CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

Mexico

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulations came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and the obtaining of consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects, which governs personal data held by public bodies; and
  • The Federal Consumer Protection Law, which governs certain aspects of marketing activities.

Additionally, Mexico is a signatory of international agreements on Data Protection, such as the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.

South Africa

The main data protection legislation is the Protection of Personal Information Act 4 of 2013 (“POPI”), a comprehensive piece of data protection legislation that is comparable to the GDPR.

POPI came into effect on 1 July 2020. Businesses must ensure POPI compliance by no later than 30 June 2021.

POPI applies to the processing of personal information entered into a record by or for a responsible party (referred to as a data controller in the GDPR) by making use of automated or non-automated means, where the responsible party is domiciled in South Africa. 

If not domiciled in South Africa, POPI applies if that responsible party makes use of automated or non-automated means in South Africa (unless those means are used only to forward personal information through South Africa).

‘Automated means’ is defined as any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

‘Responsible party’ is defined as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. 

Singapore

The Personal Data Protection Act 2012 (PDPA) is the data protection law that governs the collection, use, disclosure and handling of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA also provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.

Key subsidiary legislation that operates alongside the PDPA includes the Personal Data Protection Regulations 2021, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the Personal Data Protection (Do Not Call Registry) Regulations 2013.

Personal Data Protection Act 2012: https://sso.agc.gov.sg/Act/PDPA2012

2. Data protection authority

Mexico

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI") is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities and budgets, as well as to protect personal data and the right to privacy.

The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation by a specific undertaking, and may sanction those found to be in breach of the Data Protection Legislation.

South Africa

Information Regulator (South Africa)

Singapore

The Personal Data Protection Commission (PDPC)

3. Anticipated changes to local laws

Mexico

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

South Africa

There are no anticipated changes.

Singapore

The following changes to the PDPA have been passed by Singapore’s Parliament, but have not yet come into effect:

  • Data portability – a mandatory obligation for organisations to provide an individual’s data, at the individual’s request, to another organisation in a commonly used machine-readable format;
  • Derived personal data – provisions which exempt organisations from the proposed data portability obligation, and from the obligations to provide an individual with access to or to correct personal data at the individual’s request, in respect of “derived personal data” (i.e. new data that is created through the processing of other data by applying business-specific logic or rules); and
  • Higher penalties – an increase in the financial penalties that may be imposed on organisations: in the case of a breach of the data protection provisions, 10% of annual turnover in Singapore or SGD 1m, whichever is higher; and in the case of a breach of the prohibitions on the use of dictionary attacks and address-harvesting software, 5% of annual turnover in Singapore or SGD 1m, whichever is higher.

4. Sanctions & non-compliance

Mexico

The INAI has the authority to impose the following administrative fines (1 unit of measure = MXN 86.88, Mexican Pesos):

  • 100 to 160,000 units of measure for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such data exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive or fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested that such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection;
    • Creating sensitive data databases in violation of the Data Protection Law.

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

South Africa

Non-compliance with POPI may result in complaints, Information Regulator audits and/or orders, administrative fines, as well as civil and/or criminal proceedings.

Administrative sanctions: 

The Information Regulator may deliver an infringement notice to a responsible party alleged to have committed an offence. 

The infringement notice will specify the amount of the administrative fine payable. This may not exceed ZAR 10m.

Factors that will be considered when determining an appropriate fine include:

  • the nature of the personal information involved;
  • the duration and extent of the contravention;
  • the number of data subjects affected or potentially affected by the contravention;
  • the likelihood of substantial damage or distress;
  • whether the responsible party or a third party could have prevented the contravention from occurring; and
  • whether the responsible party has previously committed an offence in terms of POPI.

Criminal sanctions:

This will depend on the nature of the specific offence. Generally, a person convicted of an offence may be liable to a fine or to imprisonment for a period of up to ten years, or to both a fine and imprisonment.

Others:

A data subject or the Information Regulator (at the request of the data subject), may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of POPI. A court hearing the proceedings may award an amount that is just and equitable.

Singapore

Administrative sanctions:
  • In relation to the enforcement of the data protection provisions, the PDPC may issue fines of up to SGD 1m for each breach.
  • In relation to the enforcement of the DNC Registry provisions and the prohibition on the use of dictionary attacks and address-harvesting software, the PDPC may issue a fine not exceeding SGD 200,000 in the case of an individual, and not exceeding SGD 1m in any other case.
  • The PDPC may also issue directions for non-compliance, including directions to stop the collection, use or disclosure of personal data, and to destroy personal data collected.
Criminal sanctions:
  • Imprisonment for a term not exceeding:
    • Two years – for knowing or reckless unauthorised disclosure of personal data; knowing or reckless unauthorised use of personal data for a gain or to cause harm or loss to another person; or knowing or reckless unauthorised re-identification of anonymised information;
    • 12 months – for an unauthorised request to access or correct personal data about another individual; obstructing or hindering the PDPC in the exercise of its powers or duties; a knowing or reckless false statement made to the PDPC; or knowing attempts to mislead the PDPC; or
    • Six months – for neglect or refusal to provide any information or produce any document to the PDPC, or to attend before the PDPC, without reasonable excuse; or unauthorised use of a symbol or representation identical to or resembling that of the PDPC.
  • Criminal fines may also be imposed and vary depending on the specific offence, although in general they do not exceed SGD 10,000 in the case of individuals, and SGD 100,000 in the case of organisations.
Others:
  • Individuals have a private right of action and may seek relief by way of injunction, declaration or damages for loss or damage suffered directly as a result of a contravention of the PDPA.

5. Registration / notification / authorisation

Mexico

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

South Africa

Registration

Businesses are required to register their respective Information Officers (referred to as Data Protection Officers in the GDPR).

Notification

Generally, there is no obligation to notify the Information Regulator of each and every data processing activity. However, in certain instances prior authorisation must be obtained from the Information Regulator for particular processing activities (see below).

Authorisation

Processing of special personal information

There is a general prohibition on the processing of special personal information. This information includes:

  • the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
  • the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings. 

POPI contains a general authorisation in terms of which the prohibition on processing special personal information does not apply. These are instances where the:

  • processing is carried out with the data subject’s consent;
  • processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • processing is necessary to comply with an obligation of international public law;
  • processing is for historical, statistical or research purposes subject to certain requirements being met;
  • information has deliberately been made public by the data subject; or
  • provisions of sections 28 to 33 of POPI (as may be applicable) are complied with.

The Information Regulator may also (upon application by a responsible party) authorise a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject.

Processing of personal information of children

There is a general prohibition on the processing of personal information concerning a child.

However, there is a general authorisation in terms of which this prohibition does not apply. These are instances where the processing is:

  • carried out with the prior consent of a competent person;
  • necessary for the establishment, exercise or defence of a right or obligation in law;
  • necessary to comply with an obligation of international public law;
  • for historical, statistical or research purposes subject to certain requirements being met; or
  • of personal information which has deliberately been made public by the child with the consent of a competent person.

The Information Regulator may (upon application by a responsible party) authorise a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child.

Prior authorisation

A responsible party must obtain prior authorisation from the Information Regulator before any processing if it plans to:

  • process any unique identifiers of data subjects: (i) for a purpose other than the one for which the identifier was specifically intended at collection; and (ii) with the aim of linking the information together with information processed by other responsible parties;
  • process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
  • process information for the purposes of credit reporting; or
  • transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

A responsible party is required to notify the Information Regulator if the processing of any personal information is subject to prior authorisation. 

Singapore

There is no requirement for organisations to register with the PDPC. However, voluntary registration of the Data Protection Officer is encouraged.

6. Main obligations and processing requirements

Mexico

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is presumed to be met when the personal data is provided directly by the data subject; if not, the Data Controller must take the measures and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, up to date and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers are responsible for the processing of personal data in their custody, as well as for data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

South Africa

There are eight conditions for the lawful processing of personal information.

Accountability

  • The conditions for the lawful processing of personal information must be met.    

Processing limitation 

  • Processing must be done in a reasonable and lawful manner that does not infringe the privacy of a data subject. 
  • Processing must be adequate, relevant and not excessive.
  • Personal information may only be processed if:
    • the data subject has consented;
    • processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
    • processing complies with an obligation imposed by law;
    • processing protects the legitimate interest of the data subject;
    • processing is necessary for the proper performance of a public law duty by a public body; or 
    • processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
  • Personal information must be collected directly from the data subject. However, there are certain exceptions to this.

Purpose specification 

  • Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party;
  • Records of personal information must not be retained any longer than is necessary for achieving the purpose for which it was collected or subsequently processed. However, there are certain exceptions to this. 

Further processing limitation

  • Further processing must be in accordance or compatible with the purpose for which the personal information was initially collected.

Information quality

  • Reasonably practicable steps must be taken to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

Openness 

  • Documentation of all processing operations must be maintained.
  • Reasonably practicable steps must be taken to notify a data subject of, amongst others, the information being collected (or the source, if not collected from the data subject), the purpose for collection, the name and address of the responsible party, whether the supply of the information is voluntary or mandatory, and the consequences of a failure to provide the information.   

Security safeguards

  • Appropriate, reasonable technical and organisational measures must be taken to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.     

Data subject participation

  • A data subject has the right to, amongst others, request confirmation of whether or not the responsible party holds his, her or its personal information as well as the record or a description of the personal information that is held;
  • A data subject has a right to request (in certain instances) the correction and/or deletion of the data subject’s personal information. 

Singapore

Organisations, wherever located, that process personal data of individuals in Singapore are required to comply with the PDPA.

The PDPA sets out ten main data protection obligations which are to be complied with when processing personal data.

Under the PDPA, to collect and process personal data lawfully, organisations must comply with the following obligations:

  1. Consent Obligation – to obtain the consent of the individual; 
  2. Purpose Limitation Obligation – to collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent;
  3. Notification Obligation – to notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data;
  4. Access and Correction Obligation – upon request, provide the individual’s personal data and information about the ways in which it has been or may have been used or disclosed, and correct any error or omission in an individual’s personal data;
  5. Accuracy Obligation – make reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete;
  6. Protection Obligation – make reasonable security arrangements to protect the personal data that the organisation possesses or controls;
  7. Retention Limitation Obligation – cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose;
  8. Transfer Limitation Obligation – ensure that the standard of protection provided to the personal data transferred to another country will be comparable to the protection under the PDPA; 
  9. Data Breach Notification Obligation – assess whether a data breach is notifiable and notify the affected individuals and/or PDPC where it is assessed to be notifiable; and
  10. Accountability Obligation – implement policies and procedures to meet its obligations under the PDPA, make information about its policies and practices publicly available, and appoint a data protection officer.

Organisations that have contracted to process personal data on behalf of another organisation may be considered a “data intermediary”.

A data intermediary that processes personal data pursuant to a written contract is only responsible for the Protection Obligation, the Retention Limitation Obligation and the Data Breach Notification Obligation: protecting the personal data in its care, ensuring that the personal data is not retained by the data intermediary when there is no longer a business or legal need to do so, and notifying the organisation or public agency on whose behalf it is processing personal data where the data intermediary discovers that a data breach has occurred.

7. Data subject rights

Mexico

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers may refuse such erasure (e.g. if retention is required by applicable law or in the public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

South Africa

Under POPI, data subjects have the following rights:

  • Right to have personal information processed in accordance with the conditions for the lawful processing of personal information;
  • Right to be notified regarding collection or unauthorised acquisition/access;
  • Right of access by the data subject;
  • Right to rectification or erasure;
  • Right to object to processing;
  • Right to object to processing for purposes of direct marketing;
  • Right not to have personal information processed for purposes of direct marketing by means of unsolicited electronic communications except when consent is given or data subject is a customer of the responsible party (subject to certain requirements being met);
  • Right not to be subject to a decision based solely on automated processing, including profiling;
  • Right to submit a complaint to the Information Regulator;
  • Right to institute civil proceedings regarding alleged interference with the protection of personal information.

Singapore

Under the PDPA, individuals have the following rights:

  • private right of action for direct loss or damage suffered directly as a result of the contravention of the PDPA; 
  • right to ask the organisation to provide the contact of a person who can answer, on behalf of the organisation, their questions about the collection, use or disclosure of the personal data;
  • right to withdraw their consent for the collection, use or disclosure of their personal data by an organisation at any time, with reasonable notice;
  • right to request access to their personal data that an organisation possesses or controls, including to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request;
  • right to request an organisation to correct an error or omission in their personal data; and
  • right to file a complaint.

8. Processing by third parties

Mexico

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with the Privacy Notice and the purposes to which the data subject has limited the processing. The data subject must consent to such transfer via the Privacy Notice.

Subcontracting

Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

South Africa

An operator (referred to as a data processor in the GDPR), or anyone processing personal information on behalf of a responsible party or an operator, is required to process such information only with the knowledge or authorisation of the responsible party.

They are also required to treat personal information which comes to their knowledge as confidential and not disclose it, unless required by law or in the course of the proper performance of their duties. 

A written contract between the responsible party and the operator is required to be entered into to ensure that the operator establishes and maintains the security measures required in terms of POPI.

The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

An operator is defined in POPI as a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

Singapore

An organisation must observe the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself.

Data intermediaries that process personal data on behalf of and for the purposes of another organisation pursuant to a written contract will only be subject to the Protection Obligation, the Retention Obligation and the Data Breach Notification Obligation.

9. Transfers out of country

Mexico

International transfers of personal data must be consented to by the data subject, and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

South Africa

A responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless one or more of the following conditions apply:

  • that third party is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that:
    • upholds principles for reasonable processing that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject; and
    • includes provisions that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
  • the data subject consents to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the responsible party;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
  • the transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the data subject’s consent, and, if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

There is a limitation on transfers of personal data outside Singapore unless certain conditions are met. Transfers of personal data outside Singapore require the recipient of the personal data to provide safeguards equivalent to or greater than the requirements under the PDPA. The PDPA does not provide a white-list of countries that are deemed to have equivalent protection.

As such, organisations may transfer personal data overseas if they have taken appropriate steps to comply with the data protection provisions in respect of the transferred personal data while such personal data remains in their possession or control. When the personal data is transferred to a recipient outside of Singapore, organisations need to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA. Such legally enforceable obligations include obligations imposed under law, any contract or binding corporate rules. In addition, organisations and data intermediaries that are certified under the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System are deemed to be bound by legally enforceable obligations for the purpose of transfers of personal data outside Singapore. 

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

The Data Protection Officer is referred to as an Information Officer in POPI.

The Information Officer has responsibilities in terms of both POPI and the Promotion of Access to Information Act No 2 of 2000 (“PAIA”).

The Information Officer of a juristic person that is a private body is the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or a person acting as such (or any person duly authorised by such acting person).

Information Officers are required to be registered with the Information Regulator.

The Information Officer’s duties and responsibilities include:

  • the encouragement of compliance with the conditions for the lawful processing of personal information;
  • dealing with requests made to the organisation pursuant to POPI;
  • working with the Information Regulator in relation to investigations conducted in relation to the organisation;
  • ensuring compliance by the organisation with the provisions of POPI; and
  • any other duties as may be prescribed.

Organisations are required to designate at least one individual, known as the Data Protection Officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA. 

The business contact information of the DPO must be made available to the public. Although not a legal requirement, in practice the PDPC requests that the DPO’s details be registered with it.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (5) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

The integrity and confidentiality of personal information is required to be secured by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.

These measures include:

  • identifying all reasonably foreseeable internal and external risks;
  • establishing and maintaining appropriate safeguards against the risks identified;
  • regularly verifying that the safeguards are effectively implemented; and
  • ensuring that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Due regard must be given to generally accepted information security practices and procedures which may apply to a responsible party generally or be required in terms of specific industry or professional rules and regulations.

Organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, and the loss of any storage medium or device on which personal data is stored.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

A responsible party is required to notify the Information Regulator and the data subject (unless the identity of the data subject cannot be established) when there are reasonable grounds to believe that the personal data of that data subject has been accessed or acquired by any unauthorised person. 

The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

Organisations are required to assess whether a data breach is notifiable, and to notify the affected individual(s) (where required) and/or the PDPC where the data breach is assessed to be notifiable. A data breach is assessed to be notifiable where: 

  • the data breach is of a significant scale, i.e. it involves the personal data of 500 or more individuals; or
  • the data breach causes significant harm to affected individual(s) where the compromised personal data relates to: 
    • the individual’s full name, alias or identification, in combination with: (a) financial information that is not publicly disclosed; (b) identification of vulnerable individuals; (c) life, accident and health insurance information that is not publicly disclosed; (d) specified medical information; (e) information related to adoption matters; or (f) a private key used to authenticate or sign an electronic record or transaction; or
    • the individual’s account identifier together with the data required to access the account.

Organisations must notify the PDPC as soon as practicable, but no later than 72 hours after it makes the assessment that a data breach is notifiable. Where required to notify the affected individual(s), the notification by organisations must be as soon as practicable (at the same time or after notifying the PDPC). 

In addition, data intermediaries that process personal data on behalf of and for the purposes of another organisation or a public agency are not required to assess whether the breach is notifiable or to notify the PDPC, but are required to notify that other organisation or public agency when a potential or actual data breach is detected without undue delay. 

Sector specific regulation, such as the Notices and Guidelines on Technology Risk Management issued by the Monetary Authority of Singapore, may also require breach notification under different timelines. 

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or email, is prohibited unless the data subject has consented to it or is a customer of the responsible party.

Personal information of a data subject who is a customer of the responsible party may only be processed:

  • if the contact details of the data subject are obtained in the context of the sale of a product or service;
  • for the purpose of direct marketing of the responsible party’s own similar products or services; and
  • if the data subject has been given a reasonable opportunity to object to such use of his, her or its electronic details, both at the time when the information was collected and on the occasion of each communication with the data subject for the purpose of marketing (if the data subject has not initially refused such use).

The DNC provisions of the PDPA generally prohibit organisations from sending marketing messages (in the form of voice calls, text or fax messages) of a commercial nature to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, registered with the DNC Registry, unless the consumer has provided their clear and unambiguous consent in written or other accessible form for sending the marketing message to the Singapore telephone number.

The organisation may still send a direct marketing message where the sole purpose of the message is: 

  • to facilitate, complete or confirm an earlier transaction between the sender and recipient; 
  • to provide warranty information, product recall information, or safety or security information with respect to a product/service purchased by the recipient;
  • to deliver goods or services that the recipient is entitled to receive under an existing transaction; or 
  • related to the subject matter of an ongoing relationship between the sender and the recipient. 

Individuals may subsequently opt out of receiving direct marketing messages. Upon receiving an individual’s opt-out request, the organisation must stop sending such messages to that individual's telephone number 21 days after the opt-out.

Under the PDPA, organisations are not permitted to send, cause to be sent or authorise to send any message with a Singapore link to telephone numbers generated or obtained through the use of a dictionary attack or address harvesting software. This prohibition also applies with respect to electronic messages generated or obtained through the use of a dictionary attack or address harvesting software under the Spam Control Act. 

In addition, under the Spam Control Act, organisations are prohibited from sending, causing to be sent or authorising the sending of any unsolicited commercial electronic messages in bulk if they do not comply with the statutory conditions (e.g. the message needs to include an email address to which the recipient may submit an unsubscribe request).

14. Cookies and adtech

When the Data Controller uses remote or local electronic, optical or other technological communication mechanisms that collect personal data automatically at the moment the data subject makes contact with them, the data subject must be informed, at the time of that contact, that these technologies are in use and that personal data is being obtained, and must be told how the cookies can be disabled.

POPI does not specifically mention cookies. However, to the extent that cookies collect personal information, the requirements regarding the processing of personal information in POPI need to be complied with.

Generally, organisations must:

  • notify users that cookies are used;
  • explain what the cookies are used for and why;
  • get the user’s consent to store a cookie on their device unless the cookie is strictly necessary (essential) for the operation of the organisation’s website.

The PDPA applies to the collection, use or disclosure of personal data using cookies.

However, consent is not required for cookies that:

  • do not collect personal data; and
  • are used for internet activities clearly requested by the user, where the individual is aware of the purposes of such collection, use and disclosure and has voluntarily provided his personal data for such purposes.

If the individual configures his browser to accept certain cookies but reject others, he may be found to have consented to the collection, use and disclosure of his personal data by the cookies he has chosen to accept. In such a circumstance, the PDPC has confirmed that consent can be implied. However, the failure of an individual to actively manage his browser settings does not imply that he has consented to the collection, use and disclosure of his personal data.

15. Risk scale

Mexico: Moderate

South Africa: Severe

Singapore: Moderate

Cybersecurity

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

There is currently no dedicated cybersecurity statute in South Africa. Provisions relating to cybersecurity are fragmented and found in various pieces of legislation.

The Electronic Communications and Transactions Act No 25 of 2002 (“ECTA”) contains several provisions specifically addressing cybercrime.

The Regulation of Interception of Communications and Provision of Communication-related Information Act No 70 of 2002 (“RICA”) is aimed at, amongst others, regulating the interception of certain communications. 

The Criminal Procedure Act No 51 of 1977 (“CPA”) contains provisions dealing with the investigation and prosecution of crimes (including cybercrimes) in South Africa.

POPI promotes the protection of personal information processed by public and private bodies and introduces certain conditions to establish minimum requirements for the processing of personal information. See “Data Protection” section above for full details of data protection laws.

The Cybersecurity Act 2018 governs the prevention, management and response to cybersecurity threats and incidents, and regulates owners of critical information infrastructure and cybersecurity service providers. The provisions generally apply to any critical information infrastructure, computer and computer system located wholly or partly in Singapore. The provisions also apply to the Singapore Government, except that the Singapore Government will not be liable to prosecution for an offence. 

The related regulations and code of practice that operate alongside the Cybersecurity Act 2018 are the Cybersecurity (Critical Information Infrastructure) Regulations 2018, Cybersecurity (Confidential Treatment of Information) Regulations 2018 and the Cybersecurity Code of Practice for Critical Information Infrastructure. 

The Computer Misuse Act (CMA) is the principal legislation on cybercrimes. The CMA applies to any person regardless of nationality and citizenship, outside as well as within Singapore, where the accused, computer program or data was in Singapore at the material time of the offence or the offence causes or creates a significant risk of serious harm in Singapore.  

Local cybersecurity laws also include sector-specific rules, such as guidelines and notices issued by the Monetary Authority of Singapore for the financial sector (MAS rules). 

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

The Cybercrimes Bill is one step away from becoming law, having been passed by the Parliament of South Africa on 2 December 2020. It is unclear at this stage when the president will sign this Bill.

The Cybercrimes Bill, once it becomes law, will be a comprehensive statute regulating cybercrime in South Africa. It contains comprehensive provisions addressing cybercrime and criminalises, amongst others, the following offences:

  • unlawful access to data, a computer program, a computer data storage medium or a computer system (commonly known as ‘hacking’);
  • unlawful interception of data;
  • the unlawful and intentional use or possession of software and hardware tools that are used in the commission of cybercrimes;
  • cyber fraud;
  • cyber extortion;
  • cyber forgery and uttering; and
  • malicious communications. This is the distribution of data messages with the intention to incite the causing of damage to any property belonging to, or to incite violence against, or to threaten a person or group of persons, including the distribution of “revenge porn”.

The Cybercrimes Bill also contains provisions dealing with, amongst others, the investigation of cybercrimes, the provision of mutual assistance between States, as well as reporting obligations of electronic communications service providers and financial institutions.

Cybersecurity Act 2018: Provisions relating to the licensing of cybersecurity service providers are not yet in effect. The Cyber Security Agency of Singapore has stated that the implementation of the licensing framework will be communicated at a later date.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

ECTA

ECTA applies in respect of any electronic transaction or data message. It criminalises, amongst others, the unauthorised access to, interception of or interference with data as well as computer related extortion, fraud and forgery. 

RICA

RICA contains a general prohibition on the interception of direct and indirect communications. This prohibition is subject to certain exceptions which includes, amongst others, the interception of communication by a party to a communication, under an interception direction, with the consent of a party to a communication, in connection with carrying on a business, to prevent serious bodily harm or for the purposes of determining a location in the case of an emergency.

POPI

POPI applies to the processing of personal information entered into a record by or for a responsible party by making use of automated or non-automated means, where the responsible party is domiciled in South Africa. If not domiciled in South Africa, POPI applies if that responsible party makes use of automated or non-automated means in South Africa (unless those means are used only to forward personal information through South Africa).

  • Cybersecurity Act 2018: The Cybersecurity Act 2018 requires and authorises the taking of measures to prevent, manage and respond to cybersecurity threats and incidents; regulates owners of critical information infrastructures (CIIs); establishes the framework for the sharing of cybersecurity information; and regulates cybersecurity service providers. It also provides the regulator with the power to investigate cybersecurity threats or incidents in order to determine their impact, prevent further harm and future incidents. These investigative powers can be delegated to authorised persons, and can be exercised in respect of any computer or computer system in Singapore; not only CIIs. The level of intrusiveness of such powers that can be exercised will depend on the severity of the situation.
  • CMA: The CMA makes provision for securing computer material against unauthorised access or modification, and to require or authorise the taking of measures to ensure cybersecurity. In particular, the CMA criminalises cybercrime such as ecommerce scams and hacking, and also makes it illegal for: (a) any person to provide or receive personal information which he suspects was obtained through unauthorised means; and (b) any person to deal with items designed for, adapted to and used to commit computer crimes, including hardware and software (e.g. computer programmes, passwords or access codes).
  • MAS Rules: The MAS Rules, amongst other things, require regulated entities to: (a) conduct system and penetration testing; (b) continuously monitor and detect network and other types of cyber intrusions; and (c) require the board and senior management of the regulated entities to effectively implement that entity’s cyber resilience programme.

4. Authority

The primary authorities in charge of responding to any cybersecurity issue are the National Guard (formerly the Federal Police, which has now been formally, though not yet fully in practice, integrated into the National Guard) and the Ministry of Public Security. In addition, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

POPI

Information Regulator (South Africa): https://www.justice.gov.za/inforeg/

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

RICA

Before a telecommunication service provider enters into a contract with any person for the provision of a telecommunication service to that person, it is required to obtain certain information (as detailed more fully in RICA) from that person and take steps to verify that information. The relevant telecommunication service provider is required to ensure that proper records of such information are kept.

An electronic communications service provider who provides mobile cellular electronic communications services may not activate a SIM card on its electronic communications system unless it implements a process to record and store and does record and store:

  • the Mobile Subscriber Integrated Service Digital Network number (MSISDN number) of the SIM card that is to be activated;
  • the full names and surname, identity number, country where the passport was issued (in the case of a non South African citizen) and at least one address of the person who requests that a SIM card be activated on that electronic communications service provider’s electronic communication system;
  • the full names, surname, identity number and an address of the authorised representative of a juristic person as well as the name and address of the juristic person (and, where applicable, the registration number of the juristic person), in the case of a juristic person.

The electronic communications service provider is required to verify the information collected. Furthermore, the electronic communications service provider must ensure that the information recorded and stored as well as the facility in or on which the information is recorded and stored, are secure and only accessible to persons specifically designated by that electronic communications service provider.

POPI

See “Data Protection” section above.

Cybercrimes Bill

When the Cybercrimes Bill becomes law, an electronic communications service provider or a financial institution that is aware or becomes aware that its computer system is involved in the commission of any of the cybercrime offences set out in the Cybercrimes Bill, will be required to report the offence to the South African Police Service without undue delay and, where feasible, not later than 72 hours after having become aware of the offence.

Cybersecurity Act 2018:

  • Owners of critical information infrastructure must: (a) comply with codes and directions; (b) conduct audits and risk assessments; (c) report cybersecurity incidents; and (d) participate in cybersecurity exercises; and
  • Certain cybersecurity service providers will need to be licensed.

CMA:

  • The following activities are prohibited: (a) unauthorised access or modification of computer material; (b) unauthorised use or interception of computer services; (c) obstructing the use of computers; (d) unauthorised disclosure of computer access codes; (e) providing, receiving or supplying personal information which the person knows or suspects was obtained through unauthorised means; and (f) dealing with items designed for, adapted to and used to commit computer crimes.

MAS Rules:

  • Establish methodologies for system testing, conduct penetration testing and source code review, and enable recovery measures and user access controls;
  • Board and senior management of regulated entities are to: (a) ensure an appropriate accountability structure and organisational risk culture is in place, and (b) be trained in technology risk and cybersecurity;
  • Notify the MAS of breaches of security and confidentiality of financial institutions’ customer information (MAS Notices and Guidelines on Technology Risk Management and the MAS Guidelines on Outsourcing); and
  • Implement cybersecurity measures to protect IT systems, and prevent and mitigate against cyberattacks (MAS Notices on Cyber Hygiene).

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Administrative sanctions:

POPI

See “Data Protection” section above.

Criminal sanctions:

ECTA

This would ultimately depend on the nature of the offence and may include liability to a fine or imprisonment for a period of up to five years.

RICA

This would ultimately depend on the nature of the offence and may include liability to a fine not exceeding ZAR 2m or to imprisonment for a period not exceeding ten years. In certain instances, in the case of a telecommunication service provider, liability may include a fine not exceeding ZAR 5m.

POPI

See “Data Protection” section above.

Others: 

ECTA

Any person who has suffered damages as a result of a contravention of any of the provisions of ECTA may, depending on the circumstances of the case, institute a civil claim for damages suffered against the wrongful party. 

RICA

Any person who has suffered damages as a result of a contravention of any of the provisions of RICA may, depending on the circumstances of the case, institute a civil claim for damages suffered against the wrongful party.

POPI

See “Data Protection” section above. 

Administrative sanctions:

Cybersecurity Act 2018: 

  • Fines not exceeding SGD 10,000 for each contravention or non-compliance which is not an offence, but not exceeding SGD 50,000 in aggregate.

Criminal sanctions:

Cybersecurity Act 2018:

  • Varies depending on the specific offence; in general, a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding two to ten years (depending on the offence), or both.

CMA:

  • A criminal fine not exceeding SGD 50,000 or imprisonment for a term not exceeding ten years or both; and
  • In respect of protected computers, a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding 20 years or both.

Others:

CMA: 

  • Compensation for damage caused to computer, programme or data. 

MAS Rules:

  • Varies depending on the type of regulatory instrument that sets out the specific rules (e.g. directives, guidelines, notices or circulars). For example, the contravention of guidelines is not a criminal offence and does not attract civil penalties, but may have an impact on the regulator’s overall risk assessment of that entity and on the renewal of licences issued by the regulator. Circulars, on the other hand, are documents sent for the relevant entities’ information and have no legal effect. Notices primarily impose legally binding requirements on a specified class of financial institutions or persons.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for preventing and responding to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard), also known as CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

The Electronic Communications Security - Computer Security Incident Response Team (ECS_CSIRT) serves as the South African Government Security Incident Response Team. Its core services are primarily offered to Organs of State, with the intention to create a single point of contact, where the constituency can obtain CSIRT services and receive assistance on cybersecurity issues.

The Cybersecurity Hub is South Africa’s National Computer Security Incident Response Team (CSIRT) and strives to make Cyberspace an environment where all residents of South Africa can safely communicate, socialise, and transact in confidence. It achieves this by working with stakeholders from government, the private sector, civil society and the public with a view to identifying and countering cybersecurity threats. It is mandated by the National Cybersecurity Policy Framework (NCPF) which was passed by Cabinet in March 2012.

Yes, the Singapore Computer Emergency Response Team (SingCERT) responds to cybersecurity incidents for its Singapore constituents. It was set up to facilitate the detection, resolution and prevention of cybersecurity-related incidents on the Internet.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

Yes, see above.

According to Singapore’s Cybersecurity Strategy, the National Cyber Security Centre (part of the CSA) will coordinate with sector regulators to provide a national level response and facilitate quick alerts to cross-sector threats.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

The National Cybersecurity Advisory Council is mandated to:

  • advise the Minister of Telecommunications and Postal Services on policy, legal and technical issues as well as other matters pertinent to cybersecurity in line with the Department’s roles and responsibilities as outlined in the NCPF, the establishment and operationalisation of the national Cybersecurity Hub and the alignment and adoption of standards in South Africa;
  • promote and encourage coordinated public-private partnerships on issues regarding cybersecurity, including threat and risk information in South Africa pursuant to building confidence and trust in the secure use of ICTs;
  • develop an annual report on, amongst others, cybersecurity risk assessment measured against international best practices, measures available to promote the culture of cybersecurity, recommendations on how South Africa will enhance prevention and address threats and vulnerabilities; and
  • investigate and report on other matters that may be referred to the Council by the Minister.

Singapore’s Cybersecurity Strategy sets out Singapore’s vision, goals and priorities for cybersecurity. It engenders coordinated action and facilitates international partnerships for a resilient and trusted cyber environment.

Héctor González Martínez
Senior Associate
Mexico City
Zaakir Mohamed
Partner
Johannesburg
Sheena Jacob