The Impact of Mexico's New Personal Data Exclusion & Breach Laws

May 09 2011, 02:15 PM by Hal Licino

“As a straight black man who is wheelchair bound after an accident in a CTM unionized shop caused by dizziness due to sickle cell anemia, I object to the anti-Catholic, anti-family tone of the PRD's latest campaign so I'm switching my vote to PAN.”

If you have that statement from a Mexican citizen on your computer systems and just that one lone sentence is compromised and revealed, congratulations! You've just violated the "sensitive personal data" regulations of Mexico’s new federal government laws punishing each unauthorized release of:
 
Genetic information
Philosophical and moral beliefs
Political views
Present and future health status
Racial or ethnic origin
Religious beliefs
Sexual preference
Union membership
 
…with a fine of over $3 million and ten years in jail. That one statement above is a Grand Slam hitting each of the eight factors, so now you can look forward to eighty years in a Mexican prison, right after your check for $24 million clears the bank. Mexico’s new legislation definitely has sharp and jagged teeth, and any email marketer with even one Mexican citizen on their subscription list would be well advised to take special precautions to avoid a debacle. Under Mexican law, if just 2% of the 77 million personal records revealed in the recent Sony PlayStation Network breach belonged to Mexican citizens, the Japanese electronics giant would be hit with fines totaling $4.6 trillion - which is roughly equal to Japan’s entire Gross Domestic Product.

What Constitutes "Legitimate Reasons" for Total Personal Data Deletion?

Mexico implemented its Robinson exclusionary list several years ago to allow citizens to place their telephone numbers onto a national do-not-call database. Like the other Robinson list systems implemented by a variety of nations, it has proven effective in stopping calls from legitimate, reputable telemarketing firms while at the same time being a boon for snake oil salesmen who thumb their noses at the law and use the list as a juicy database of leads to be milked. The new Mexican online citizen rights legislation allows any individual to demand complete data deletion directly from a company for what are deemed “legitimate reasons.” The Mexican courts have yet to weigh in on what the legal level of “legitimacy” entails, but it could be as quirky as “I don’t like your company because you changed your policies / prices / logo / chile relleno recipe.”

The Law Is Packed with Imprecise Language Open to Court Interpretation

The Mexican regulations also call for a company to “immediately” notify its customers of any data breach that would “significantly” affect them. This legal language is also open to a wide spectrum of interpretation by the courts. Is a “significant” effect the disclosure of the customer’s credit card number, or just their phone number or email address? Furthermore, what is “immediate?” In some cases companies may not be aware that their systems have been breached by hackers until months after the fact. Does “immediate” refer to when the act occurs or when the company admits it publicly?

Personal Data to Be Kept at DoD Top Secret Security Level?

The law also requires that companies marketing to Mexican citizens apply security measures to protect their customers' personal data that are not “inferior to those they keep to manage their own information.” This statement is yet another trip wire, as a corporation acting as a defense contractor to the Mexican government would have to keep its email subscription list as Top Secret as the most sensitive data provided to it by the Department of Defense!

Questioning Mexico's Enforcement Priorities

Observers seem to be split as to whether a government that has proven fairly ineffective in quelling the heated drug wars that have claimed the lives of tens of thousands of its own people has the political will and bureaucratic capability to enforce such adamantine laws in cyberspace. Some believe that this will be just another “paper law” with little to no enforcement, while others claim that due to the incentive of the massive fines that can be levied, the Mexican federal government may adopt the policy of some small, budget-strapped American towns: plunk traffic cameras along known speeding streets not so much for safety concerns but to use as a fine-machine cash cow. Regardless of any personal viewpoint, Mexico’s new laws deserve the careful attention of any email marketer marketing to that nation.

Posted in Tips & Resources, Email Marketing News