Rather than a specific single regulatory regime applicable to software, Mexican law provides a diverse regulatory framework that collectively shapes its legal landscape. This regime includes mainly the Copyright Federal Law (Ley Federal del Derecho de Autor, the “Copyright Law”) which classifies software (programa de computación) as a protected work; the term “Software” (programa de computación) is defined as an original expression or manifestation by any means, language or code, of a compilation of instructions that, with a determined sequence, structure and organization has as purpose that a computer or device performs a specified task or function. The Intellectual Property Federal Law (Ley Federal de Protección a la Propiedad Industrial, the “IP Law”) does not contemplate within its scope the protection of Software (as defined above); however, it does protect inventions, utility models (modelos de utilidad), industrial designs (diseños industriales), layout designs of integrated circuits (esquemas de trazado de circuitos integrados), trade secret (secreto industrial), among others.

Furthermore, the Federal Law on the Protection of Personal Data Held by Private Parties and its secondary regulation (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “Data Held by Private Parties Protection Law”) play a crucial role in safeguarding databases and personal data within software applications, addressing privacy and data rights.

In addition to these regulations, the legal framework extends to criminal aspects. The Criminal Federal Code (Código Penal Federal) and the Criminal Procedures Federal Code (Código Federal de Procedimientos Penales) establish penalties for various software-related offenses, including piracy, falsification and unauthorized access to systems and data.

The Copyright Law safeguards the intellectual property of original authors to be reproduced or divulgated by any form. According to this law, Software programs are protected under the terms applicable to  literary works (obras literarias); under Article 5th thereunder, immediately after the software is created (and upon it has been affixed to a material support), the developer is entitled to copyright protection for its lifetime and an additional one hundred years; this protection is automatic, which means there is no obligation from the developer to register the software before the Mexican authorities, although its highly recommended to conduct such registration with the Copyright Public Registry (Registro Público de Derecho de Autor), which is overseen by the National Institute of Copyright (Instituto Nacional del Derecho de Autor, “INDAUTOR”) for added certainty and protection.

The economic copyright rights set forth in the Copyright Law entitle the holder thereof to authorize or prohibit, with respect to the applicable Software: (i) its permanent or temporary reproduction, in whole or in part, by any means; (ii) its the translation, adaptation, adjustment or any other modification thereto and the reproduction of the Software resulting therefrom; (iii) its distribution by any means, including through lease; (iv) its decompiling or disassembling, as well as the application of any reversion engineering processes thereto; and (v) the issuance of any public communication in connection therewith, including without limitation, any information made available to the public in general.

According to the IP Law, computer programs are not considered inventions and, therefore, Software cannot be patented. However, Software is protected under the Copyright Law.

In accordance with the Copyright Law, the author or developer of a Software will own the resulting copyrights with respect to the newly created Software.

As a general rule, pursuant to Article 103 of the Copyright Law, if the Software is developed by one or several employees during their employment or following instructions of their employer, in the absence of an agreement to the contrary, the copyrights with respect to the Software shall correspond to the employer.

There is no specific law or statute that governs the harm or liability caused by Software or computer systems. The general regulatory framework applicable to liability arising out between private individuals or legal entities or private acts is set forth in the Federal Civil Code (Código Civil Federal), the Civil Codes (Códigos Civiles) for each federal entity of Mexico and the Commercial Code (Código de Comercio). The applicable regulation shall depend on the specific context or situation.

For instance, the Federal Consumer Protection Law (Ley Federal de Protección al Consumidor “Consumer Protection Law”), protects the rights of the consumers and clients of any goods and services, including Software and computer systems. If a particular harm or liability is caused by Software in connection with Personal Data held by private parties, the applicable law will be the Data Held by Private Parties Protection Law.

Cybersecurity is regulated in the Federal Criminal Code (Código Penal Federal) and penalties for improper use of software may be of a financial nature and, in some situations,  imprisonment, in addition to the obligation to pay damages and losses that may be claimed, depending on the infraction committed.

Furthermore, in April 2023, an initiative to enact a Cybersecurity Law in Mexico was proposed before the Mexican Congress (Congreso de la Unión). The bill seeks to strengthen cybersecurity in Mexico, provide certainty to all entities that participate in the assigned tasks, and to establish policies to penalize illicit conducts committed through cyberspace.

Other than the Code of Commerce (Código de Comercio), the Telecommunications Law, the Consumer Protection Law, and the Financial Technology Institutions Law (Ley para Regular las Instituciones de Tecnología Financiera, “FinTech Law”), the Data Held by Private Parties Protection Law, today there’s not an identifiable technology-specific law that govern the provision of software between a software vendor and customer.

Yes, it is typical for a software vendor to cap its maximum financial liability to a customer in a software transaction in Mexico. According to the Federal Civil Code (Código Civil Federal), civil liability or damages for breach of contract may be limited by the parties in the applicable agreement, except for liability arising from wilful misconduct, which is always enforceable.

The liability cap is typically a determined in accordance with the aggregate amount of fees received by the licensor under the applicable software license agreement, and it is usually the amount of fees that would be received per 12 months. The market standard level of cap varies depending on the jurisdiction, but in Mexico, a cap on indemnification liability not to exceed 100% of the purchase price is common.

The principle of “parties free will” (“autonomía de la voluntad de las partes”) contemplated in the Federal Civil Code (Código Civil Federal) provides that the parties to a software agreement, or to any other agreement, are entitled to cap their liability, or even release themselves from liability, in terms of the applicable agreement. There is no standard answer to this question because every transaction is different in matters of parties’ liability in case of default or damages. However, as a general rule, liability arising from willful misconduct is not waivable pursuant to the Federal Civil Code. Further, liability arising from regulatory fines or felonies may not be limited nor waived pursuant to an agreement by private parties.

Although it is a highly recommended practice, is not a common practice for software developers in Mexico to hold in escrow their software source codes. Some of the typical escrow providers in our country are Praxis Technology Escrow and Escrow Tech.

Mexico enforces export controls on software transactions, in alignment with its Foreign Trade Law (Ley de Comercio Exterior). These regulations encompass dual-use assets, software, technology, and goods, including data processing programs, data transmission, and telecommunications via electronic media, fax, telephone, satellite transmission, or any other means of communication that could potentially be diverted for the proliferation and manufacture of conventional weapons and weapons of mass destruction.

Mexico’s export control framework exhibits a comprehensive scope, extending to technology transfers facilitated through various intangible mean such as USB memory, CDs, DVDs, phone calls, emails, and other controlled channels. The export of controlled assets, including software programs, technologies, and various other controlled goods, requires obtaining an export permit from the Ministry of Economy (Secretaría de Economía “SE”) prior to their export.

On June 16, 2011, the SE implemented the Previous Exportation Permit (Permiso Previo para su Exportación). This permit governs the export of controlled assets, encompassing conventional firearms, their components, everyday dual-use items, software programs, technologies, and various other controlled goods. Notably, in cases involving assets of a sensitive nature, the Ministry of National Defense (Secretaría de la Defensa Nacional) may play a role in the issuance of these export licenses.

There isn’t a specific technology law governing IT outsourcing transactions in Mexico. Instead, these transactions fall under the purview of the Labor Law, which covers outsourcing matters, including those related to IT.

Since the amendment to the Labor Law in 2019, the Mexican Federal Government has been diligently working to regulate outsourcing transactions with the aim of safeguarding the labor and social security rights of employees. Furthermore, with the 2021 amendment to the Labor Law, most outsourcing transactions were prohibited, permitting companies to outsource only specialized services, to the extent the outsourced services provider is registered before the REPSE (as explained below) as an authorized specialized services provider.

On April 24, 2021, the Labor, and Employment Ministry (Secretaría del Trabajo y Previsión Social, “ST”) established the Registry of Specialized Service Providers or Specialized Works (Registro de Prestadoras de Servicios Especializados u Obras Especializadas “REPSE”) in which the outsourcing providers shall be registered.

According to the Labor Law and the absence of technology-law regulation, IT services would be considered “specialized services” which means that the supplier who provides the IT outsourced services must be registered with the REPSE.

The fundamental essence of the Labor Law is to protect the rights of workers, particularly those who are in a more vulnerable position. This law was conceived in response to the need of shielding employees from potential abuses from their employers, creating a legal framework to balance the rights and obligations of workers and employers in Mexico.

The Labor Law safeguards the individual employment and social security rights of workers in cases where services are outsourced to third-party IT service providers. According to the second paragraph of Article 14 of this Law, when a customer (individual or company) contracts specialized services with an outsourcing provider who fails to meet its obligations as an employer toward its employees, the customer shall be also deemed a joint obligor (obligado solidario) of the outsourcing provider as employer,  before and for the benefit of the employees of the latter. This legal provision serves as a protective measure for individual workers.

Also, to the extent an employee of an IT outsource provider has a subordination relationship with the principal company, or receives constant instructions from it, such employee may have rights against such company.

First and foremost, the Mexican Constitution and the Telecommunications Law, complemented by its secondary laws. This Law establishes a regulatory framework for the telecommunications and broadcasting sectors, promoting competition, and ensuring the provision of telecommunication services, including broadband and internet, under conditions of competition, quality, plurality, universal coverage, interconnection, convergence, continuity, and free access throughout the Mexican territory.

The Telecommunications Law provides that in the absence of specific legislation, several supplementary laws apply, including the (i) General Law of National Assets (Ley General de Bienes Nacionales), (ii) Law of General Communication Channels (Ley de Vías Generales de Comunicación), (iii) Consumer Protection Law, (iv) Federal Law of Administrative Procedure (Ley Federal de Procedimiento Administrativo), (v) Code of Commerce (Código de Comercio), (vi) the Federal Civil Code (Código Civil Federal), (vii) the Federal Code of Civil Procedures (Código Federal de Procedimientos Civiles), and (viii) the general laws related to electoral matters.

One of the main organizations aiming to represent and collaborate with the technological industry is the Mexican Association of the Information Technologies Industry (Asociación Mexicana de la Industria de Tecnologías de Información or AMITI). This organization was established about 38 years ago and seeks to represent the technology enterprises that are present in Mexico, being the organization with the most significant impact and representativity of the technology sector in Mexico. The main goal of AMITI is to become the main representative of the technology sector in any conversations and debates held in the public and private forums, as well as to (i) promote the strategy for the technological democratization in Mexico; (ii) develop relevant information to implement digitalization strategies; and (iii) to reduce the digital gap between the Mexican social sectors. AMITI has approximately 135 affiliated companies and a total of six committees, including a cybersecurity committee and an artificial intelligence and new technologies committee, which seek to develop and implement strategies to facilitate the adoption of emerging technologies, as well as to collaborate with the public sector, including the Mexican Congress, seeking to establish a communication channel to regulate new technological trends. For additional information please refer to https://amiti.org.mx/quienes-somos/

Another organization engaged in the technological industry is the National Chamber of Electronic, Telecommunications and Information Technologies Industry (Cámara Nacional de la Industria Electrónica, de Telecomunicaciones y Tecnologías de la Información or CANIETI). This organization has more than 85 years of experience and more than 1,000 affiliated companies throughout Mexico. Its main goal is to be the organization with the broadest representation capabilities within the electronic, telecommunications and technologies sector. For additional information please refer to https://canieti.org/canieti/quienessomos.aspx

Other organizations in Mexico include, the Internet MX Association (Asociación de Internet MX (AIMX), the National Association of Educational Institutions in IT (Asociación Nacional de Instituciones de Educación en Tecnologías de la Información, ANIEI), the Board of Cybersecurity and Information Security (Consejo de Seguridad de la Información y Ciberseguridad), the Cybersecurity Mexican Association (Asociación Mexicana de Ciberseguridad, AMECI), among others.

Interoperability is defined in the Federal Telecommunications Law as the technical characteristics or features of public network, systems and telecommunications equipment that allow an effective interconnectivity, ensuring a consistent and predictable provision of telecommunication services.

Technical standards provide a basis to permit such interoperability among mobile devices. In Mexico there are multiple technical standards within the telecommunications sector. The Digital Agency for Public Innovation (Agencia Digital de Innovation Pública) is a governmental agency seeking to conduct, design and surveil the implementation of data management, digital government and technological infrastructure governing in Mexico City, and it has established several technical standards in matters related to Hardware, Software, Electronic Equipment, IT Networks, among others. For additional information please refer to   https://adip.cdmx.gob.mx/centros/Asuntos-juridicos-y-normatividad

The Normas Mexicanas (NMX) are non-binding technical documents that establish quality specifications in connection with processes, products, services, systems and others, including within the IT and Telecommunications sectors.

In general, technical standards (either binding or not) allow the development of technology and the interoperability of networks, systems and equipment favoring efficiency and the development of new technologies, principally for the benefit of consumers and the private sector in general.

The World Intellectual Property Organization (Organización Mundial de la Propiedad Intelectual) defines a “Standard Essential Patent (SEP)” as “a patent that protects an invention essential to the implementation of a particular technology standard”. Technology standards are “critical for ensuring safety, interoperability and compatibility of different products and services made available by various companies”. Given the nature of SEPs, achieving an adequate balance between the interest of the parties in a license agreement has a significant relevance.

Please note that SEPs are mainly regulated within the international legal framework; however, the Mexican legal framework has not implemented a specific regulation for this type of patent. Nevertheless, the owner of a SEP would still have access to the rights and recourses available pursuant to the IP Law.

Given the importance for the private sector to adhere to technical standards they have a primary interest in gaining access to SEP licenses; however, the main concern when negotiating this type of agreements resides in the international principle know as “FRAND” (fair, reasonable and non-discriminatory) in attempting to reach a fair trade between the parties while still seeking to ensure a free trade and transparency within the market and avoiding antitrust practices and concerns.

As in any other contractual negotiation, attempting to agree in what would be deemed “FRAND” may be challenging as there is no legal objective criteria to reach a conclusive determination. In accordance with the World Intellectual Property Organization, the main concern in connection with warranties in a negotiation would be whether the particular patent is valid and objectively deemed as essential for purposes of implementing a standard¹.

Footnote(s):

¹ https://www.wipo.int/web/patents/topics/sep#:~:text=A%20Standard%20Essential%20Patent%20(SEP,made%20available%20by%20various%20companies

The National Institute for Access to Information and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, “INAI”) is the authority responsible for the surveillance and enforcement of the data protection regulation in Mexico.

On a daily basis, the INAI publishes guidance on data protection matters, for example: Privacy Notice Guidelines (Lineamientos del Aviso de Privacidad), Personal on Data Security Recommendations (Recomendaciones en Materia de Seguridad de Datos Personales), Guide for Implementing a Security Management Program for Personal Data (Guía para Implementar un Sistema de Gestión de Seguridad de Dtos Personales), Guide for Complying with the Principles and Duties Under the Federal Law on the Protection of Personal Data Held by Private Parties (Guía para Cumplir con los Principios y Deberes de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares), Recommendations for the Designation of a Person or Department to Oversee Data Protection (Recomendaciones para la Designación de la Persona o Departamento de Datos Personales), Guidelines on Short Privacy Notices for CCTV (Modelo de Aviso de Privacidad Corto para Video-Vigilancia), among others.

The INAI, like the IFT, is an autonomous body with independent budgetary control. It has as an objective to ensure access to public information while safeguarding personal data. This institute not only oversees compliance with data protection laws but also extends technical support and training to data controllers. Additionally, it issues opinions, recommendations, and best practices, renders enforcement decisions, imposes penalties when necessary, and engages in the development of studies and research pertaining to data protection.

The principal laws of Mexico’s data protection legal framework are: (i) the Mexican Constitution. Article 6 provides the fundamental right to access and rectify personal data within public records. Article 16 establishes the rights to access, rectify, cancel, or oppose the processing of personal data (rights know as Derechos Arco). And, furthermore, article 73 empowers the Mexican Congress to legislate comprehensively on matters of data protection, reinforcing the constitutional commitment to safeguarding personal information; (ii) the Data Held by Private Parties Protection Law, and its secondary law were created to regulate the entire spectrum of data processing activities by private entities. Its objectives encompass the meticulous regulation of data retrieval, use, disclosure, storage, access, and transfer, concurrently supporting the establishment of binding self-regulation mechanisms, and to fortify the protection of personal data held by private entities, outlining a comprehensive legal framework that underpins responsible data management practices; (iii) the Data Held by Obliged Subjects Protection Law, that was specifically drafted to safeguard and preserve personal data held by any governmental body; and (iv) the Parameters for Self-Regulation on Personal Data Protection (Parámetros de Autorregulación en materia de Protección de Datos Personales), that serve as a strategic guideline for entities engaging in self-regulation concerning the protection of personal data.

In case of failure or in the event of a breach of any applicable data protection laws, the current approximate maximum fine that can be imposed by the INAI consists of MXN$66,380,800 (approximately USD$3,687,822.22) at an exchange rate of approximately MXN$18.00 pero USD$1.00.

It is important to note that this sanction is independent of any civil and/or criminal liability that could result from the breach. The Data Held by Private Parties Protection Law authorizes criminal penalties for individuals in some circumstances, including those causing data breaches or deceitfully processing personal data for profit.

The INAI employs a meticulous approach to determine the penalty amount, considering factors such as the nature and sensitivity of the compromised personal data, whether the data controller disregarded the data subject’s objections, the intentionality or omission behind the violation, the economic capacity of the data controller, and whether the breach constitutes a repeat offense. This multifaceted evaluation ensures that penalties are proportionate to the gravity of the infringement and serves as a deterrent against future violations.

It is not a common practice in technology agreements executed in Mexico to refer to external data protection regimes.  The INAI has not approved any specific standard forms or precedents for cross-border transfers of personal data. As a general rule, Mexican privacy law is subject to the “territorial applicability” principle (i.e., it is only applicable when there is a point of contact with Mexican territory); however, if the “Responsible” is not located within the Mexican territory but the data processor (“Encargado”) is, then, the latter shall still be obligated to maintain certain information security measures.

In Mexico, the regulation of artificial intelligence (“AI”) is not yet specific, however, the government is actively working across its three branches – judicial, legislative, and executive – to develop an AI strategy aimed at regulating its use and penalizing any misuse.

Over the past year, governmental bodies such as the INAI, the National Institute of Statistics and Geography (Instituto Nacional de Estadística y Geografía, “INEGI”), and the National Council of Humanities, Sciences and Technologies (Consejo Nacional de Humanidades, Ciencias y Tecnologías, “CONAHCYT”) have taken on the responsibility of overseeing AI in Mexico.  The government intends to formulate a national AI strategy to promote the responsible and ethical use of AI.

In March of 2023, the House of Representatives (Diputados) proposed the establishment of a new autonomous body to regulate AI matters, such as the Mexican Ethic Council for Artificial Intelligence and Robotics (Consejo Mexicano de Ética para la Inteligencia Artificial y la Robótica, CMETIAR”), that will contribute to the technological development according to the ethics of new technologies, including the use of AI and Robotics inside the national territory.

Furthermore, as a part of this legislative bill, the creation of the National Network of Statistics of Use and Supervision of Artificial Intelligence and Robotics (Red Nacional de Estadística de Uso y Monitoreo de la Inteligencia Artificial y la Robótica, “AI Network”) aims to enhance monitoring and oversight of AI and Robotics applications, ensuring responsible and ethical deployment.

As of June 2024, Mexico lacks specific legislation governing the deployment and use of AI. Nevertheless, several legal frameworks, such as the Data Held by Private Parties Protection Law and the Consumer Protection Law and its associated regulations, are applicable to AI-related matters. Despite the absence of specific AI-focused regulation, judicial resolutions in Mexico have relied on existing intellectual property laws and principles in cases involving AI.

Recognizing the importance of responsible and ethical AI use, the Mexican government is actively developing a national AI strategy. This comprehensive strategy encompasses five key areas: (i) governance, government, and public services; (ii) research and development; (iii) capacity, skills, and education; (iv) data infrastructure; and (v) ethics and regulation.

Proposed measures within the strategy include a legislative bill of the Law for the Ethic Regulation of Artificial Intelligence and Robotics (Ley para la Regulación Ética de la Inteligencia Artificial y la Robótica, “AI Bill”), with the goal to stablish public policies and the creation of Mexican Official Standards (“Normas Oficiales Mexicanas” or “NOMS”) that govern the use of AI and Robotics in Mexico through the creation of the CMETIAR, and the AI Network, as mentioned in question 19 above.

The AI Bill, to the extent passed and enacted, provides the respect to the general principles of data protection, human rights and intellectual property. Further, it also states that the development, creation, investigation and use of AI shall be conducted in accordance with ethics, respect for human rights, gender perspective, and without discrimination or bias in virtue of ethnical origin, race, religion or socioeconomical conditions. Further, no private or public entity shall use AI for social manipulation or discrimination purposes, nor in contravention with the Mexican legal framework.

As mentioned in the last two answers, as of this day there is no specific regulation for deployment and use of large language models and/or generative AI. The AI Bill, proposed in March 2023, is the only project nowadays to protect human rights and personal data.

The lack of specific regulations for AI, including Large Language Models and generative AI, is a current reality in Mexico, but the ongoing discussions and proposals indicate a growing awareness of the need for regulatory frameworks to address the challenges and opportunities presented by these kinds of technologies in Mexico.

Given that, as of June 2024, the IA Bill has not been passed by the Congress, there are currently no mandatory specific provisions addressing AI risk that shall be contemplated in any technology contracts governed under Mexican laws. Nevertheless, in May 2022, the National, Transparency Institute for the Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, the “INAI”) issued several recommendations for the use of Artificial Intelligence. In accordance with such recommendations, the INAI states that, pursuant to publications in the U.S., Artificial Intelligence may be classified in four different categories:

1. Reactive Machines (Máquinas Reactivas): These are the most basic types of AI which are only focused on making determinations based on the present time. They lack memory of past events or experiences and thus are not able to evolve.
2. Limited Memory (Memoria limitada): This type of AI utilizes past experiences (either its own or transferred), rules of behavior and information of certain scenarios to make certain choices.
3. Theory of the Mind (Teoría de la Mente): This type of AI has means to interpret or construe the manifestation of thoughts, emotions and ideals, as well as to assess reasoning and conduct processes. This technology can work together with human beings by emulating their mental processes in accordance with the behavior and conduct that it perceives as part of their internation.
4. Self-consciousness (Autoconciencia). This technology would be self-conscious and, thus, the ability to construe a representation of itself, its surroundings and its own behavior. It has its own perception and subjective ability to perceive and learn from experience.

Furthermore, the recommendations issued by the INAI refer to the five main principles that have been recognized by the Organization for Economic Cooperation and Development (Organización para la Cooperación y el Desarrollo Económicos, “OCDE”): (I) the use of AI for the benefit of the people in general and the planet pursuing sustained growth and wellbeing; (ii) AI must be developed in accordance with the legal frameworks of the States, human rights, democratic values and diversity for purposes of pursuing a fair and equitable society; (iii) there must be a transparent and responsible disclosure of IA and its systems; (iv) AI systems must be implemented in a solid and safe manner, continuously assessing potential risks; and (v) the organizations and individuals that develop and operate AI systems shall operate with full responsibility. In addition, such recommendations, among other aspects, focuses on the importance of implementing privacy measures (in consistency with the applicable legal framework) in the application of AI in the treatment of personal data.

Please note that, as mentioned in question 8 above, the Federal Civil Code (Código Civil Federal) recognizes the principle of “parties’ free will”, thus, the parties to any technology agreement may negotiate and include any provisions they deem convenient in order to limit or deal with AI risk.

As Mexican law has not developed significantly in this matter, as of June 2024, the legal industry has not yet identified specific market standard provisions that shall be included in technology or Software agreements in which AI is or may have been utilized. The Copyright Law has not been amended to identify the consequences of utilizing AI technology in the creation of Software and other protected works thereunder; however, the parties remain subject to the main “free will” principle which allows them to negotiate and stipulate provisions in any technology or Software agreements in connection with intellectual property rights, including but not limited to ownership thereof; provided, however, that any such provisions or stipulations shall not contravene the content of the Copyright Law and other applicable laws.

Use of Blockchain in Mexico continues to develop. There is still a lot of work to be done in terms of regulation. The main challenges for Blockchain in Mexico are the lack of regulation we do have on these matters. Recently, there has been an effort from the Mexican Congress and the authorities mentioned on the answer above to further regulate this matter.

The principal laws that govern Blockchain and digital assets are the (Circular 4/2019) later amended by Rule (Circular 37/2020), both issued by Banxico. Such Rules regulates the use of digital assets by the Financial Technology Institutions (Instituciones de Tecnología Financiera, “FinTechs”) and Credit Institutions (Instituciones de Crédito), with the previous authorization of Banxico, promoting the use of financial technologies and the provisions of services that use digital assets mitigating risks for users and clients.

Furthermore, the Federal Law for the Prevention and Identification of Operations with Resources from Illegal Sources (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, “LFPIORPI”), enacted to prevent money laundering and terrorism finance, provides that any institution that uses digital assets must submit itself to the regulation of this law, and KYC (know your costumer) procedures. The LFPIORPI consider the offer and exchange of digital assets is consider a vulnerable activity that facilitates money laundering and terrorism finance.

The FinTech Law, drafted by the Ministry of Finance (Secretaría de Hacienda y Crédito Público, “SHCP”), the CNBV, and BANXICO specially regulates the financial services provided by financial technology institutions such as Electronic Payment Fund Institutions (Instituciones de Fondos de Pagos Electrónicos, “IFPEs”) and Crowdfunding Institutions (Instituciones de Fondeo Colectivo or “IFC”). The goal is to provide services with digital assets without risk to users and clients.

Additionally, the Financial Information Standard C-22 Cryptocurrencys’ (Norma de Información Financiera C-22 Criptomonedas) issued by the Financial Information Council, outlines general guidelines for valuation, reporting, and disclosure of balance sheets of operations with digital assets.

A significant development occurred on April 6, 2022, when a bill was presented before the Mexican Senate (Senado de la República) to amend the Monetary Law (Ley Monetaria). The proposed amendment aims to recognize cryptocurrency as legal tender in Mexico.

The primary laws that govern search engines and marketplaces in Mexico are:  the Electronic Commerce Mexican Official Standard NMX-COE-001-SCFI-2018 (Norma Oficial Mexicana de Comercio Electrónico NMX-COE-001-SCFI-2018), which general purpose is to protect and guarantee the rights of the consumers that utilize marketplaces to buy their goods and/or services, protecting at the same time their personal data and their access to information rights; and the Consumer Protection Law, which general purpose is to protect the rights of the consumers of any goods and/or services, including a special chapter for those consumers of  marketplaces).

On general aspects, (i) the Telecommunication Law, which general purpose is to regulate the operation and utilization of telecommunications and broadcasting networks and services, (ii) the Code of Commerce, which general purpose is to regulate the commercial relationships between providers of goods and services with consumers, and (iii) the Data Held by Private Parties Law Protection Law which general purpose is to regulate data processing (retrieval, use, disclosure, storage, access, and transfer of data).

There is not a comprehensive legal framework that governs the social media in Mexico, however the primary laws in the social media legal framework are: (i) the Mexican Constitution, on article 6th establishes the right to access and correct personal data in public records, including social media; (ii) the Telecommunications Law, that has as objective to regulate, promote, and supervise the use, exploitation, and management of networks, encompassing relevant aspects of social media; and (iii) Data Held by Particulars Protection Law that imposes obligations on companies offering services through online platforms to ensure the consent of the information holder and preserve the privacy of personal data.

Additionally, specific to Mexico City, the Civil Liability for the Protection of the Right to Privacy, Honor and Self-Image Federal District Law (Ley de Responsabilidad Civil para la Protección del Derecho a la Vida Privada, el Honor y la Imagen en el Distrito Federal), which general purpose is to protect the right to privacy, honor, self-image of social media users.

In 2022, a bill for Protection of Digital Users Federal Law (Ley Federal de Protección al Usuario Digital) was proposed. This bill appears to have a general purpose focused on promoting and safeguarding the rights of digital users, digital services, and the intermediation of digital services. The specifics of this law, once enacted, will likely play a significant role in shaping the legal landscape for social media in Mexico.

Footnote(s):

² Source: http://sil.gobernacion.gob.mx/Archivos/Documentos/2021/02/asun_4135655_20210209_1612903477.pdf

Our top 3 predictions for significant developments in technology law in the next 3 years are:

(i) Electronic negotiable instruments. The issuance and transfer of electronic negotiable instruments. The use of electronic signature in Mexico has been permitted under Mexican law for several years. However, law firms and legal practitioners have shown their reluctance to admit the use of such type of signature in negotiable instruments (títulos de crédito) such as promissory notes given the formalistic and legal features traditionally granted to this type of instruments. The preference in the market to use and transfer such type of instruments using electronic signatures and systems (in particular since the COVID pandemic) has resulted in the Mexican Congress passing an amendment to the General Law of Negotiable Instruments (Ley General de Títulos y Operaciones de Crédito); such amendment entered into full force and effect in March, 2024. Such amendment expressly recognizes and allows the issuance and transfer of “electronic” promissory notes while still requiring the applicable electronic systems to meet certain requirements to guarantee the identity of the issuer or signatory thereof. We are likely to see additional changes to existing regulations and even the issuance of new regulation to fully implement this trend.

(ii) Artificial Intelligence. As detailed above, the Mexican Government has been working towards developing a national AI strategy to promote the responsible and ethical use of AI and the AI Bill has already been presented before the Mexican Congress. Given the accelerated development of this technology currently being experienced throughout the world, we expect the Mexican Government to actively continue such efforts which will likely become into effective laws and regulations.

(iii) Cybersecurity. In line with the developments being experienced in AI technologies and the increased use of digital platforms, individuals and companies may become subject to cyberattacks that could infringe their private data. This context has increasingly created the need for an effective legislation to protect the private rights of individuals and companies in Mexico and to prevent potential felonies that could be carried out through cybernetic means.  Even though the Data Held by Private Parties Protection Law and its regulations have been in full force and effect for several years now, it has not yet evolved to cybernetic security. We expect the Mexican Government to increase efforts to create a national strategy and likely enact legislation concerning cybersecurity in line with the current worldwide trend.

Nevertheless, Mexico is actively striving to make substantial improvement toward achieving net-zero emissions and enhance sustainability; there is a solid regulatory framework and is aiming for sustainability and self-sufficiency based on energy sovereignty, with plans to increase the productivity and efficiency of the current hydrocarbon-based energy system while progressively integrate clean and renewable energies.

Many Mexican or Mexican-based companies have pledged to become net-zero by 2050. This commitment involves the implementation of Rational Environmental Technologies (Tecnologías Ecológicamente Racionales, “TER”), adherence to Environmental, Social and Governance (“ESG”) and Sustainable Development Goals (”SDG”) criteria in almost every legal aspect – including technology contracts and use of technology.

Additionally, Mexico has a Climate Change General Law (Ley General de Cambio Climatico) which establishes a fund to allocate financial resources for initiatives combatting climate change. This includes supporting projects focused on energy efficiency and the development of renewable energy sources.

These concerted efforts suggest a growing awareness and commitment to sustainability and environmental protection in Mexico. As this awareness continues to evolve, there is a potential for a broader integration of such provisions into technology contracts, marking a positive step towards aligning business practices with environmental responsibility in the future.