placeholder

Data Privacy Landscape in Canada and Mexico: PIPEDA and LFPDPPP

Both U.S. neighboring countries pushed the region’s privacy standards forward with thorough, and similar, privacy protection laws. On the North, PIPEDA sets strong management principles, while on the South, LFPDPPP places the bar higher its specificity in data processing requirements.

This last couple of months we have been on a data security awareness crusade! Starting with the Mobile Theft & Loss Report, we have published a series of articles covering the how to protect your -and others- data privacy. Both as a person, and through your organization across different industries

We followed the report with Your Personal Data, Your Right to Privacy, and, most recently focused on educating on data protection regulations that affect how businesses and organizations handle their users’ data.

On that note, we already touched base with the European Union’s General Data Protection Regulation (GDPR) and its overarching reach; the California Online Privacy Act (CalOPPA); and we created a thorough guideline towards compliance for the U.S. health privacy rule, the Health Insurance Portability and Accountability Act (HIPPA).

So perhaps it’s time to look further to the north and south. Let’s see what data protection legislation our Canadian and Mexican neighbors have in place.

A Look Into the North: PIPEDA

Privacy in Canada PIPEDA
PIPEDA is promoted by the Privacy Commissioner of Canada

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted on April 13, 2000. That makes it one of the oldest data protection acts in existence! Designed to promote fair and honest electronic commerce, the law outlines specific data protection rules for both individuals and organizations.

For individuals, PIPEDA gives them the right to know why an organization collects, uses or discloses their personal information. It also gives them the right to gain access to that information and to complain if their information is not accurate or has been used in ways not defined by the law.

For organizations, PIPEDA requires that they acquiring consent before collecting personal information, provide services to individuals if they have not consented to share their data, and have clear, understandable data collection policies.

The 10 Fair Information Principles

The whole scope of PIPEDA’s requirements come from its ten Fair Information Principles. They represent the legislation’s full intents when it comes to how data must be treated. As well as which precautions an organization must take.

1. Be Accountable An organization with data under its control is responsible for its protection, and therefore must create personal information policies and safe practices.

Start by appointing an accountable figure in charge of controlling this, and then develop a privacy management program. For this, you must audit how you currently utilize data, and set usage limits for both your organization and involved third parties.
2.Identify the Purpose Before, or during, the collection of information your organization should know the reason behind that collection. This must be documented and informed to the user, who also has to consent any further use given.
3. Gather Proper Consent Any person whose data is being collected, used, or disclosed must know and consent the process. Except when it aids processes such as fraud investigations, breach of agreements, contraventions of the laws of Canada, and other exceptions.

Proper consent means you must be clear and inform how the data is going to be used. No tricks behind any checkbox, and you can’t deny service to those who reject it.
4. Limiting Collection The information gathered must be limited to that which is needed for specific and identified purposes. Minimize the gathering as much as possible and justify each use! If it is not a functional or operational need, it is not crucial.
5. Limit use, Disclosure, and Retention Your organization cannot disclose or use a person’s information for other purposes than that for which it was collected unless it is consented or required by law.

Furthermore, the storage of said should be temporary. Any data that is no longer needed for the purpose it was collected for should be deleted or anonymized.
6. Be Accurate Keep personal information accurate, complete, and up to date if necessary. Your organization shouldn’t utilize, make decisions, or disclose, information that is incorrect.
7. Use Appropriate Safeguards All Personally identifiable information (PII) should be protected against loss, theft, unauthorized access, disclosure, copying, or modification.

No matter the format in which it is stored, meaning that if it is physical it should be locked away and protected; if it is digital it should be blocked behind passwords and encryption; and the organization should have clearance processes, training, and limited access.
8. Be OpenAs an organization responsible over a user’s data, you should inform any clients, users, and employees about your policies and practices on safe data management.

Explain how users can make their data requests, present the person in charge of compliance, open complaint channels, and have clear privacy policies.
9. Give Individual AccessAny individual whose data is stored under your organization must have access to it.

You must be able to handle these requests, provide the data, correct any information, and mention its usage and disclosures to third-parties.
10. Provide Recourse Any individual has to be able to challenge your organization’s compliance by a complaint, directed to the Chief Privacy Officer, or whoever is accountable for PIPEDA compliance. Open complaint channels, review, and process them.

Canadians who believe their data has been compromised are encouraged to bring their complaints to the Office of the Privacy Commissioner of Canada, where an ombudsman will arbitrate their claim. The Privacy Commission seeks to uphold the PIPEDA fair information principles across the country’s ecommerce landscape.

PIPEDA has set a threshold for consumer data protection in Canada, but it has not been able to eliminate data breaches altogether. In 2014, an IT consultant working for Medicentre Family Health Care Clinics in Edmonton had his unencrypted laptop stolen precipitating one of the biggest data hacks in the Canadian media industry. More recently, in May 2018, hackers broke into the Bank of Montreal and Canadian Imperial Bank of Commerce’s Simplii Financial, stole customer information and triggered perhaps the largest Canadian data breach to date.

In view of the fast-changing nature of data security science, Canada’s PIPEDA has been updated several times since 2000. In November 2018 a mandatory data breach notification law was passed; it requires organizations to let consumers know if their data has been hacked. Overall, Canadian law is doing a good job in keeping abreast of data security issues.

View Into the South (LFPDPPP)


Enacted by the Congress on April, 2010, LFPDPPP is a fairly young legislation.

Data protection in Mexico falls primarily under the Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) or LFPDPPP, which was enacted in 2010. This law governs how the private sector can collect, process, and reveal individuals’ personal data.

Prior to LFPDPPP, Mexican data privacy was largely ruled by two pre-existing laws: the Federal Law of Transparency and Access to Public Government Information and the Protection of Personal Data in the State of Colima. However, in light of the growth on e-commerce and other international data privacy regulations, the Mexican government enacted LFPDPPP in order to keep its country in step with global data protection norms.

Data Protection Principles

Mexico’s legislation carries a lot of similarities with GDPR and PIPEDA itself. After all, most of the solutions or security implementations required represent an expected standard for any organization nowadays!

Furthermore, and once again much like PIPEDA, all personal data usage must be justified and its usage must follow nine principles: legitimacy, consent, information, quality, purpose, loyalty, proportionality, and accountability. Sound familiar?

1. LegitimacyAs a data controller, you must ensure your data processing follows the Mexican law.
2. ConsentAs a data controller, you must obtain consent from the user to gather and utilize personal information, for specific purposes only. Consent must be explicit, and users have to be able to withdraw at any time.
3. InformationYour organization must give notice to the data subject of the information that is being collected, and how it is being utilized and processed.
4. QualityAll information handled by your organization as a data controller must be exact, complete, and up-to-date to carry out their intended purpose. Specific preservation periods are also established.
5. PurposePersonal data can only be processed for a specific purpose your organization must delimit in its privacy notice/policy. These purposes have to be differentiated and treated individually.
6. LoyaltyThe principle of loyalty states an obligation to give priority to the interests of the data subject and its privacy expectations when it comes to data processing.
7. ProportionalityThe principle of proportionality seeks to minimize the amount of data processed, retaining only what’s relevant and necessary.
8. Minimization Furthermore, your organization must make efforts to reduce the amount of processed data to the minimum according to the purpose of processing.
9. AccountabilityFinally, the principle of accountability states that the data controller is responsible for the protection of collected data and must prepare safety policies and implement technical, physical, and administrative safeguards to guarantee their safety.

LFPDPPP’s Wide and Specific Reach

However, unlike Canada’s PIPEDA, Mexico’s LFPDPPP is significantly specific. It gives proper definitions and implementation suggestions for everything! How ARCO rights should be executed, regulated processes for national and international transmission of personal data, to subcontracting services that handle data, and specific examples and exceptions for each requirement.

What’s more, even if the nine principles rule the legislation, LFPDPPP isn’t completely defined by them. The law extends its requirement thoroughly in an effort to cover dozens of new privacy problems from the digital era: Proper consent processes, data preservation rules, and even guidelines for data processing in the cloud, or physical access data requests!

Where the law doesn’t stand strong is on the technical requirements front. Unlike HIPAA, the legislation doesn’t make technical suggestions, like implementing data encryption. It simply provides a series of factors an organization must view to determine the security measures they are to implement, according to the risks present.

LFPDPP Impact

Due to its thorough scope and complexity, we recommend you take law’s complete scope into consideration. LFPDPPP was Mexico’s heavy push into the data legislation world, and they committed to creating a law that doesn’t leave space for interpretation. Unlike GDPR, and HIPAA, the Mexican law breaks each point down and develops how real-world implementations for that would be carried out.

Since its implementation in 2018, Mexico’s data protection act has come to be taken seriously both by native Mexican organizations – such as banks, utilities, and retailers – as well as by foreign companies doing business in Mexico. The law is enforced by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI), which investigates reported violators and applies steep fines to violators.

Over time, the Mexican government has augmented the LFPDPPP with new legislation instituted in 2011, 2013, 2014, and 2018. Today, the INAI protects two basic rights: access to public information and protection of personal data. At the same time, Mexico’s data privacy law has solidified its place as a player on the world stage.


Nicolas Poggi

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.