CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulations came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.

Additionally, Mexico is a signatory to international agreements on data protection, such as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Mexico is also a member of the Ibero-American Data Protection Network.

The principal data protection legislation is Law 19.628 “on protection of private life” (also known as the Chilean Data Protection Law or “CDPL”). 

There are also two other legal provisions that regulate some aspects of personal data processing:

  • The Chilean Constitution, in its Article 19 Nos. 4 and 5, which enshrines the right to privacy as well as the protection of personal data; and
  • Law 19.496 (Consumer Protection Law), which regulates unsolicited commercial marketing communications to consumers.

Data protection in Kenya is regulated by the Data Protection Act No. 24 of 2019 (the "DPA").

The DPA came into effect on 25 November 2019.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI") is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities and budgets, as well as to protect personal data and the right to privacy.

The INAI, if requested by a data subject, may carry out an investigation to verify a specific undertaking's compliance with the Data Protection Legislation and sanction those found to be in breach of it.

Chile does not have a Data Protection Authority.

The Office of the Data Commissioner.

The Data Commissioner was formally appointed on 16 November 2020 and is in the process of setting up its office.

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

Congress is discussing a new law that will replace the current one and raise the protection standards.

Anticipated changes:

  • A new legal definition: The objective will be to update and expand it, in accordance with international standards;
  • Legitimate Basis for Processing: A more robust basis for processing has been incorporated;
  • The creation of a Data Protection Authority: A National Directorate for Personal Data Protection with the obligation to register databases;
  • Cross-Border Data Transfer: It will be regulated for the first time; the current law contains no provision governing cross-border data transfers;
  • A new set of infringements;
  • A complaint procedure: This procedure will consist of three steps. First, a direct claim to the data processor. Secondly, an administrative claim before the new National Directorate for Personal Data Protection, and finally, a judicial claim that disputes the decision of the National Directorate for Personal Data Protection.

Following the Data Commissioner's appointment, a Task Force was convened in January 2021 to develop the Data Protection Regulations under the DPA.

4. Sanctions & non-compliance

The INAI has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection; and
    • Creating special data databases in violation of the Data Protection Law.

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Since there is no Data Protection Authority, sanctions can only be imposed by a judge (in a civil procedure). To this end, Law 19.628 establishes a special procedure called “habeas data”. However, it is common practice to also use the “Remedy for the Protection of Constitutional Rights”, a constitutional action, to protect the fundamental rights affected by an illegal or arbitrary treatment of personal data.

Administrative sanctions:

The DPA gives the Office of the Data Commissioner the power to impose administrative fines for failure to comply with the DPA.

The Office of the Data Commissioner may impose a fine of up to KES 5m (USD 50,000) or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. The fine is payable to the Office of the Data Commissioner.

Failure to comply with an order of the Office of the Data Commissioner is considered an offence under the DPA.

Section 65 of the DPA accords all data subjects the right to compensation from data processors or controllers for damage caused to them.

Criminal sanctions:

There are certain specific offences under the DPA including:

  • Unlawful disclosure of personal data in a manner incompatible with the purpose for which the data was collected;
  • Unlawful disclosure of personal data that the data processor processed without the prior authorisation of the data controller;
  • Obtaining access to personal data without the prior authorisation of the data controller or processor holding the data;
  • Disclosure of personal data to a third party without prior authorisation by the data controller or processor holding the data;
  • Sale of personal data obtained unlawfully. Advertising the sale of such data constitutes an offer to sell under this offence;
  • Failure to register with the Office of the Data Commissioner as a data processor or controller;
  • Provision of false or misleading information during the application process for registration as a data processor or controller;
  • Obstruction of the Office of the Data Commissioner during an investigation.

On conviction, an offence under the DPA carries a general penalty of a fine not exceeding KES 3m (USD 30,000) or an imprisonment term not exceeding ten years, or both. Obstruction of the Data Commissioner during an investigation is an offence liable to a fine not exceeding KES 5m (USD 50,000) or imprisonment for a term not exceeding two years, or both.

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

There is no registration or notification obligation since there is no data protection authority in Chile and the law does not establish this requirement.

The DPA requires data processors or controllers to register with the Office of the Data Commissioner. The DPA, however, allows the Office of the Data Commissioner to set a threshold for data processors or controllers whose registration shall be mandatory. This threshold is yet to be set, but we anticipate it will be in the upcoming regulations currently in development.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the individual or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controllers: the individual or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is presumed to be met when the personal data is provided directly by the data subject; if not, the Data Controller must take the measures needed to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, up to date and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the proper processing of personal data in their custody, as well as of the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.

Data processing: 

According to the CDPL, the processing of all data shall be carried out:

  • In a manner consistent with the law;
  • For the purposes permitted by the legal system; and
  • With attention to the full exercise of the fundamental rights of the data subject.

Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.

Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.

Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data or information related to the data bank; this obligation does not cease upon completion of their functions or activities in that field.

Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law).

Sensitive personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of their private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:

  • The law authorises it;
  • The data subject expressly accepts said processing;
  • Such data is necessary to establish or grant health benefits that pertain to the respective data subject.

Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.

Data Processing Principles:

All data processors/controllers are required to follow the data protection principles, which are:

  1. Data processing in accordance with the right to privacy of the data subject;
  2. Fair and transparent processing of a data subject's personal data;
  3. Collection of personal data for specified and legitimate purposes and not further processing beyond those purposes;
  4. Purpose limitation for data collected;
  5. Collection of personal data relating to family or private affairs only where a valid explanation is provided;
  6. Accuracy of collected personal data and every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  7. Personal data is to be kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected;
  8. Personal data shall not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.

Duty to Notify:

Before collecting any personal data, data processors/controllers are required to notify a data subject of:

  1. Their rights as data subjects under the DPA;
  2. The fact that their data is being collected and the purpose for the collection;
  3. Any third parties that have or will have access to their data including details of safeguards adopted;
  4. The contacts of the data controller/processor and any other entity receiving the collected personal data;
  5. The technical and organisational security measures taken to ensure the integrity and confidentiality of the data;
  6. Whether the data is being collected pursuant to any law and whether such collection is voluntary or mandatory;
  7. The consequences, if any, if they fail to provide all or any part of the requested data.

Lawful Processing:

Personal data may only be processed on the lawful basis provided under Section 30 of the DPA as:

  1. Consent: the individual has given clear consent for a data processor or controller to process their personal data for a specific purpose;
  2. Contract: the processing is necessary for the performance of a contract between a data processor or controller and the data subject, or because the data subject has asked the data processor or controller to take specific steps before entering into a contract;
  3. Legal obligation: the processing is necessary for a data processor or controller to comply with the law (not including contractual obligations);
  4. Vital interests: the processing is necessary to protect the vital interests of the data subject or another natural person;
  5. Public task: the processing is necessary for a data processor or controller to perform a task in the public interest or the exercise of official authority vested in the controller;
  6. Legitimate interests: the processing is necessary for a data processor or controller's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject's data which overrides those legitimate interests;
  7. Historical, Statistical, Journalistic, Literature and Art or Scientific research: if the data is required in such pursuits.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

Data subjects are entitled to access their personal data held by the Data Controller, as well as information regarding the conditions and general terms of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if retention is required by applicable law or public interest).

Right of Objection

Data subjects may, at any time, object on legitimate grounds to the processing of their personal data.

Access to data

The right of all data subjects to demand from the person responsible for any public or private data bank any information that pertains to them, its source, the purpose for collecting it, the legality of the data processing and the names of the individuals or entities to which the data is regularly transmitted.

Correction and deletion

Correction or modification: The right of all data subjects to request the modification of inaccurate, incomplete, misleading or outdated data that concerns them.

Cancellation

The right of all data subjects to demand the destruction or cancellation of personal data when the purpose of its storage has no legal basis or when it has expired.

Data subjects have the right to request the cancellation of data if the data storage is not authorised by law or if the authorisation has expired. Data subjects are also entitled to exercise this right even if the data was voluntarily provided or is being used for commercial communications, and they no longer wish to appear in such records, temporarily or permanently.

Marketing objection

The Consumer Protection Law regulates unsolicited commercial or marketing communications sent by email to consumers. Such communications must include a valid email address to which the recipient may request the suspension of future communications.

Under the DPA, data subjects have the following rights:

  1. Right to be informed of the use to which their personal data is to be put;
  2. Right to access their personal data in the custody of the data controller or processor;
  3. Right to object to the processing of all or part of their personal data;
  4. Right to correction of false or misleading data;
  5. Rights to deletion of false or misleading data about them;
  6. Right to withdraw the consent given to data processor or controller at any time;
  7. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject;
  8. Right to object to the processing of their personal data, unless the data controller or data processor demonstrates compelling legitimate interest for the processing which overrides the data subject's interests, or for the establishment, exercise or defence of a legal claim;
  9. Right to receive personal data concerning them in a structured, commonly used and machine-readable format and the right to transmit such data from one data controller to another.

8. Processing by third parties

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with the Privacy Notice and the purposes to which the data subject has limited the processing. The data subject must consent to such transfer via the Privacy Notice.

Subcontracting

Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

The laws do not regulate processing by third parties in detail. According to Article 8 of the CDPL, if the processing of personal data is carried out by virtue of a mandate, the general rules apply. The mandate must be granted in writing and regulate the conditions of use of the data.

The DPA does not prohibit the processing of personal data by third parties but requires that the data subject be informed of any third parties that may have access to their personal data and the safeguards adopted to ensure their data security.

The data processor or controller is also required to provide the third party's contact details to the data subject. This information should be provided before the data is collected.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

The law does not establish specific requirements or restrictions on transfers of personal data abroad.

However, the law contains rules for the automated transmission of data. Article 5 of the law prescribes that the person responsible for the database can establish an automated system for the transmission of personal data, provided that it adequately ensures the rights or interests of the parties involved and such transmission is strictly related to the duties and objectives of the participating entities.

In the case of a request for the transmission of personal data through an electronic network, the following shall be recorded:

  • Identification of the requesting party;
  • Reason and purpose of the request;
  • Type of data transmitted.

The law does not restrict transfers of personal data to third countries.

Since there are no data transfer restrictions, foreign companies mostly rely on the standard contractual clauses or binding corporate rules established under EU legislation.

The transfer of personal data does not require registration/notification or prior approval from a data protection authority or entity (given that this body does not exist).

The following conditions must be satisfied prior to a transfer of personal data out of Kenya:

  1. The data controller or processor must give proof to the Office of the Data Commissioner of the appropriate safeguards for the security and protection of the personal data, including legislative safeguards commensurate with the DPA in Kenya;
  2. The transfer must be necessary:
    1. for the performance of a contract between a data processor or controller and the data subject, or because the data subject has asked the data processor or controller to take specific steps before entering into a contract;
    2. for any matter of public interest;
    3. for the establishment, exercise or defence of a legal claim;
    4. to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    5. for compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects;
  3. The processing of sensitive personal data out of Kenya may only be done with the data subject's consent and with confirmation of appropriate safeguards.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

There is no legal requirement for the appointment of a Data Protection Officer.

A Data Protection Officer may be appointed where:

  • The processing is carried out by a public body or private body, except for courts acting in their judicial capacity;
  • The core activities of the data controller or processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects; or
  • The core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in item 5 above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

There are no legal requirements to take appropriate technical and security measures to protect personal data, but the data processor will always be liable for the damages caused by the leaking of information.

Every data processor or controller must implement appropriate technical and organisational measures to effectively implement the data protection principles and integrate necessary safeguards for data processing. 

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

There is no legal obligation to notify data breach events to any authority.

Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller is required to:

  • Notify the Office of the Data Commissioner without delay; and
  • In certain prescribed circumstances, communicate the occurrence of the breach to the data subject in writing.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Direct marketing is regulated by the Consumer Protection Law. This Law regulates unsolicited commercial marketing communications sent by email to consumers, specifying, among other things, that such communications must contain a valid email address to which the recipient may request the suspension of further communications, also known as an opt-out system. From the moment the recipient requests the suspension of sending further emails, any communication or unsolicited email is prohibited by law.

The DPA does not have specific provisions on direct marketing.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which collect personal data automatically and simultaneously with the data subject's contact with such mechanisms, the data subject must be informed, at the time of that contact, about the use of these technologies and the collection of personal data, as well as the way in which the cookies can be disabled.

The CDPL does not directly regulate the use of cookies or similar technologies. 

The DPA does not have specific provisions on cookies and adtech.

15. Risk scale

Moderate

Low

Severe

Cybersecurity

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

Chile does not have a specific law to regulate cybersecurity. However, many laws regulate some aspects of cybersecurity, for example:

  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity of critical and emergency conditions of the public telecommunications system
  1. Computer Misuse and Cybercrimes Act, No. 5 of 2018 Laws of Kenya, which provides for cybercrime offences;
  2. Kenya Information and Communications Act, No. 2 of 1998 Laws of Kenya, which was enacted to facilitate the development of the information and communications sector and electronic commerce;
  3. Kenya Information and Communications (Consumer Protection) Regulations, 2010, which were passed to protect consumers of ICT services and products;
  4. Data Protection Act, No. 24 of 2019 Laws of Kenya, which makes provision for the regulation of personal data, the rights of data subjects and the obligations of data controllers and processors; and
  5. Guidelines on Cybersecurity for Payment Service Providers, July 2019, which were passed to create a secure cyberspace and combat cybercrime.

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

In October 2018, a bill was introduced to the Senate to strengthen the cybercrime law, adapting the current regulation to the standards of the Budapest Convention. One of the amendments proposed in the bill is the inclusion of any cybercrime as a basis for the criminal liability of legal entities under Law No. 20,393.

If the amendment is approved, legal entities will have to prevent cybercrimes from being carried out by their owners, controllers, executives, representatives or managers. Failure to maintain reasonable preventive measures will expose the legal entity to criminal liability and therefore to the following sanctions:

  • Fines from UTM 400 (an indexed unit of account) to UTM 300,000;
  • Partial or total loss of benefits or absolute prohibition of receiving them for a specified period;
  • Temporary or permanent prohibition to execute contracts with the State of Chile; and
  • Dissolution of the legal entity.

This bill was approved by the Senate and now has moved to the second constitutional procedure. It is likely to be approved in 2021.

There are no anticipated changes in the current cybersecurity legislation in Kenya.

3. Application

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

N/A

Computer Misuse and Cybercrimes Act (the “Act”)

The Act provides for offences relating to computer systems, such as unauthorised access or interference, cyber espionage, cyber harassment, cybersquatting, phishing and cyber terrorism; contains provisions to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes; and facilitates international co-operation in dealing with computer and cybercrime matters.

Kenya Information and Communications Act (the “KICA”)

The KICA was amended in 2019 to provide for the regulation of electronic transactions and cybersecurity by requiring the Communications Authority of Kenya (“CA”) to develop a framework for facilitating the investigation and prosecution of cybercrime offences and to promote and facilitate the efficient management of critical internet resources.

Kenya Information and Communications (Consumer Protection) Regulations (the “Regulations”)

The Regulations set out the rights and obligations of consumers as well as the safeguards that licensed telecommunication service providers should put in place to protect consumer rights. The Regulations require service providers to take appropriate technical and organisational measures to safeguard the security of their services.

Data Protection Act (the “DPA”)

The DPA imposes obligations on data controllers and data processors to provide security measures and mechanisms to ensure the protection of personal data against unlawful destruction, loss, alteration and transfer.

Guidelines on Cybersecurity for Payment Service Providers (the “Guidelines”)

Due to the increased cyber threats against banks, the Central Bank of Kenya (“CBK”) issued the Guidelines to create a safer and more secure cyberspace and establish a coordinated approach to the prevention and combating of cybercrime. The Guidelines set out the minimum standards that Payment Service Providers (“PSPs”) should adopt to develop effective cybersecurity governance and risk management frameworks.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction over sector-specific cybersecurity breaches, e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in the case of cybersecurity breaches in the banking and financial sector.

N/A

5. Key obligations 

Given that there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining or attempting to gain access to a protected system is considered a crime in Mexico, and therefore the injured party may report the crime to Federal Prosecutors.

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

N/A

Computer Misuse and Cybercrimes Act (the “Act”)

  • The Act creates various cybercrime offences by criminalising acts such as unauthorised access or interference, cyber espionage, false publications, child pornography, computer forgery, cyber harassment, cybersquatting, identity theft and impersonation, phishing and cyber terrorism.
  • A person who operates a computer system or a computer network, whether public or private, is required to inform the National Computer and Cybercrimes Co-ordination Committee (the “Committee”) of any attacks, intrusions and other disruptions to the functioning of another computer system or network within 24 hours of such attack, intrusion or disruption.

Kenya Information and Communications (Consumer Protection) Regulations (the “Regulations”)

  • The Regulations require service providers to take appropriate technical and organisational measures to safeguard the security of their services.
  • Where there is a particular risk of a breach of the security of the network, a service provider is required to inform its subscribers of the risk and of any possible remedies where the risk lies outside the scope of the measures that may be taken by the service provider.

Data Protection Act (the “DPA”)

  • Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject, a data controller must notify the Data Commissioner without delay, within 72 hours of becoming aware of the breach.
  • The data controller is also required to inform the data subject of the breach unless a restriction is necessary for purposes of the prevention, detection or investigation of an offence.
  • Offences under the DPA include: disclosure of personal data by data controllers contrary to the purpose for which the data was collected; disclosure of personal data by a data processor without the prior consent of the data controller; obtaining access to personal data without the consent of a data controller or data processor; and offering to sell personal data which has been unlawfully accessed or obtained.

Guidelines on Cybersecurity for Payment Service Providers (the “Guidelines”)

The Guidelines impose broad obligations on PSPs requiring them to:

  1. Submit a Cybersecurity Policy, Strategies and Frameworks to the Central Bank of Kenya (CBK): by December 31, 2019 for Operators registered prior to that date, and during the licence application process for prospective Operators;
  2. Notify the CBK within 24 hours of any cybersecurity incident that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, or on its reputation or financial condition; and
  3. Provide the CBK with a quarterly report on the occurrence and handling of cybersecurity incidents.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infection of IT systems with malware, identity theft and fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime.

N/A

Administrative sanctions:
  • DPA

Under the DPA, the Data Commissioner may serve an enforcement notice on a person who has failed to comply with any provision of the DPA. 

The Data Commissioner may also serve a penalty notice to a person who has failed to comply with an enforcement notice requiring the person to pay the amount specified in the notice.

The maximum amount of the penalty is up to KES 5m or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower.

  • KICA

Under the Kenya Information and Communications (Consumer Protection) Regulations, the Communications Authority may impose fines of up to KES 300,000.

Criminal sanctions:
  • Computer Misuse and Cybercrimes Act

Upon conviction, an offender may be liable for a fine ranging from KES 3m to KES 25m and/or a jail term of between three and 25 years.

  • DPA

The general penalty for committing an offence under the DPA is a fine not exceeding KES 3m, or an imprisonment term of ten years, or both.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

The authority responsible for the prevention of and response to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard), or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

The National Cybersecurity Centre (which is part of GCHQ) does not regulate the NIS Regulations but has a role in providing technical support and guidance by the following:

  • a Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified or suspected of having a cybersecurity aspect;
  • being a Technical Authority on Cyber Security – to support OESs and CAs with advice and guidance, and to act as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services;
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and
    • implementation of guidance and support to CAs.

The National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC) was established by the Communications Authority of Kenya as part of its mandate to develop a national cybersecurity management framework through the establishment of a national computer response team.

The National KE-CIRT/CC’s mandate is to coordinate responses, manage cybersecurity incidents nationally and collaborate with relevant actors locally, regionally and internationally. Its functions include:

  1. Implementation of national cybersecurity policies, laws and regulations;
  2. Cybersecurity awareness and capacity building;
  3. Early warning and technical advisories on cyber threats on a 24/7 basis;
  4. Technical co-ordination and response to cyber incidents on a 24/7 basis in collaboration with various actors locally and internationally;
  5. Development and implementation of a National Public Key Infrastructure;
  6. Research and development in cybersecurity;
  7. Promotion and facilitation of the efficient management of critical internet resources.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

Yes, see above.

Yes, see above.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

No.

The National Cybersecurity Strategy developed by the Ministry of Information, Communication and Technology (ICT) defines Kenya’s cybersecurity vision, key objectives, and ongoing commitment to support national priorities by encouraging ICT growth and aggressively protecting critical information infrastructures.

The Strategy contains four goals:

  1. Enhance the nation’s cybersecurity posture in a manner that facilitates the country’s growth, safety and prosperity;
  2. Build national capability by raising cybersecurity awareness and developing Kenya’s workforce to address cybersecurity needs;
  3. Foster information sharing and collaboration among relevant stakeholders to facilitate an information sharing environment focused on achieving the Strategy’s goals and objectives;
  4. Provide national leadership by defining the national cybersecurity vision, goals and objectives and coordinating cybersecurity initiatives at the national level.

Additionally, the Communications Authority (CA) has published the General Information Security Best Practice Guide, intended for adoption by Kenyan organisations and users across all sectors to help them deal with common information security challenges.

The Guide proposes recommendations for common information security challenges such as online safety, unauthorised access, infringement of intellectual property and trade secrets, malware, cloud computing, wireless networks, mobile security, identity theft and fake news.

Héctor González Martínez
Senior Associate
Mexico City

Diego Rodríguez, LL.M.
Partner
Santiago

Samson Oduol
Partner
Nairobi

Brian Gatuguti
Associate
Nairobi

Jessica Mutemi