New Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”)

In the context of the reforms approved at the end of 2024 regarding organic simplification, which involves the disappearance of certain autonomous regulatory bodies, including the National Institute of Transparency, Access to Information and Protection of Personal Data (“INAI”), to assign their functions to centralized federal administration agencies, it was established that the legislative branch had a 90 days period to make the pertinent modifications to the applicable laws, including the Federal Law on the Protection of Personal Data Held by Private Parties and its Regulations.

On March 20^th, 2025, a Decree was published in the Official Gazette of the Federation (“DOF”) by which (i) the General Law on Transparency and Access to Public Information; (ii) the General Law on the Protection of Personal Data Held by Obligated Subjects; (iii) the Federal Law on the Protection of Personal Data Held by Private Parties; and (iv) various provisions of the Organic Law of the Federal Public Administration are amended. The LFPDPPP will enter into force the day after its publication in the DOF, repealing the LFPDPPP published on July 5, 2010.

In general terms, this new LFPDPPP does not establish substantial changes compared to its predecessor; however, the main differences presented by the new regulation are described below:

The main change reflected in the new LFPDPPP is that the Anti-Corruption and Good Governance Ministry (“SABG”) will be the new authority to protect personal data held by private parties, and its resolutions may be challenged through an amparo trial that will be substantiated by judges and specialized courts in the matter.

Changes were made in the wording to use inclusive language, standardize the rules, principles, bases, procedures, and, in general, establish the mechanisms for exercising the rights of personal data subjects.

Regarding the rights of data subjects, certain conditions were established for the exercise of the right of opposition by the personal data subjects, including in case of automated information processing. Likewise, it is foreseen that the exercise of this right will not proceed in those cases in which the processing is necessary for compliance with a legal obligation imposed on the data controller.

The adoption of binding self-regulation schemes that complement the provisions of the LFPDPPP is promoted, including mechanisms to measure their effectiveness in data protection (through audits), consequences, and corrective measures in case of non-compliance, such as changes to policies or processes, implementation of additional security measures, or imposition of internal sanctions.

Finally, it is important to mention that, as part of this package of new regulations, a new version of the LFPDPPP Regulations was not issued; however, the transitory articles establish that the Federal Executive Branch must issue adjustments to the regulations and other applicable provisions within 90 calendar days following the entry into force of the Decree.

At Cannizzo, Ortiz y Asociados, S.C., we can advise you on the implementation of the changes provided in the new LFPDPPP to remain in compliance and avoid possible sanctions. Our team of experts is available to provide personalized advice and support in the adoption of this new regulation.

 For more information, please contact Karen Ortega at [email protected].

Yours sincerely,

Cannizzo