On February 20, 2025, the Federal Executive submitted to Congress the “Initiative with Draft Decree enacting the General Law on Transparency and Access to Public Information, the General Law on the Protection of Personal Data Held by Obligated Entities, and the Federal Law on the Protection of Personal Data Held by Private Parties, and amended various provisions of the Organic Law of the Federal Public Administration” (the “Decree”). The Decree seeks to reform the legal framework governing transparency, access to public information, and personal data protection. It proposes enacting three new laws and eliminating the National Institute for Transparency, Access to Information, and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales; the “INAI”), consolidating its functions within the federal public administration.
According to the explanatory memorandum (exposición de motivos) of the Decree, these modifications aim to enhance efficiency in processing access-to-information requests and personal data protection while optimizing resources and eliminating redundancies in government structures. However, this Decree represents a significant structural shift that will impact both obligated entities in the public sector and private entities collecting or processing personal data.
I. Transformation of the Transparency and Access to Public Information System
The Decree largely mirrors the previous law in structure and content. Fundamental principles such as maximum publicity and limited exceptions subject to a harm test for withholding information are retained. Similarly, procedures for requesting information and filing appeals remain unchanged. The most significant change concerns institutional restructuring. The Decree provides for the dissolution of the INAI and the transfer of its functions to the newly created Ministry of Anti-Corruption and Good Governance (Secretaría de Anticorrupción y Buen Gobierno; the “SABG”). This new agency will be responsible for guaranteeing access to public information at the federal level and overseeing compliance with data protection regulations. At the state level, these functions will be assumed by the internal control bodies of each public authority and by state comptrollers. The previous collegial body of seven commissioners will be eliminated, and decisions will now be made by a single individual.
To align the new transparency and data protection frameworks, the Decree provides for the consolidation and simplification of the regulatory framework through the enactment of three new laws: (i) the General Law on Transparency and Access to Public Information (Ley General de Transparencia y Acceso a la Información Pública), (ii) the General Law on the Protection of Personal Data Held by Obligated Entities (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), and (iii) the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares; the “LFPDPPP”). These laws will replace existing regulations and establish new rules and procedures to ensure access to information and personal data protection in Mexico.
On February 27, 2025, the Senate committees approved the bill enacting these new laws and amending various provisions of the Organic Law of the Federal Public Administration (Ley Orgánica de la Administración Pública Federal) and on March 4, 2025, during a Regular Session of the Chamber of Senators, the ruling with the abovementioned draft decree was approved in general and in particular(1). The vote in the Joint Committees on Governance and First Legislative Studies (Comisiones Unidas de Gobernación y de Estudios Legislativos Primera) concluded with 20 votes in favor and 7 against, the latter from opposition legislators and the vote in the Regular Session of the Chamber of Senators was approved with 67 votes in favor and 20 against. What comes next is for this to be referred to the Chamber of Deputies and submitted to a vote.
Under the new institutional framework, the bill provides for the creation of Transparency for the People (Transparencia para el Pueblo), a decentralized body under the SABG, which will assume INAI’s former transparency-related responsibilities. According to the Federal Executive’s justification, this change aims to operate “under more functional and efficient schemes and align with the principles of rationality and republican austerity.”(2) Additionally, the SABG is granted with authority to regulate and manage the National Transparency Platform, thereby consolidating its control over the country’s access-to-information mechanisms.
II. New Regulation on Personal Data Protection
One of the most significant changes in the Decree is the modification of the personal data protection regime, as the SABG will assume all functions previously performed by the INAI. This means that oversight, regulation, and enforcement concerning data processing in both the public and private sectors will now be handled by this new agency.
This shift raises concerns about the autonomy and oversight capacity of the authority responsible for ensuring compliance with personal data protection laws. Eliminating an autonomous body such as the INAI and replacing it with a federal executive agency raises questions about impartiality in dispute resolutions and the potential for government interests to influence decision-making in this area.
The proposed new LFPDPPP introduces general modifications, including the use of inclusive language and the harmonization of rules, principles, procedures, and mechanisms for exercising the right to personal data protection by private entities.
In general terms, the LFPDPPP remains largely unchanged but introduces modifications to the right to object, establishing more specific criteria for its exercise and restricting its applicability in certain cases. Previously, this right was broad and allowed data subjects to object to processing for any legitimate reason. However, the new provisions require demonstrating a specific situation where continued processing may cause harm, even if lawful. Additionally, it explicitly regulates automated decision-making, granting individuals the right to object when such processing significantly affects aspects such as their economic situation, health, or personal behavior. A new exception is also introduced, specifying that the right to object does not apply when data processing is legally required for the data controller to fulfill an obligation.
Another notable change is the reduction of regulatory authorities’ roles in personal data protection, replacing their supervisory functions with a more flexible but less structured self-regulation approach. Under the new LFPDPPP, the Ministry of Economy (Secretaría de Economía) will no longer play an explicit role in promoting, supervising, and enforcing compliance in the private sector. Additionally, the co-regulation mechanisms between regulatory authorities and the now-defunct INAI will be eliminated, with these responsibilities transferred to yet-to-be-specified authorities. While the initiative maintains the concept of voluntary binding self-regulation, it removes the broader institutional framework that previously governed its implementation, raising concerns about the effectiveness of the new regulation and the level of protection it will ensure for data subjects.
During Senate debates on the bill, opposition senators argued that this reform further centralizes power within the Federal Executive by eliminating an autonomous agency that acted as a counterbalance. Legislators from the PAN (Partido Acción Nacional) and the PRI (Partido Revolucionario Institucional) asserted that, with this reform, “the government will be both judge and party,” potentially weakening access-to-information mechanisms and accountability measures.
III. Transition Process
If approved by the Chamber of Deputies, the Decree establishes a 90-day period from its entry into force for the Federal Executive to issue the necessary regulatory provisions for implementing the new laws. During this period, it will be crucial for obligated entities and private parties collecting or processing personal data to conduct an impact analysis and adopt measures to comply with the new regulations.
IV. Considerations and Recommendations for Companies and Obligated Entities
The Decree represents a fundamental shift in access to public information and oversight of personal data processing in Mexico. For private parties that collect, process, or store personal data, it will be essential to anticipate these changes and adopt strategies for efficient compliance with the new regulations.
First, private parties should conduct a comprehensive review of their internal policies and procedures concerning personal data protection. Given that the SABG will now oversee and enforce compliance, ensuring that data collection, processing, storage, and transfer procedures adhere to the new provisions is crucial.
Second, personnel training on transparency and personal data protection will be key. The new provisions may introduce changes to procedures and obligations for private parties handling personal data. Thus, well-trained teams will be vital for ensuring regulatory compliance and minimizing risks.
Finally, private parties should closely monitor the regulatory provisions to be issued in the coming months. The implementation of this Decree will heavily depend on secondary regulations issued by the Federal Executive, and organizations must be prepared to adapt to regulatory changes in a timely manner.
Given the impact of this Decree, both government entities and private parties handling personal data should carefully analyze its implications and take the necessary steps to ensure compliance with the new transparency and personal data protection provisions. In an environment of increasing regulatory scrutiny, anticipation and adaptation will be crucial to mitigating risks and ensuring operational continuity within the new legal framework.
At Ritch Mueller, we have extensive experience in personal data protection, with a team of professionals available to advise our clients and help them navigate the legal implications of these changes. We can assist in adapting to this new regulatory landscape, ensuring compliance with obligations, mitigating potential risks, and safeguarding our clients’ rights.
Should you require additional information, please contact Pablo Perezalonso Eguía ([email protected]), Ricardo Calderón Mendoza ([email protected]), Isabel Ortiz Monasterio Borbolla ([email protected]), Sara Hardy Pérez ([email protected]) or Pablo Rueda Carmona ([email protected]).
Visit our site www.ritch.com.mx or reach us at (+52) 55 9178 7000 | [email protected]
(1) Sistema de Información Legislativa – Sesión de la Cámara de Senadores - Sesión Ordinaria del día Martes 04 de Marzo de 2025 - https://sil.gobernacion.gob.mx/Calendario_Sesiones/MxM.php?CveSesion=4845905&Sesion=2&Fecha=2025-03-04&strTipoSesion1=Sesi%F3n%20Ordinaria
(2) La Jornada, “Aprueban en comisiones transferencia de funciones del INAI a SABG”, available at: https://www.jornada.com.mx/noticia/2025/02/27/politica/aprueban-en-comisiones-transferencia-de-funciones-del-inai-a-sabg
(3) Ídem.