need to:

  • Update privacy notices and consent formats
  • Review vendor contracts and data transfer clauses
  • Develop new documentation for data lifecycle management

Cross-functional capacity building

Compliance will no longer be confined to the legal department. Businesses should:

  • Assign clear roles for data governance
  • Train operational teams on compliance obligations
  • Align IT, legal, and HR protocols with the law

Operational and reputational risks

The legal implications of the new laws include:

  • Exposure to investigations and administrative proceedings
  • Increased litigation risks
  • Reputational harm following data leaks or non-compliance scandals
  • Negative audit findings affecting funding or partnerships

Conclusion: Compliance as a strategic defense

The new legal framework for data protection in Mexico demands much more than formal adjustments. It calls for strategic, integrated compliance that protects both organizations and individuals.

Understanding the legal implications of the new laws and responding proactively is essential. For many companies, this means strengthening internal procedures, fostering a culture of data ethics, and treating compliance not as a burden but as a competitive advantage in an increasingly regulated environment.

At EBL Consulting Group, we provide preventive advisory services to reduce risks and avoid sanctions.
