Laws or Regulations in Relation to the Metaverse

New technologies and applications, such as the metaverse, are quickly becoming a reality. Nonetheless, Mexico currently has no regulations in relation to the metaverse. Mexico’s Telecommunications and Broadcast Law (the Telecom Law) is technology-neutral, so there is no regulation that applies to a specific type of technology. The Telecom Law and its subsidiary regulations govern public telecommunications and broadcast services and the use of spectrum and licensing, but not technologies.

Key Legal Challenges in Relation to the Metaverse

The biggest legal challenge relating to the metaverse is that there is no specific legal/regulatory framework that easily allows the implementation of the metaverse and new technologies. Mexico’s telecommunications regulator (the Federal Telecommunications Institute ‒ IFT) has promoted the discussion of the metaverse and topics for new technologies over the last year, but no law/regulation exists as of February 2023. Therefore, any projects relating to the metaverse would be subject to the same laws and regulations as ordinary intellectual property, data protection and cybersecurity matters.

Laws and Regulations Regulating the Digital Economy

In general terms, the laws or regulations applicable to electronic commerce or e-commerce are the Federal Consumer Protection Law, the Code of Ethics for Electronic Commerce, Mexico’s Commerce Code, the Federal Civil Code, the Federal Copyright Law, the Federal Law for the Protection of Industrial Property, the Federal Law for the Protection of Personal Data in the Possession of Private Parties, the Income Tax Law, the Value Added Tax Law, the Federal Tax Code and Mexican Norm NMX-COE-001-SCFI-2018.

The Federal Consumer Protection Law

The Federal Consumer Protection Law governs the contents, promotions and offers made through electronic means. Specifically, Article 76 bis of the Federal Consumer Protection Law mandates that providers of goods and services through electronic means, optic channels or any other technology, shall:

• use in a confidential manner the information provided by consumers and not disclose or share such information with third parties not related to a transaction;
• use available technical elements to provide security and confidentiality to the information provided by consumers and inform the consumer of such security and confidentiality elements prior to the conclusion of a transaction;
• provide to consumers, prior to them entering into a transaction, the seller’s physical address, contact telephone numbers and means to file claims or clarifications;
• avoid using misleading commercial practices when advertising or selling a product;
• disclose all information on the terms, conditions, costs, additional charges, if applicable, and forms of payment for the goods and services offered;
• respect the consumers’ choice concerning the quantity and quality of the products it wishes to acquire, as well consumers’ decision not to receive any commercial advertisements; and
• avoid using sales or advertising strategies that do not provide consumers with clear and sufficient information about the products and/or services offered, especially in the case of marketing practices aimed at the vulnerable population.

In addition, providers of goods or services through electronic means must observe the Code of Ethics in Electronic Commerce published by Mexico’s Consumer Protection Agency (Procuraduría Federal del Consumidor ‒ PROFECO) and register themselves before PROFECO as responsible e-commerce providers.

Mexico’s Commerce and Federal Civil Codes

Mexico’s Commerce and Federal Civil Codes govern commercial operations and the exchange of data and information carried out through electronic means, as well as the methods to express consent, acceptance and validity within contracts when they are executed through the use of electronic means, optical channels or any other technology pursuant to Articles 1803, 1805, 1811 and 1834 bis of the Mexican Federal Civil Code and Articles 80, 89, 90, 90 bis, 91, 91 bis, 92, 93, 93 bis, 94 and 95 of the Commerce Code.

The Federal Law for the Protection of Personal Data in the Possession of Private Parties

The Federal Law for the Protection of Personal Data in the Possession of Private Parties regulates the way in which personal data must be treated by providers of goods and/or services, including the obligation to display a privacy notice and request a person’s explicit consent to the gathering and sharing of its data.

Mexico’s Federal Tax Code

Mexico’s Federal Tax Code governs e-commerce as it relates to the issuance of digital tax receipts, the issuance of electronic invoices and the use of the advanced electronic signature. This relates to tax matters only.

Mexico’s Value Added Tax Law

Mexico’s Value Added Tax Law establishes the following digital services as services subject to value-added tax, as long as there is a payment involved:

• services provided through applications or content in digital format, via the internet or some other network; and
• these services may or may not require any human intervention.

The Federal Income Tax Law

The Federal Income Tax Law establishes that all taxpayers must pay income tax over payments they receive for the sale of goods or services through the internet, technological platforms, computer applications and any similar digital services, including payments they receive for any ancillary concepts.

The Federal Copyright Law and the Federal Law for the Protection of Industrial Property

The Federal Copyright Law and the Federal Law for the Protection of Industrial Property apply in a general sense, since:

• the Federal Copyright Law protects and regulates the distribution of content or works under different platforms, including the internet; and
• the Federal Law for the Protection of Industrial Property protects and regulates the use of trade marks, distinctive signs and domain names through different means, including the internet.

Mexican Norm NMX-COE-001-SCFI-2018

Mexican Norm NMX-COE-001-SCFI-2018 regulates electronic commerce services in detail and establishes the terms and conditions that all e-commerce merchants must comply with, whether they sell their goods and/or services directly, through internet web pages or through an intermediary.

Key Legal Challenges in the Digital Economy

One of the biggest challenges in relation to the digital economy in Mexico lies with the regulation of social media, whether for commercial, expression, information or entertainment purposes. Although there is a bill in the Mexican Senate that seeks to govern the operation of social media by means of amending the Telecom Law and giving additional powers to the IFT, the fact is that such bill has been opposed by civil society, NGOs, social media groups and suppliers and it is likely that neither this bill nor similar bills will be passed prior to the coming Presidential election in 2024.

Laws and Regulations in Relation to Cloud and Edge Computing

Mexico is the second largest cloud and edge data centre market in Latin America after Brazil, and several domestic and foreign companies offer cloud computing services through a combination of domestic and international data centres that offer low latency and redundancy.

Unlike other jurisdictions in Latin America, Mexico has no general laws that impose limitations on the entrusting of certain processes or data to the cloud or edge computing, although certain regulations – like the IFT’s Collaboration with Justice Guidelines – which require telecommunications licensees to store in Mexico the information necessary to respond to information warrants from Mexican courts or crime prosecution agencies.

Nonetheless, Article 19.12 of the United States-Mexico-Canada Agreement (the USMCA) prohibits the parties from requiring members of the other parties to locate computing facilities in their own country as a condition for conducting business. Since the USMCA, like other international treaties entered into by Mexico, has a legal hierarchy right below the Mexican Constitution, Mexico’s Congress cannot pass any laws that would set such a requirement.

In addition, Article 52 of Mexico’s Data Protection Regulations defines “cloud computing” as the external supply of on-demand computer services that implicate the provision of infrastructure, platforms or software distributed through a flexible mode and virtualisation processes with dynamically shared resources; it further states that Mexican regulatory agencies shall issue governing criteria for the processing of personal data through cloud computing, within the scope of their jurisdiction and with the collaboration of Mexico’s National Institute for Information Access (INAI).

In July 2019, INAI issued its Minimum Standards for the Contracting of Cloud Computing Services that Involve the Processing of Personal Data (the Standards). The Standards are not mandatory and offer general recommendations to users who seek the safeguarding of their personal data.

The Standards’ main recommendations to cloud service users include the following.

Prior considerations

Before executing a cloud services contract, users should carry out the following.

• Identify the data, processes or functions that will be involved in the cloud computing service.
• Identify the data provisioning model to guarantee the processing of personal data in the cloud computing service.
• Verify security policies and measures for the use of cloud computing services.
• Evaluate all aspects of the service, as well as the terms and conditions of the cloud computing service to be contracted.
• Users should verify the supplier’s level of compliance and the quality of its services and safety measures, and whether the supplier has been subject to complaints or investigations from personal data authorities around the world.
• Users should check the supplier’s name or business name and means of contact for customer services (email, phone, automated systems, etc), depending on the geographical area (regional offices, local offices, etc).
• Users should check the governing law and location for the processing and storage of personal data, identifying certifications that are enforceable on the supplier and the governing law of the contract, as well as the location of systems for the processing and storage of personal databases and, where appropriate, the corresponding service’s regional office.
• Clients should verify that the contract includes clauses that prevent the supplier and its subcontractors from claiming ownership of the information provided by the client, at any time, and clauses, policies or automated systems that:
1. guarantee that the supplier uses the information only for the purposes set forth in the terms and conditions of the cloud computing service;
2. restrict and limit the supplier from disclosing or modifying the processing of personal data or the information generated by the client;
3. keep the client informed as to who shall have access to its personal data and for what purpose;
4. guarantee that the client may access, amend or remove its personal data at any time;
5. notify the client of any changes or updates in the provision of the cloud computing service, as well as of any incident that causes a service interruption;
6. inform the client of any violation of safety measures for the processing of their personal data; and
7. provide compensation for failure or service interruption, or due to a violation of safety measures in the processing of the client’s personal data.

Transparency

As regards transparency, the Standards recommend that suppliers provide the following:

• transparency regarding the people or companies subcontracted by suppliers for cloud computing services;
• mechanisms to guarantee the legal processing of personal data by outsourced third parties;
• mechanisms for clients to access, rectify or cancel their personal data or to oppose the use of it (ARCO Rights); and
• mechanisms for the removal of personal data through safe deletion from the cloud, which mechanisms shall prevent the recovery of personal data by an unauthorised third party.

Safety measures

As regards safety measures, the Standards recommend users to select suppliers who have clauses, policies or automated systems that:

• guarantee the processing of personal data in safe systems, whether they belong to the supplier and/or outsourced third parties;
• guarantee the availability, integrity and isolation of the client’s personal data from the information of other clients;
• guarantee the client’s administration, control and access over the processing of its personal data in cloud computing services;
• make suppliers subject to audits by third certified parties, regarding their compliance with applicable regulations; and
• make suppliers subject to certification.

Risk evaluation

As regards risk evaluation, the Standards recommend that clients be aware of the following risks when suppliers process their personal data:

• lack of control over the personal data lifecycle in the cloud;
• absence of transparency with outsourced third parties;
• lack of automated systems or support mechanisms when processing personal data in the cloud;
• inappropriate use of shared resources, and the absence of isolation of the client’s personal data in the cloud;
• lack of portability or interoperability of the client’s personal data; and
• misunderstandings in the processing of personal data when the information is used by unauthorised third parties or multi-stakeholders, or for advertising purposes, without the client’s authorisation;

Other considerations

The Standards recommend that clients avoid contracting with suppliers that do not offer clauses, policies or mechanisms that offer and guarantee the retrieval of personal data when the service ends. The Standards recommend clients to verify the supplier’s terms and conditions for the interoperability and portability of their personal data. The Standards advise clients to prefer suppliers that allow contract negotiation, in order to tailor the contract to the client’s service requirements.

Highly Regulated Industries

The financial industry is subject to additional regulation regarding cloud services and financial institutions must therefore obtain authorisation from the National Banking and Securities Commission (CNBV) for any type of service or commission abroad. Moreover, Mexican finance laws and regulations establish that Technology Financial Institutions (ITFs) in which cloud services are provided by third parties, must adopt special measures in their respective continuity plans in order to protect the interests of their customers and to maintain their own security, operational integrity and finances, as well as the security and operational integrity of the payment system as a whole, without prejudice to any other measures imposed on the ITFs by any applicable law or its provisions.

Some regulated industries, like health, insurance and telecommunications, may be subject to additional data regulations, but these do not extend to cloud services specifically.

Issues Processing Personal Data in the Context of Cloud Computing

There are certain specific issues affecting the processing of personal data in the context of cloud computing, which include:

• low coverage and penetration of broadband services;
• distrust over information processing by private and governmental entities, either because of third party hacks and/or possible invasion of privacy (big brother syndrome);
• lack of exemplary punishment against data privacy violations by private or public entities;
• absence of local representatives and professional customer care; and
• a shortage of trained personnel who know how to administer cloud services.

Laws and Regulations in Relation to the Use of AI and Big Data

There are no laws or regulations that govern the use of artificial intelligence and big data in Mexico, nor are there any specific industry codes of conduct.

To date, Mexican authorities like the IFT have only conducted seminars or research studies in order to evaluate the adoption of artificial intelligence tools among Mexican users and identify areas of opportunity to provide recommendations and information to the general public.

Relevant Elements

Except for Article 52 of Mexico’s Data Protection Regulations and certain industry-specific regulations, any projects relating to big data and artificial intelligence would be subject to the same conditions of liability, insurance, data protection, intellectual property, jurisdiction and fundamental rights as any regular project.

Regarding data protection, Mexico has an “opt in” regime regarding the treatment of personal data, under which owners of personal data must consent to the treatment of their data through different available means, which may include a signature or a “click”.

Responsible parties that process (treat) personal data are obliged to safeguard and protect a person’s information, such as their name, address, email, telephone number and any other data that serves to identify an individual.

Responsible parties must also publish a data privacy notice, which must be made available to those persons whose information is collected, along with any changes to such data privacy notice. Unless expressly authorised, a responsible party or a third party cannot use personal data to contact the user to offer or promote products or services. Regarding the treatment of personal data, INAI outlines a general process for individuals to ensure the exercise of their ARCO rights (ie, access, rectification, cancellation or opposition).

This process is based on the following principles:

• lawfulness and fairness – individuals must act in compliance with the laws and regulations for the protection of personal data;
• consent – the data controller shall have the consent of the individual for the processing of their personal data;
• information – individuals must be informed about the main characteristics of the processing to which their personal data will be subject;
• proportionality – the controller is obliged to process personal data only if such information is necessary, adequate and relevant to the purposes for which said personal data was collected;
• purpose – personal data may only be processed in order to comply with the purpose, motive or reason for which the owner has been notified;
• quality – this principle states that processed personal data shall be accurate, correct, complete, up to date and relevant; and
• liability – this condition is based on the principle of “accountability”, which establishes the obligation to take all necessary measures to ensure the protection of personal data, even when the data is being processed by machines or AI.

These principles are mandatory under Mexico’s Data Protection Regulations for the protection of personal data held by private parties. In case of conflict, individuals may file a complaint before the INAI, which will review whether the data controller has complied with all of these principles during its processing of personal data.

Laws and Regulations in Relation to the IoT

There are currently no laws or regulations in relation to the internet of things.

As mentioned in 1.1 Laws and Regulations, Mexico’s regulatory environment is technology neutral and the IFT only seeks compliance of regulations that apply to all electronic communications regarding hardware homologation, interconnection, no spamming, no phishing, consumer protection, collaboration with justice, numbering, net neutrality, spectrum use and signalling.

In addition, the IFT published in 2021 its Network and Traffic Management Guidelines (the Guidelines), which apply to internet service providers (ISPs).

The Guidelines are intended to ensure net neutrality and that ISPs establish general network traffic policies that comply with the following principles:

• to guarantee the quality and speed of the internet access services contracted by the end user;
• to preserve the integrity and security of internet access networks, as well as end users’ private communications;
• to guarantee users’ freedom of choice to access any content, application or internet service, without the ISP limiting, degrading, restricting or discriminating access to them; and
• to guarantee non-discriminatory treatment of end users, applications, content and/or service providers, similar types of traffic as well as own and third-party traffic on the network.

On the other hand, the Guidelines allow ISPs to supply services in which ISPs give special treatment to content, apps or services accessed by end users.

In this case, the cost of data for access to a specific content, application or service is sponsored by a third interested party, provided that the end user has an active data balance in either its prepaid or post-paid services.

The IFT’s Guidelines also allow the provision of “free” services when the end user does not have an active data balance provided that such services:

• have the purpose of reducing the digital divide;
• promote digital financial inclusion; and
• allow end users to make top-ups, payments and contract telecommunications services.

The Guidelines also allow ISPs to provide specific or superior network resources to transmit and improve upload and download speeds or the user’s experience, as long as these services in no way affect the quality or speed of other traffic transmitted through the same public telecommunications network.

It is important to highlight that ISPs that distribute content, applications or services of their own through the use of specific resources of their networks shall make these resources available to providers of applications, content or any other internet-based service, and in no circumstance shall such services require the providers of applications, content or any internet-based service to pay for the transmission of the traffic generated by their content, applications or services, under standard conditions.

Relevant Elements

Machine-to-machine communications will likely make the most use of sponsored or free ISP services under the Guidelines.

This will especially be the case for financial, gaming, security, healthcare, transportation or emergency apps and services; it is therefore reasonable to assume that banks, gaming platforms, child or elderly care companies or institutions will seek to contract these services from ISPs.

The Guidelines further require ISPs to:

• file before the IFT every six months a report that includes the name of the companies or individuals that sponsor the provision of services (data consumption sponsorship), the service rate registered before the IFT and the term of such offer, within the ten business days following the closing of each semester; and
• publish in their web portals their policy code for traffic management (the Policy Code), which shall incorporate the principles under which the ISP shall carry out its traffic and network management.

The Policy Code shall also include:

• a clear description of the ISP’s network monitoring techniques that will serve as a basis for the administration of traffic and the ISP’s network;
• recommendations to end users on how to reduce risks to the privacy of their communications and their network’s security;
• updated references to the current legal and regulatory framework and, in its case, to international standards that support traffic and network management; and
• the last date on which the Policy Code was updated.

Main Requirements for Providing Audio-Visual Media Services

The Telecom Law regulates the issuance of universal service licences or single concessions for telecommunications and broadcast services which do not include over-the-top services (OTTS).

Therefore, the single concession licence to provide an audio-visual media service such as pay TV would be the same as the single concession licence for a fixed broadband or telephony service; however, online audio-visual platforms such as Netflix, AppleTV, Disney Plus and Amazon, as well as video-sharing platforms, are not subject to licensing or content regulation.

In the case of over-the-air TV and radio broadcast services, the Telecom Law establishes that the granting of a spectrum licence – in the case of commercial services – must be awarded through a public auction.

Procedure

Single concessions have to be filed before the IFT along with legal documents and technical and financial plans, and the IFT has 120 business days to rule over an application; this time period is usually extended by 60 days due to additional information requests from the IFT.

The government fee for the processing of a single concession application is approximately USD1,500.

Scope of Requirements for Local Telecommunications Rules

The Telecom Law and its subsidiary regulations govern traditional telecommunications services such as pay TV, broadband, SMS, over the air TV and radio broadcast as well as ordinary telephone calls; however, modern services such as audio-visual streaming, instant messaging or video/audio calls are not regulated or subject to licensing.

The only precedent that exists as to regulation of OTT or digital services is the antitrust authorisations issued by the IFT and/or Mexico’s Economic Competition Commission (COFECE).

As it refers to those non-spectrum-based services that fall within the scope of local telecommunications rules and the requirements prior to bringing them on to the market, Mexico’s Telecom Law foresees two types of licensing:

• a single concession that is facilities based; and
• reseller authorisations that allow for the resale of services provided by single concession holders.

Both licences allow for the provision of telecommunications services without limiting their scope to a specific technology.

As mentioned in 6.1 Requirements and Authorisation Procedures, all spectrum concessions for commercial purposes are licensed through a public auction. For single concessions, the IFT has 120 business days to rule over an application and the government fee for the processing of such application is of approximately USD1,500.

The government fee for the processing of a reseller license is approximately USD500 and the IFT has 30 business days to rule over an application, after which term the reseller authorisation is deemed granted if there is no reply from the IFT; however, this rule does not apply to single concession applications.

In addition to licensing, services that use national numbers like regular phone calls or SMS are subject to specific regulation for matters such as the assignment of number blocks, domestic or international interconnection, signalling and numbering.

On the other hand, terminal equipment that transmits signals through the airwaves and/or connects to a public telecommunications network has to be homologated before the IFT, it must not cause harmful interferences to other telecommunications systems and, when applicable, it must comply with the applicable National Norm Certification.

Homologation is carried out before the IFT, which has from 12-30 business days to rule over a homologation application. Homologation certificates can be of three different types, which are the following.

• Type A homologation certificates apply to equipment considered as inherently compliant according to one or more of the IFT’s Technical Regulations. This type of homologation certificate applies to scientific, medical or industrial equipment. The IFT has 12 business days to issue a Type A homologation certificate, and the applicable government fees is of approximately USD45.
• Type B homologation certificates apply to equipment that the interested party intends to operate during the organisation and celebration of a specific event, considering that its use is temporary and that same shall operate as secondary use. The IFT has 30 business days to issue a Type B homologation certificate, and the applicable government fees is of approximately USD150.
• Type C homologation certificates apply to equipment for telecommunications or broadcasting infrastructure that need to comply with the IFT’s Technical Regulations through a verification unit. The IFT has 30 business days to issue a Type C homologation certificate, and the applicable government fees is of approximately USD170.

Technology Agreements - Challenges

The main challenges encountered by organisations entering into technology agreements with Mexican organisations relate to the setting up of business in Mexico, since agreements may require the incorporation/organisation of a local company, the registration of the new company’s by-laws before the Public Registry of Commerce, the registration of the new company before Mexican tax and social security authorities, opening a bank account and registering the new company before Mexico’s National Immigration Institute as an employer. All of these requirements can take several months to complete.

Specific Features of Mexican Laws

Mexico has no provisions on technology agreements such as price revisions or restrictions on the importation of equipment, other than compliance with general technical norms and homologation, international data transfers or storage location. No licence is required for the provision of IT services.

Heavily Regulated Industries

As in other countries, banking and insurance are subject to greater restrictions than other industries and must obtain licensing from finance regulators, which in this case are Mexico’s National Banking and Securities Commission or Mexico’s National Insurance and Bonds commission.

In addition, banks and insurers have to comply with applicable laws as well as regulation approved by finance authorities, including Mexico’s Central Bank, Mexico’s Ministry of Finance, etc.

That said, Mexico also has a law for the Regulation of Financial Technology companies which seeks to promote and organise the operation of fintech entities and protect consumers. This new law is intended to reorganise a sector that was previously mostly unregulated, and several companies that operated prior to the enactment of this new law have not been able to meet licensing and operation requirements; nonetheless, the general public has benefitted from having more transparent and reliable fintech service providers that are also overseen by the CNBV.

Laws and Regulations in Relation to the Delivery of Trust Services, the Use of Electronic Signatures and Digital Identity Schemes

The exponential increase in electronic transactions in Mexico is rapidly moving suppliers and consumers towards a complete digital model that requires guarantees of data integrity, confidentiality and authenticity of exchanged and archived payments, information and documents through the use of trust services, electronic signatures and digital identity schemes.

Mexico’s Commerce Code recognises the validity of electronic transactions and contracts. Nonetheless, Mexico also has regulation that governs the use of trust services or e-signatures, such as the Commercial Code’s Guidelines for Trust Services Providers (PSC), Mexican Norm NOM-151-SCFI-216 and Mexico’s Advanced Electronic Signature Law.

The purpose of the foregoing regulation is to establish standards for information security, electronic commerce and advanced electronic signature, as well as to certify trust services providers for the issuance of digital certificates and other advanced electronic signatures.

Nonetheless, the problem with many of these certifications and standards is that many of them are not the trust services or software that most people use on a daily basis, and in such case, many users may prefer to continue using common commercial trust services and e-signatures, even if they are not endorsed or certified by Mexican authorities.

The exception to the above would be Mexico’s advanced e-signature, which is absolutely necessary in order to file tax returns or exchange communications with tax authorities.

Relevant Elements

Due to the high volume of remote or electronic transactions in which a supplier may not have a presence in Mexico and a user or consumer may therefore not have the opportunity to file complaints at a business address or representative in Mexico, concepts like liability, insurance, data protection, jurisdiction and fundamental rights have become more important than ever.

Strong regulation is necessary in order to protect consumers and users against fraud, identity theft or misuse of their personal data, which are practices that in many cases are impossible to revert, even if they get to be sanctioned. This has happened in recent cases in which Mexico’s justice system prosecuted, fined or even imprisoned individuals who committed online violations like the unauthorised distribution of private content, including pictures or videos of an intimate nature.

In these cases, jurisdiction becomes a key factor, since a person may or may not be able to file a complaint or lawsuit in their country of residence against a person or supplier they consider to have violated their rights or even their fundamental rights. In this respect, Mexican and international law have a long way to go.