MEXICO: New Privacy Notice Guidelines were introduced April 17, 2013, specifying the format and contents of privacy notices required for the direct or automated collection of personal data.

The Guidelines seek to enable data subjects to make free and informed choices, by ensuring that they are given information and an opportunity to consent and object to the collection of their personal data. Privacy notices must be provided prior to collection, and must be set out in Spanish and in a format that is clear, easy to understand, and not misleading. A simplified or short form privacy notice can be justified in certain circumstances, but must inform data subjects where they can access a fuller privacy policy. The latter must contain, among other information, the data controller’s identity, the purposes of collection, and the rights of the data subject. The addendum to the Guidelines also provides additional recommendations, including special rules for handling the data of children.

Compliance with the Guidelines is mandatory and no exemptions are available. They will be particularly important to businesses operating in the jurisdiction processing personal data of its employees, customers and/or vendors, and/or website operators placing cookies in Mexico. The Instituto Federal de Acceso a la Información y Protección de Datos (IFAI) is already exercising its enforcement powers, including the issuing of monetary penalties. In December 2012, the IFAI fined a Mexican pharmaceutical company a total of 2 million Mexican pesos (approximately US$162,000), giving a clear indication of its actions on data privacy violations.

COLOMBIA: Following the lead of Costa Rica and Peru, Colombian Law No. 1581, having introduced its first data protection frameworks in March this year, came into force April 18, 2013. The new law covers, among other matters, notice and consent requirements, cross-border data transfers, and the processing of children’s personal data. In a vein similar to the IFAI in Mexico, the new Colombian data protection regime is supported by serious sanctions, which include monetary penalties of up to US$650,000, up to six-month trading suspensions, and even temporary or permanent closure of business operations for persistent violations.