Data Protection & Privacy 2022

Last Updated March 10, 2022

Mexico

Trends and Developments


Authors



Galicia Abogados, S.C. has more than 27 years of experience and is renowned for its knowledge in strategic sectors such as banking and finance, energy and infrastructure, private equity, regulated industries, real estate and hospitality, and health. Galicia differentiates itself from competitors in the Mexican legal market through its ability to provide a unique offer that includes strong transactional and regulatory advice coupled with strategic capabilities in litigation and ESG. Diversity, equity and inclusion (DEI) are a core part of Galicia’s values. The firm's DEI-driven culture has positioned over 17 women as partners, counsel, or in executive and management positions. Its environmental and sustainability model is one-of-a-kind in the Mexico and LatAm market: an ever-evolving programme that assures equal growth in all aspects with actions that cut across multiple sectors.

Sensitive Personal Data in the Digital Era: a Mexico Data Protection Law Perspective

The coronavirus pandemic has led to an unprecedented surge in the processing of personally identifiable information worldwide. From the widespread use of e-commerce and video communication platforms, and adapting to the new work-from-home environment, to technology aimed at health tracking and reporting, governments and private corporations are now in possession of one of the largest digital footprints ever, which raises concerns from a data protection perspective. Beyond concerns about overstepping individuals’ rights to informational self-determination – the right for individuals to exert control over information pertaining to them and held by others – attention should be drawn to the growing risks that corporations face when processing personal data, particularly, considering the opportunities provided by, and the legal gaps in, Mexican data protection regulation, often paired with a lack of clear guidance from the regulator. This article will briefly address some of these concerns and the risks that they pose, specifically, in relation to sensitive personal information.

What is sensitive personal data?

Personal data, as defined by the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (DPA), is any information concerning an identified or identifiable individual (a data subject). It therefore includes a myriad of data being constantly collected nowadays, including biometrics (eg, facial and body geometry, fingerprint mapping or voiceprints), which is often captured through smart phones, CCTV and instant communication technologies, or even through more innovative means such as drone cameras or virtual reality (VR). It may also capture location data inadvertently shared on a daily basis through Wi-Fi connections, satellite-based radio navigation systems or mobile communication networks.

This data’s sensitivity is unarguable. The relevant test under Mexican law requires (i) a relation to the most “intimate sphere” of the data subject, or (ii) a threat of discrimination or grave risk of harm to the data subject, if misused. The DPA specifically labels personal health; genetic, religious, racial or ethnic information; and information relating to union membership, political views and sexual preference, as sensitive personal data. Because a person’s physical appearance or movement patterns could potentially lead to discrimination and, when paired with certain technologies, can provide information that poses a threat or that is harmful, there is no question that such data could be construed as sensitive data and is hence deserving of heightened scrutiny, as assessed in the following sections.

Enhanced form requirement for consent

Under the DPA, all processing of personal data is generally subject to the data subject’s consent, except for those cases where the law expressly excludes it. In Mexico, as with other jurisdictions worldwide, consent for processing must be freely given, specific, informed and unambiguous. Although Mexican law recognises other legal bases for processing personal data, including when processing is necessary for the fulfilment of a legal relationship, consent is considered the default legal basis for processing.

This has to do with the fact that purposes for processing, albeit classified into essential and non-essential, are fundamentally non-exhaustive. Individuals and corporations who process personal data (data controllers) may only collect the minimum amount of data necessary for a specific purpose, provided such data is adequate and relevant in relation to that purpose. However, data controllers have general discretion as to the purposes for processing personal data so long as consent covers those specified purposes, which is why Mexico’s data protection regime is ultimately based on individual consent.

Still, it follows that the DPA establishes a higher standard when it comes to processing certain personal data (ie, financial and sensitive data) and, with this, a specific legal form requirement for data subjects to consent accordingly. While tacit consent is traditionally sufficient for processing simple personal data (eg, name, telephone number, email, etc), consent must be express and in writing when it comes to the processing and transfer of sensitive personal data. Express consent occurs when it is actively communicated either orally, in writing, by electronic or optical means or through any other technology.

Written consent, as established in Article 19 of the Regulations to the DPA – an administrative-in-nature set of norms recognised by Mexican law – is limited to handwritten signature, fingerprint and other mechanisms authorised by law. In a digital environment, it can be in the form of an electronic signature or through any other technology allowing identification of the data subject. The Federal Commercial Code recognises electronic signature as a valid form of consent that is as enforceable as a “wet ink” signature, defining it as “any electronic data [...] used to identify the signer with respect to a data message and to indicate that the signer approves the information contained therewith [...].”

Organisations operating in Mexico may not collect data subjects’ express and written consent – at least not in the form required by law – prior to the processing of much of the sensitive personal data collected through digital means. Even in the case of apps or sites with traditional user identification controls (eg, login credentials such as username and password), the high bar for “written” consent might not be reached, thereby rendering the grant of consent dubious. Moreover, although access to and use of a given service could constitute a clear affirmative action to consent to the processing of data that is necessary to use that specific service, it says little to nothing of a user’s will to subject their data to other processing purposes or even transfers (which are also subject to the owner’s written consent).

Under stricter regulations across the globe, including the European Union’s General Data Protection Regulation (GDPR), written consent, while recommended for purposes of accountability of the data controller, is not mandatory. It suffices as long as it is given through a declaration or an active motion (such as an opt-in), both of which are widely accepted industry best practices. The fact of the matter is that it would be virtually impossible to subject global emerging technologies to mechanisms that affect the user interface or experience, such as advanced electronic signature or facial/voice-recognition systems. This raises some questions regarding the current local norms’ limitations, and their effectiveness in a realm where data has become the world’s most desired and valuable commodity.

Sensitive “databasing” and data retention

In Mexico, the creation of databases containing sensitive personal data is generally prohibited, unless there is legitimate cause – which, according to Article 9 of the DPA, must be valid, specific and must relate to the activities or explicit ends pursued by the data controller. While it is the main exception provided for in the DPA, legitimate cause is one of three exceptions listed in the Regulations to the DPA, alongside legal mandate and public interest. In connection with the latter, the DPA establishes that the enforcement and exercise of the principles and rights provided therein are limited by the protection of national security, public order, health and safety, as well as the rights of third parties.

In addition, under the current data protection regime in Mexico, processing of personal data must be limited to that which is necessary, adequate and relevant in relation to the purposes set forth in the privacy notice. In the absence of disassociation or pseudonymisation, data controllers must delete any personal data that is no longer necessary for the fulfilment of the processing purposes. Moreover, according to Article 13 of the DPA, sensitive data processing periods must be limited to the “indispensable minimum”.

This is problematic as large technology corporations today are more and more interested in data retention and big data. Whether locally or remotely stored, data allows technology to work better by improving the overall experience that users have when in, or interacting with, a digital space. Governments and corporate players also gain substantial intelligence (directly or through analytics and aggregated data sets) on consumer preferences and choices, which is the basis for improved decision-making and the development and deployment of new technology, including artificial intelligence.

Although an argument can be made that sensitive data processing, under certain circumstances, could fall under the scope of legitimate cause (eg, when necessary to perform a specific contractual obligation), this is not always the case. Some technological developments rely on multi-party interactions that occasionally are not based in a contractual relationship. For example, the participants in a recorded videoconference can be entirely alien to that conference’s organiser, which could later use, store or share such content.

What is more, even in the case of people subject to a contractual relationship and a privacy notice, it is questionable whether the purposes for creating a sensitive database would meet the materiality standard of Article 9 of the DPA, in that they are intrinsic to the ends pursued by the data controller. Moreover, because data retention periods are – by law – directly related to the processing purposes outlined in the privacy notice, consideration should be given to these and to whether or not they allow further data use (upon completion of the contractual relationship), and, thus, could escape the restrictions of Article 13 of the DPA.

Here too, the proposition is not to jeopardise the experience of using the technology, but rather to clarify the tension between emerging technologies and the existing privacy-preserving data protection rules. However, until the current principles and laws are adapted to conform with modern global standards, corporations should be wary of cases where they might be running afoul of the law.

Moral rights’ distress, a basis for notification of breaches

The modern working environment has increased the risk and incidence of data security breaches and cyber-attacks, and, with that, the need for sound information security policies properly enforced within corporations. More and more people are using unsecured devices and public internet connections with low levels of protection. Considering that much of the data that transits through such channels is sensitive in nature, the chance of becoming subject to the regulator’s scrutiny is real.

A third safeguard established in Mexico’s data protection regulation in connection with sensitive personal data is in regard to data security breaches. While official reporting of data security incidents is not mandatory under Mexican law, it is incumbent upon data controllers to notify breaches that substantially affect the property or moral rights of any determined individual. The rationale behind this rule is to grant data subjects the opportunity to take timely action in defence of their rights.

Moral rights, as described in the regulator’s recommendations, are harmed when the breach relates to feelings, emotions, beliefs, honour, reputation, private life, physical configuration and aspect, opinions of self from others, or when liberty and the physical and psychic integrity of a person is illegitimately impaired. The use and abuse of sensitive data can significantly injure a person’s moral rights in that it generally conveys information about such a person’s private life or physical appearance. With notification to individuals being contingent on moral rights’ distress, and the likelihood of the latter – as well as the incidence of cyber-attacks – becoming increasingly common with the use of technology, data controllers are facing the growing risk of being subject to full investigations/sanctions by the regulator.

The rapidly increasing use of and demand for technologies that collect potentially sensitive data, therefore, calls for the attention of corporations processing data in Mexico. Under the DPA, controllers are accountable for complying with the principles and obligations thereby established, including implementing appropriate security measures to protect data against loss, theft, or unauthorised use or access. Compromising the security of databases, premises, programs or equipment, when attributable to the data controller, may result in the imposition of administrative fines that can go as high as USD1.4 million, and this amount, in the context of sensitive data, may be doubled.

Conclusion

In Mexico, the DPA was enacted in 2010, and has not been amended since. Although most governments throughout the world have actively worked towards introducing new data protection rules or enhancing pre-existing ones, topics including privacy, cybersecurity and data protection, while highly politicised, have not been prioritised in the legislature’s agenda recently. Corporations should be cognisant of this, and of how pervasive it will continue to be during the current crisis – where governments care more about the safeguards to ensure public health (including not overly restricting access to data), than they do about privacy controls or a trusted digital environment. This will allow them to adopt appropriate measures that guarantee harmonised compliance on a global scale, responsible data use and hazard-prevention.

Galicia Abogados, S.C.

Torre del Bosque
Blvd Manuel Avila Camacho 24 – 7th Floor
Lomas de Chapultepec
Mexico City CP 1000
Mexico

+52 55 5540 9200

apoyoprofesional@galicia.com.mx
www.galicia.com.mx
