Mexico City, May, 2021
On April 16, 2021, certain amendments to the Federal Telecommunications and Broadcasting Law (hereinafter FTL) were published in the Federal Official Gazette, which order the creation of the National Registry of Mobile Telephone Users (hereinafter the Registry), which has a direct implication on Data Protection regulations.
The main justification to create this Registry is an improved public safety, allowing the identification of persons who commit any wrongdoing and providing the State with more information to prevent and eradicate crimes committed using mobile phones and data, messaging services and telephone calls, among others. The information available in the Registry will include various personal data, including biometric data of the user or a legal entity’s representative.
This reform, like others, has generated different perceptions among stakeholders, particularly because the Registry includes the processing[1] of biometric data for the purpose of fully identifying telephone line owners and such data, due to its characteristics, is considered sensitive. In this respect and as a matter of principle, it is important to understand the concept of biometric data in order to measure the consequences of providing such data.
For such reason, the Transparency, Access to Information and Personal Data Protection National Institute (INAI) defines biometric data, in the ” Treatment of Biometric Data Guide”, as follows:
“Physical, physiological or behavioral properties or personality traits attributable to a single person that are measurable[2].”
Article 29 Working Party (currently European Data Protection Board) listed the following characteristics in relation to the concept of biometric data:
- Universal, since every person possesses it;
- Unique, since no two biometrics have the same characteristics for which they distinguish us from others;
- Permanent, since they are maintained, in most cases, over time in each person; and
- Quantitatively measurable.
Having specified the foregoing, there are concerns that the processing of biometric data could violate the privacy of data subjects. In addition, the reasons (in connection with public safety) why citizens will be required to provide this data to obtain mobile telephone service or to provide the service for current users were not clearly stated.
Moreover, 2 other laws converge with the FTL: the General Law for the Protection of Personal Data in Possession of Obligated Subjects and the Federal Law for the Protection of Personal Data in Possession of Private Parties, since the Registry will be managed by the Federal Telecommunications Institute, which is governed by the former, while concessionaires or authorizes (telecommunications companies) that will collect information will be governed by the latter and although both laws focus on data protection, there are differences with respect to the liability of regulated subjects.
Thus, on April 27, 2021, the Plenary of the INAI unanimously agreed to bring an action of unconstitutionality with the Supreme Court of Justice of the Nation against the reform to the FTL, as the data protection administrative authority for both regulated entities and private parties, having the necessary authority to file the recourse. In addition, the Institute considered that the creation of the Registry is contrary to the principle of proportionality in data processing since it is not necessary, adequate or relevant and, possibly, does not follow the criterion of data minimization for processing purposes.
Although the reform seeks to preserve the public safety of individuals, there is undoubtedly a clash with the privacy and data protection rights provided under Article 16 of the Constitution and therefore, the creation of the Registry perhaps does not bring about the exceptions to the principles governing data processing provided thereunder.
Last, the opinion of INAI, as the authority on data protection, was not included in the opinion that gave rise to the reform. This situation did not allow for an optimal debate to discuss whether the need to create the Registry was paramount to the privacy and data protection rights of citizens.
*This article is authored by Gustavo Miranda and Israel Ledesma and it may reflect their personal opinions independently from the law firm they work for. Shall you intend to apply any of the debated interpretations within the article, we highly recommend to formally consult Jáuregui y Del Valle, S.C. or any other qualified tax and labor advisor.
© 2020, Jáuregui y Del Valle, S.C.(JDV), All rights reserved. This information belongs to JDV and external distribution should be authorized. Printing and sharing are allowed.
[1] Definition integrated with basis on Opinion 3/2012 of Article 29 Working Party and the Privacy & Biometrics Document. Building a conceptual foundation. National Science and Technology Council. Committee on Technology. Committee on Homeland and National Security, Subcommittee on Biometrics, United States, 2006.
[2] The collection, use, disclosure or storage of personal data through any means. Use includes any action of access, handling, use, exploitation, transfer or disposal of personal data. LFPDPPPPP, DOF July 05, 2010, Mexico.