By Mayra Cavazos, Senior Consultant, Tueoris, LLC
The European Union (EU) General Data Protection Regulation (GDPR) has impacted businesses around the world in a variety of different ways, influenced in part by the locations of the businesses. For businesses with headquarters or major operations in Mexico, GDPR has created not only a new set of compliance obligations, but also a new set of opportunities – particularly when viewed in the context of current conservative US approaches to trade. The Federal Law on the Protection of Personal Data held by Private Parties (“the Mexican Data Protection Act”), issued in 2010, established data privacy requirements that, if Mexican entities made the effort to gain compliance, would leave them not only well-prepared for GDPR compliance, but also well-situated to take advantage of these new opportunities. Many Mexican businesses, however, took a passive approach to compliance with the Mexican Data Protection Act and have followed the same approach with GDPR. Conversely, north of the border in the US, many businesses took a more proactive approach to GDPR compliance, driven in large part by concerns over large fines and damage to reputation.
The current, somewhat protectionist, US trade landscape has opened a door for Mexican multinational entities to compete with their US neighbors, potentially attracting foreign investment in order to grow businesses and foster innovation. That opportunity can be significantly enhanced if Mexican companies promote enhanced privacy rights that are reflective not only of the Mexican Act, but of GDPR as well. Additionally, Mexico’s recent ratification of the EU’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (“the Convention”) gives Mexico a new and unique business advantage.
In order to leverage these advantages, Mexican companies must leave behind the pervasive skepticism towards local and international enforcement and move toward privacy models that reflect regulatory requirements as well as data subject expectations.
An Evolving Regulatory Landscape and the Mexican Reactive Response
Prior to the Mexican Data Protection Act coming into effect, Mexico did not have a comprehensive law regulating the use of personal data. While the protection of personal data was included in Mexico’s Political Constitution as a fundamental right in 2007, it remained regulated, to largely varying degrees, by each Mexican state, until the Act was published. The Act reflected a European view toward privacy and data protection introducing, among other concepts, the roles of data controllers and processors, privacy notices, data subject rights, and breach notification procedures.
Many privacy, compliance and legal professionals at Mexican companies struggled to operationalize these new concepts – if they chose to act at all – as most had to build their privacy programs from scratch in response to the Act. Many companies in Mexico did not see beyond simply posting publicly-facing privacy notices, potentially because of the historical lack of privacy enforcement by Mexican authorities, or perhaps due to a propensity to remain relatively dormant until something triggers a reaction. The approach to GDPR compliance took a similar course, as many Mexican-rooted companies continued to process personal data as they had for years, awaiting the imposition of a heavy fine by EU Data Protection Authorities (DPAs) on a Mexican company. Conversely, companies with headquarters in the United States appeared to take a more proactive approach, identifying necessary adjustments to their existing privacy programs in order to comply with GDPR.
US Businesses and the Proactive Response
In the US, I’ve experienced firsthand the beautiful madness of my clients’ responses to GDPR. While every company I’ve worked with reacted in a unique manner, they all had one thing in common: a proactive approach to compliance driven by the need to mitigate future risk of potential fines and impact to reputation. I was amazed that this proactive approach came from businesses in a country where privacy rights are viewed by much of the world as trailing far behind Europe – a country where, in most instances, once personal data is given to an organization, that organization is free to process it as it deems appropriate to its own objectives.
While many US companies viewed GDPR as another impediment to conducting business efficiently and effectively, some recognized an opportunity. Far from considering GDPR as an obstacle to their day-to-day operations, these organizations recognized individuals’ concerns caused by a lack of control over business use of personal data about them. These forward-thinking companies acknowledged that in order to continue to grow internationally, they needed not only to improve externally facing efforts, but also to implement procedures, change operational processes, and undertake to align behaviors in order to gain the trust of customers and consumers in a multinational marketplace.
Of course, the heavy fines for GDPR violations were a clear overriding factor driving compliance efforts. Some US-based companies undertook a global approach, applying GDPR-compliant initiatives even to processing of personal data of non-EU residents. Others segmented processing activities by adopting either an ex-US or an ex-EU approach. And while there remains a degree of uncertainty with respect to the level of enforcement outside of the EU, prudent companies have moved to gain alignment with GDPR requirements and reduce the risk of complaints from EU residents and scrutiny from DPAs.
Mexico and New Global Opportunities
As businesses based in Mexico look north, they see that the US – and Silicon Valley in particular – is home to many of the world’s largest and most innovative corporations and the cradle of thousands of startups. These entities also see that as the EU moved forward with a restrictive privacy regulation, the US remained an attractive destination for innovators and investors, particularly as many US-based companies developed proactive privacy strategies to develop international business and play by the international rules.
However, while the US economy continues to expand, it is simultaneously limiting immigration and taking a hard line toward trade, forcing many potential investors to look elsewhere to invest. As a result, Mexico has become an attractive destination for tech and business innovators looking for competitive advantages. Mexico is one of the 15 largest economies in the world and is expected to continue its growth during the coming decades. According to a report published by the Organization for Economic Co-Operation and Development (OECD) in 2016, Mexico was the country with the largest number of startups in Latin America, just behind Brazil. The city of Guadalajara, Jalisco, the tech capital of Mexico, has had more than $120 million of investments since 2014 in nearly 300 startups and exports $21 billion in tech products and services annually.
In view of growing US protectionism, established Mexican companies and startups alike have an exceptional opportunity as well-positioned North American alternatives to traditional US businesses. In order to succeed in this, however, they must progress from historic passive and reactive responses to new regulatory requirements, leave enforcement skepticism behind, and take a proactive approach to GDPR compliance. The response to GDPR that many forward-thinking US-based companies took provides an excellent model for Mexican companies to follow to create new opportunities in a current environment that may limit trade and investment in the US and open new doors to Mexican companies.