La Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, o “Ley Antilavado”, fue muy sonada desde finales de la administración del Presidente Calderón, y de las primeras promulgadas en la del Presidente Peña. Como siempre ocurre con la vigencia de un nuevo ordenamiento, fue muy comentada en diversos foros desde la presentación de la iniciativa correspondiente, y este blog no fue la excepción (ver entradas de los días 17 de junio, 17 de julio,  16 de agosto, 30 de agosto, 11 de noviembre, del 2013 y el 19 de enero del 2014), pero acercándonos al segundo aniversario de su vigencia sus alcances y resultados son poco conocidos, y aparentemente limitados.

En parte es obvio que la reserva y confidencialidad con la que se debe conducir el trabajo de la prevención de operaciones con recursos de procedencia ilícita y financiamiento del terrorismo no abona a la difusión de buena parte de la materia. Por otra no obstante la relevancia del tema en el contexto de (in)seguridad que vive México, las autoridades han hecho poco para difundir lo avanzado en la aplicación de dicho ordenamiento, lo cual podría generar en el público la impresión de que no fue más que otro intento por sujetar al gobernado a mayores requerimientos de cumplimiento normativo de poca trascendencia, generando molestia por la consecuente carga regulatoria. El 1 de febrero de este año Reforma dio cuenta de comentarios de diversos galeristas de arte (actividad vulnerable sujeta a la Ley conforme a su artículo 17, fracción VII) sobre la dinámica que siguieron para mitigar el impacto regulatorio, y algunos han escrito en contra del mismo.

Para salir de dudas, no queda más que el acceso a la información pública, puesto que una vez concluido un procedimiento administrativo la información derivada del mismo adquiere tal carácter. Por ese medio ha sido posible saber que al menos en el caso de la fracción V del artículo 17 de la Ley (prestación habitual o profesional de servicios de construcción o desarrollo de bienes inmuebles o de intermediación en la transmisión de la propiedad o constitución de derechos sobre dichos bienes, en los que se involucren operaciones de compra o venta de los propios bienes por cuenta o a favor de clientes de quienes presten dichos servicios), en el período comprendido entre la entrada en vigor entre la entrada en vigor de la Ley y el mes de mayo del presente año fueron impuestas 10 sanciones, por un total de $322,992.00.

Será interesante sondear cómo ha evolucionado el comportamiento de las demás actividades vulnerables prevista en dicho ordenamiento, particularmente los instrumentos monetarios, metales y piedras preciosas o vehículos terrestres, marítimos y aéreos, así como su blindaje.

LeadersLeague - Copy

It is our distinct honour to have been ranked in the Innovation-Technology & Intellectual Property Directory of Leaders League as Highly Recommended (please refer to page 65) among Mexico’s best law firms in the data protection practice, alongside many esteemed friends and colleagues.

Leaders League Group is a media and business company based in Paris, France, that provides strategic information for international decision-making senior executive in order to connect them to the appropriate networks and contacts. Their directories are compiled based on a series of interviews to business leaders, executives, directors and practitioners. Such Directories and law firm rankings are particularly important in a market where there are significant asymmetries of information on who is actually competent and experienced in a given field of practice, and qualified to handle certain deals, even more so in a field of practice that is nascent in Mexico.

Gratitude and appreciation are due to Leaders League and all who contributed their good word on our work and made this milestone possible, which further commit us to further endeavour to excel in data protection and our other fields or practice.

google-legal-240px - Copy

As mentioned in the previous post herein, the IFAI v Google case is so complex that it could not be discussed in one single post, so I divided up my ideas thereupon in two parts. Mind you, these are posts on the case itself, not on the underlying rationale of the “right to be forgotten”, on which Google’s Advisory Council just released its report.

The most obvious questions to be made about this case, other than the possible or expected outcome, are: “Was IFAI trying to follow in the European Court’s footsteps?” And if it were: “Could it and should IFAI follow in the European Court’s footsteps?” The answer to the first question is, very obviously, “YES, it was”, and it seems to be making a point out of it, prominently featuring an icon on its website that links to the public version of the case file… much like other icons therein linking to other relevant current affairs of said DPA, such as the overhauling of the freedom of information law and the novel law on privacy and data protection relative to the State.

IfaiWebsite - Copy

Clicking on that conspicuosly-placed icon will lead you to the decision in the instant case, in which page 34 of 39 you’ll read this:

“As the right to data protection, is a human right and considering the pro personae principle in article 1 of the Political Constitution of the United Mexican States, this Plenary (Council) takes as a guiding criterion and reinforcing the foregoing, the ruling of the Court of Justice of the European Union in case C-131/12, corresponding to the proceeding against Google Spain, S.L. and Google Inc., where the relevant part states:

(80) It must be pointed out at the outset that, as has been found in paragraphs 36 to 38 of the present judgment, processing of personal data, such as that at issue in the main proceedings, carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him.


Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).


Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.


(Emphasis added)”

Having established that IFAI seems determined to follow the “Costeja Case”, answers the second question “could it and should it?” may vary, but I would opine: “No”, for the following reasons:

  • Not all DPAs and/or Courts the world over are following the ruling in the “Costeja Case” to the letter.

In the Costeja Case observations were submitted to the ECJ by the European Commission and the governments of Asutria, Greece, Italy, Spain and Poland; while they sided with Mr. Costeja and Spain on some issues, they did not do so across the board nor unanimously. Even national courts in Europe have not found that the Costeja Case should be followed blindly; whereas a French court sided with a Mr. Shefet on a like case where he sought to have search results on defamatory materials accusing him online of professional malpractice, fraud and even connections to the Serbian mafia removed from Google’s global search results, not just France’s, a court in Amsterdam sided with Google against a request by the owner of an escort agency in 2012 for ‘attempted incitement of contract killing’, who wanted to have links removed to online publications linking him to the crime.

In Latin America, both courts of appeals and the Supreme Court of Argentina have ruled in favor of Google and Yahoo! on cases akin to the Costeja Case, where models Virginia da Cunha and María Belén Rodríguez sought to have URLs linking to sites which associated their images to pornographic content removed, as well as damages, much in the way the Fonovisa v Cherry Auction case serves as a defense against secondary liability for online copyright infringement in certain cases. No matter how much European influence there may be in our countries’ data protection framework, the Latin American regimen and context are much different from Europe’s.

On the whole, my thoughts on why IFAI ran amiss in finding against Google in the instant case can be summed up as follows:

  • The decision is an open and abrupt departure from IFAI’s decision in a like case against the same company.

There is a principle called “Stare Decisis“, which in Mexico we call “analogy”, whereby all things remaining equal (meaning no fundamental changes in the law or regulations, for example) like cases should be decided in like ways. That is what gives us precedent, which in turn gives us guidance and certainty.

As indicated in my previous post, IFAI found no liability on the part of Google Mexico in a previous case decided in the same year (2014) also involving search results from Google, so much so that the third finding for that case stated that:

“[f]rom the information in the file being acted upon it is found that as regards the services relative to the search engine and email that in their time gave rise to the opening of the file that is acted upon, as well as the statements of the Complainant in his writ of February 6, 2014, these are provided by Google, Inc., a corporation domiciled in the United States of America, over which this Institute lacks jurisdiction by territory, as it escapes the content of the LFPDPPP, as provided for in its article 1 and is not within the provisions of article 4 of its Regulations…”

The reason I find this concerning is that in a practice as privacy and data protection, which is in its infancy in Mexico, us practitioners need clear guidance from the DPA in order to be able to advise our clients, but even more so our clients need certainty so that they can know what their businesses should expect from the DPA. Absent either or both, we are all simply at a loss and exposed to the whims of the DPA, or any other relevant authority for that matter.

As noted above, the Argentinean courts have followed precedent, whereas IFAI did not.

  • The ARCO request and Rights’ Protection Claim from which the case stems should have been dismissed.

Numeral 1) in the data subject’s complaint to IFAI, which can be read in the very first page of the decision, states that:

1) In the referred URL contain my name, that of my (late) father and of my brothers, as well as clipped and out-of-context information of my activities as a businessman and merchant, which not only affects my most intimate sphere…”

Key words there: businessman and merchant. The Regulations to the Law provide for an exception to the application of its provisions (mind you, not the Law’s provisions) relative to the information of a data subject regarding their capacities as merchants and professionals, and as per the data subject’s own claim the former would be the case as concerns him. While this exception has an issue of legality and if applied it could be successfully challenged in court, as the exception should have been provided for in the law and not in the Regulations thereto, fact is IFAI should have applied it, but didn’t.

  • The decision unduly pierces the corporate veil.

Under Mexican law there are very few and limited instances where the corporate veil can be pierced: labor, tax, anti-trust and some instances in financial laws and regulations that provide for effective control as a criteria for their application to a transaction or operation. So unless expressly provided for, a Mexican authority, whether administrative or judiciary, may not pierce a corporate veil.

However, IFAI did when it decided, on merely formalistic grounds, that Google Mexico was the data controller for the information that the data subject complained about, such formalistic grounds being that:

  1. The purveyance of search engine services was provided for under the corporate purpose in its bylaws, which it had disregarded in the preceding case on the results from
  2. Screenshots of the website, where the name of our country can be seen below the search box, there’s a reference to the location of their Mexico City office, and so and so forth. However simply slapping a thumbnail of our country’s flag on a website cannot be held as sufficient grounds for a Mexican authority to exercise its jurisdiction on a foreign corporation, even less for it to find a Mexican corporation liable for the actions of a foreign corporation. If IFAI had conducted a WhoIs search of the records of (the Registry/Registrar of the .MX ccTLD) for the domain name, it would have found that the Registrant thereof, and therefore the party that could perhaps and eventually be found to be liable for the information therein is Google, Inc., well away from IFAI’s jurisdiction in Montainview, CA:

WhoIsGoogleMX - Copy

The domain name in question is even directed to Google’s servers in the USA. As Google responded to IFAI in the instant case, it has no servers in Mexico.

If wording in bylaws and/or contracts is going to be found to be grounds for liability in privacy and data protection, things can get very complicated, very quickly, for any number of potential data controllers in this country.

  • There is no evidence in this case that the data subject took previous action relative to the allegedly infringing information.

Although, as IFAI quoted in its decision, the European Court ruled that:

“…the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

…from the Costeja, the Dan Shefet and even the case in the Netherlands cases one can find that the complainants/plaintiffs took action prior to bringing their cases. Mario Costeja himself, for example, had settled his debt with the Spanish social security, which rendered the publication indexed by Google incorrect, irrelevant and outdated. That doesn’t appear to have happened in this case, as the data subject offers no evidence of having acted against the source of the information he complained against.

Incidentally, it seems that exercising the “right to be forgotten” may turn out to be an exercises in futility. Whereas Mario Costeja sought to have that debt stricken from his online record, he and that are constantly referred in scholarly discussions and publications on privacy and data protection the world over. In the instant case, other commentators and journalist Sergio Sarmiento published information that reveals the identity of the data subject.

  • As a matter of policy, in a struggling democracy as Mexico’s, it’s just not a good idea to enforce the right of cancellation/be forgotten to the detriment of freedom of speech, of the press and access to information.

Naturally, the “right to be forgotten” can cut against freedom of speech, of the press, access to information and what not. That is why the European Court concluded in its ruling that:

“…those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.

In the instant case the allegedly infringing information appears to deal with the data subjects alleged involvement in some case regarding the management of a transport company in Mexico, donations made thereby to a charity ran by a formers President’s First Lady, references to the bank bailout of the ’90s, and so on and so forth, which could be regarded as being of interest to the general public, whereas other information would not, even if it concerned the same data subject.

In a country such as Mexico, where current affairs are, perhaps not always better, but more actively discussed through and thanks to social networks and online media, authorities should be very wary of where and how they draw the line on what is of interest to the general public, and should therefore remain available, and what is and should not.

It will ultimately fall upon the administrative and judiciary courts to decide who is right after all, whether IFAI or Google, and to provide us with a profoundly interesting and rich precedent. Said courts will undoubtedly apply a deeper analysis and criteria, which IFAI was probably not in a position to apply, as it is after all the DPA that applies a protectionist legal framework that is heavily weighed in favor of data subjects. However, in principle my money is on Google, for the reasons outlined above and many others that Google has probably already thought about.

The case has sparked a heated debate in the privacy/data protection community in Mexico; Mr. Andrés Calero, former General Director of Verification in IFAI and myself  (@1’32”) were interviewed by CNN Mexico to opine on it:

google-law-gavel - Copy

Timing is of the essence, and the release of the communiqué by IFAI, Mexico’s data protection authority, announcing its decision to fine Google Mexico for failing to comply with an individual’s objection to the processing of his data and IFAI subsequent order thereto, is no exception. It was released exactly one week ago, right on the eve of international data privacy day, and therefore remarked upon almost every single one of the participants in the conferences organized for that date. It was also very timely released less than 20 days after the political analysis magazine “Proceso” questioned IFAI’s unwillingness to act against Google, on grounds that it was near and dear to the current administration’s digital agenda, seemingly implying that afforded the search giant some measure of immunity.

However now IFAI ranks up there with countries such as the United States, Germany, the Netherlands and Spain, which have in one way or another acted against Google for transgressions to their privacy frameworks; however it is not the first time that Google has come before IFAI’s crosshairs, and also while many privacy commentators and scholars opine that this case bears a strong resemblance to the “Costeja Case” of the Spanish Privacy Agency and European Court of Justice regarding the “right to be forgotten”, there are important nuances to it.

Key ideas following here folks: as of June 2002 there is a “FOIA-equivalent” Transparency Law in force in Mexico, which includes provisions on privacy regarding personal information in the power of agencies and instrumentalities of the Federal government. In 2009 the Mexican Constitution was amended for the right to data protection to be included among the human rights protected by it, and afford Federal Congress the power to pass laws thereupon. About a year thereafter Mexico’s federal privacy law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares or LFPDPPP) was enacted. The amendment to the Constitution and both Federal statutes follow the model set by the European Union’s Privacy Directive, providing for 4 fundamental appurtenances of individuals as concerns the processing of their personal information:

  1. Access thereto;
  2. Rectification thereof;
  3. Cancellation thereof, and
  4. Opposition (to the processing thereof).

Having outlined the above, this is not the first time Google and IFAI have met face to face. In March 2011 IFAI ruled on case 4198/09, concerning the petition of an individual to the Federal Labor Board (the administrative court that hears labor cases in Mexico) for its online-searchable daily bulletin of cases to be heard on a given date to not include his name, so as to prevent him from being rejected by future employers on grounds of having sued a former employer.The petitioner had to sue in Federal court in order for his request to be honored by said Board and IFAI itself, following which the latter found on review that the measures proposed by the Board had been appropiate and in compliance with the rulin in the case wherein the Board proposed to:

  • Modify the format o the files used to publish the Bulletin on the Board’s website, so that search engines cannot find and index the individual’s name with regards to the labor case concerned, and
  • Directly request Google to delete from its indexes the information concerning the individual’s name with regards to the labor case concerned.

The record shows that the Board did reach out to Google therefor; however it remains unknown whether or not Google complied with the Boards request.

Then on March 2014, IFAI ruled on a verification proceeding initiated relative to Google for its caché of a website under the domain, which belongs to Nexus World LLP in the UK, for which a person complained about on grounds that the original source for the infringing information had removed it, but Google had not.

Google Mexico was served with a request for information to which it replied in terms that are relevant for the sanctions case at hand, so bear this in mid: it responded that as per its current bylaws its corporate purpose includes (bylaws in Mexico have these ridiculously long listings of things the corporation may do in pursuing its corporate purpose)…

1. Commercializing and selling online advertising and products and services for direct commercialization, in Mexico or abroad, on its own behalf or the behalf of third parties, as well as to provide all kinds of services through electronic means, including but not limited to, search engine, instant messaging, email, storage, reproduction and broadcast and retransmission of of data, and similar, annex and related services.

However another key concept is also quoted on that reply from Google Mexico to IFAI:

Notwithstanding the breadth of its corporate purpose, the activities that my principal in fact performs in Mexico center on those described in numeral 7 of article Third in its bylaws, particularly in the purveyance of administrative, financial, advisory and consulting services for corporations.

7. Receiving from other persons, individuals or corporations, as well as providing said individual or corporations whichever services necessary to comply with their corporate purposes, including but not limited to, administrative, financial, technical assistance, advisory and consulting services.

And then it underscored:

My principal does not provide the search engine service, as said service is provided by Google, Inc., an American corporation that owns the corresponding technological platform, with domicile at 1600 Amphitheatre Parkway, Mountain View…which operates and provides, amongst others, the search engine service for its users using its own servers and equipment. Therefore my principal does not gather nor process personal information of the users of the services provided by Google Inc.

Consequently,…Google Mexico, s de R.L. de C.V., is not the corporation that owns nor is responsible for the operation of the search engine service, as said services is offered and managed by Google, Inc. …Google, Inc., and Google Mexico, S. de R.L. de C.V., are different corporations, besides Google Mexico, S. de R.L. de C.V. is not a liaison office, branch or representative office of Google, Inc.

It further underscored that “Google Mexico only processes personal information of its employees and the databases that include physical files that contain them are the only elements that are protected pursuant to the LFPDPPP, and that exist in its facilities, and so it has been attested by the Verifiers…”

What follows is material for the instant case; in the Third finding (“Considerando Tercero”) to IFAI’s resolution in the verification proceeding said data protection authority stated that “[f]rom the information in the file being acted upon it is found that as regards the services relative to the search engine and email that in their time gave rise to the opening of the file that is acted upon, as well as the statements of the Complainant in his writ of February 6, 2014, these are provided by Google, Inc., a corporation domiciled in the United States of America, over which this Institute lacks jurisdiction by territory, as it escapes the content of the LFPDPPP, as provided for in its article 1 and is not within the provisions of article 4 of its Regulations…”

Based on the foregoing, IFAI found that there had been no violations of Google to the LFPDPPP, and resolved to have the file archived without further consequence thereto.

Bearing the above in mind, now consider that the instant case was initiated by a complaint dated July 22, 2014, wherein an individual referred having exercised his rights to the cancellation of his data and opposition to the processing thereof before Google with regards to 3 URLs found through its search engine, but having had no reply thereto, whatsoever, from Google Mexico, which is in and of itself a violation of the LFPDPPP. He claims that the information which deletion he requested included his name, his brothers’ (however the record does not refer that the complainant had authority and standing to represent his siblings) and his late father’s (also no reference to standing as executor of the gentleman’s estate), as well as “…clipped and out-of-context information on my activities as a businessman and merchant, which not only affects my most intimate sphere (honor and private life), but also current commercial and financial relationships…said information entails a grave risk to my personal security and physical integrity, as it is information linked to financial, patrimonial and judicial aspects…said information was uploaded and published to the “Google” search engine without my consent”.

The above assertions by the complainant are interesting, insofar as Roman numeral II in article 5 in the Regulations to the LFPDPPP exempt information concerning individuals in their capacity as merchants from its provisions; while that poses legality issues that could lend themselves to successful challenges thereto in court, fact is that IFAI is bound by said Regulations and should therefore not have considered that information as protected under them and the LFPDPP. However it decided to move forward with the case, as per the complainant’s assertions Google failed to respond to his petition, which under the LFPDPP provides for a cause of action before said Institute under a “Rights Protection Proceeding”, whereby IFAI may find for fault on the part of the Data Controller and order for the request to be complied with, but also mediate between the parties involved.

The bold assertions by the claimant’s counsel include statements that “Google (Mexico) possesses, controls, processes, authorizes, facilitates, shares, provides, makes possible, distributes, aids and abets the undue processing of sensitive personal data of our client, by allowing for information that does not comply with the requirements of the law, and much less with the principles… that govern the processing of personal information, to be uploaded, published and displayed through its “Google” search engine…”.

Anecdotally, it seems that an inappropriately redacted public version of the file was released at some point and has been blogged and reposted by a number of commentators (just as in the Liverpool department store breach case, this blog deals in legal scholarship and not news, so it refrains from further facilitating access to information that was or is not meant to be made public by its originators and thus no hyperlinks to the leaked copy of the file are included), wherein enough information of the search results was visible to allow readers to trace the allegedly infringing URLs the complainant complained about and realize that it had to do with a transport company and allegations that it was one of many favored by the bank bailout of the mid-90s (re: “Fobaproa”). In this sense the case may have the same ironic, undesirable and unexpected collateral effect as the Costeja Case: instead of achieving oblivion, the complainant’s identity and data involved in the case will become pervasive in future discussions and comments on the case. Perhaps there are instances where a good SEO strategy yields better results than the law?

IFAI’s requests for information regarding the instant case, regarding it relationship to Google International, LLC, and Google, Inc., as well as the search engine services it provides, whether it has servers of its own, how its services are, or are not, linked to the aforesaid partners, etc., were responded much in the same way as those in the verification case previously discussed, with Google Mexico reiterating that it does not operate or provide in any way services on behalf of Google Inc., does not have servers of its own and doesn’t provide, in any way, search engine services, which are provided by Google Inc.

However IFAI departed from its criteria set in the previous case, and the Second finding in the ruling for this one established as the cornerstone for the decision to sanction Google Mexico exactly what the Third finding established as the cornerstone to absolve it: regardless that Google Mexico has no servers of its own and does not actually provide the search engine service in and of its own, as there is a provision in its bylaws whereby its corporate purpose includes the purveyance of such services it therefore does provide them and is consequently bound by the LFPDPPP with regards to them. To support this statement IFAI’s verification officers certified screenshots of searches of the complainant’s name made through, as well as of Google’s pages dealing with its Terms and Conditions, “About”, “Locations”, etc., on which grounds said Institute found that Google Mexico did provide search engine services that amount to processing of personal data, and is therefore bound by the LFPDPPP, under obligation to comply with the claimant’s petition and subject to that proceeding.

In this point one might wonder if the whole thing could have been prevented if Google Mexico had replied to the claimant’s petition; the answer, for short, is “NO”: under the LFPDPPP an individual has cause for action in a Rights Protection Proceeding not only if the Data Controller does not respond to his petition, but also if he’s in disagreement with the response. However, even if Google Mexico weren’t the Data Controller, it should have responded to the claimant, as articles 95 and 98 of the Regulations to the LFPDPPP state that all petitions by individuals must be responded by Data Controllers, whether or not they possess personal data of the petitioning individuals. IFAI further found that Google Mexico was in fact the Controller of the Data processed as concerns the instant case, and that it failed to invoke any of the exceptions in the law to the obligation to respond to an individual’s petition, or a legal impediment thereto.

It consequently ordered Google Mexico to perform the actions necessary to implement the complainants rights to have his personal data cancelled from its search results and to oppose such processing thereof, within the 10 business days following notice of the ruling, by abstaining from processing said data in such a way that after typing the complainant’s name the URLs quoted in the initial complaint no longer show up, and by having said details cancelled from its databases…although there is record from another case that Google Mexico has no such databases.

Google Mexico could not possibly (technically nor materially) comply with the foregoing; but  in addition to the above, IFAI found that Google Mexico did not comply with the complainants initial petition and carried on with the illegitimate processing of his personal data, so that there were grounds to initiate a sanctioning proceeding against Google Mexico, which the latter would appear may have ample chances of successfully challenging if it came to a fine being assessed against it.

As other privacy practitioners and commentators have remarked and underscored, this case bears an inextricable nexus with the aforementioned Costeja Case, so much so that IFAI itself quoted the ruling thereupon by the European Court of Justice (page 34 of the file). However, as the usual length for a blog entry has been exceeded by far herein, comments on that particular issue will be made tomorrow, in the next entry hereto.

Liverpool-567x425-567x400 - CopyEn un año que ha destacado por las vulneracoines a la seguridad de los sistemas de grandes cadenas comerciales en los EE.UU.A., tales como Target, Home Depot, Staples, JP Morgan Chase, y empresas como Apple (Re. “#CelebGate“), Snapchat (Re: “#Snappening“) y Sony Pictures, una pregunta en la mente de varios de quienes ejercemos en materia de protección de datos personales había sido ¿cómo es que en México no se dan casos así? Las respuestas podrían ser varias. Tal vez a pesar de ser un mercado creciente, muy aspiracional y orientado al lujo, los Responsables (del Tratamiento de Datos Personales) en nuestro país no eran un blanco atractivo para ataques como aquellos. ¿O sus sistemas son tan robustos?

Como para probar que la cuestión no es si una empresa será víctima de un ataque, sino cuándo lo será, en víspera de Nochebuena (a las 13.29 del 24 de diciembre, para ser exactos) la Bolsa Mexicana de Valores difundió a través de su página Web el comunicado de evento relevante que El Puerto de Liverpool, S.A.B., presentó en cumplimiento a sus obligaciones como emisora de valores para dar a conocer que fue “…víctima de un intento de extorsión…” que busca dañar su reputación; el ataque habría consistido en una intrusión en correos de su personal, y habrían también logrado obtener información de algunos clientes, según se indica en la misiva, que también señala que estos hechos delictivos fueron denunciados ante las autoridades correspondientes, estimando que el riesgo derivado de dicha intrusión es bajo, no obstante lo cual están tomando medidas adicionales para reforzar la protección de la información de sus clientes y fortalecer sus sistemas, prácticas y procedimientos, por ser la seguridad de la información que le confían sus clientes es una prioridad, procurando salvaguardar los datos personales y cumplir cabalmente con las leyes de protección de datos.

Dado que el evento fue difundido justo cuando casi todo México se ocupaba más de los preparativos para la cena navideña, los medios dieron cuenta del mismo con sólo la información extraída de dicho comunicado; hoy la sección de Negocios de Reforma informa al respecto con algunos comentarios del suscrito.

La vulneración a JP Morgan, que afectó a 76 millones de cuentahabientes, fue dada a conocer precisamente así, por un “filing” que dicho banco tuvo que hacer ante la Securities and Exchange Commission en EE.UU.A. En tal sentido es preciso destacar la responsabilidad con la que Liverpool ha actuado al notificar del hecho al mercado bursátil (coloca valores en los mercados de capital y deuda), en vez pretender “ocultarlo bajo el tapete” muy disimuladamente. Sin duda el manejo que Liverpool haga del caso sentará un precedente importante en la práctica de protección de datos personales y seguridad informática, por lo cual motivará la atención de todo el medio.

Con tan solo 4 renglones los términos del comunicado a la BMV llevan a pensar en varias cosas:

  1. “Los criminales lograron una intrusión en correos de nuestro personal y también obtuvieron información de algunos clientes.” Esto hace pensar en un ataque por “phishing” o “spear-phishing“; de ser el caso será importante que Liverpool revise la Política de Privacidad con la que está obligada a contar, de acuerdo con el artículo 48 del Reglamento de la Ley, y refuerce la capacitación a su personal para evitar que vuelvan a ser víctimas de este tipo de ataques de ingeniería social. Tal mención no descartaría otro tipo de ataques, como uno de “brute force“.
  2. “Liverpool lamenta informar que ha sido víctima de un intento de extorsión que busca dañar nuestra reputación”. Probablemente ésta sea la oración del comunicado que más hace pensar. Los casos en los que además del ataque mismo se lleva a cabo otra conducta delictiva como la extorsión son comunes. Hace tiempo se sabe de casos en los cuales los atacantes bloquean el acceso al equipo o sistema atacado y exigen un pago a cambio de reestablecerlo o no suprimir definitivamente la información del mismo. En el caso del ataque a Sony, hubieron reportes sobre mensajes de extorsión que ejecutivos de la empresa habrían recibido previo al ataque mismo. Sería interesante saber si la referencia al daño de la reputación de Liverpool se debe al solo hecho de haber sido víctima del ataque o a amenazas concretas sobre la información que los atacantes pudieran haber obtenido y del uso que le pretendan dar los atacantes.
  3. “La empresa ya denunció estos hechos delictivos ante las autoridades correspondientes”. Un ataque como el reportado por Liverpool podría configurar el ilícito previsto en el Capítulo II, Título IX, Libro Segundo del Código Penal Federal: “Acceso Ilícito a Sistemas y Equipos de Informática”. En términos generales sus artículos 211 bis 1 al 5 disponen penas privativas de la libertad que van de los 6 meses hasta los 8 años y diversas multas, penas y multas cuya magnitud varía dependiendo de si los sistemas atacados son o no del Estado, correspondientes a seguridad pública o de instituciones financieras, a quien(es):
  • …sin autorización modifique, destruya o provoque pérdida de información contenida en sistemas o equipos de informática protegidos por algún mecanismo de seguridad, y
  • …sin autorización conozca o copie información contenida en sistemas o equipos de informática protegidos por algún mecanismo de seguridad, se le impondrán de tres meses a un año de prisión y de cincuenta a ciento cincuenta días multa.

La estadística de la Procuraduría General de la República por tales delitos entre el 1 de septiembre del 2013 y el 30 de septiembre del presente año arroja que de 66 indagatorias iniciadas sólo 1 fue consignada ante la autoridad judicial, en tanto que 21 fueron enviadas a la reserva, en 6 se resolvió el “no-ejercicio” de la acción penal, y tiene en trámite 70, incluyendo otras iniciadas en años anteriores al periodo consultado.

Estadística PGR Acceso Ilícito2 - CopySerá muy interesante ver el empeño con el que Liverpool impulsa el perfeccionamiento de sus indagatorias y la eficacia con la que la representación social federal logra integrarlas para llevar ante la justicia a los responsables. En cualquier caso es un hecho que Liverpool deberá realizar ajustes en su Sistema de Gestión de Datos Personales y medidas de seguridad, pues el artículo 60 del Reglamento prevé entre los elementos para determinarlas a las vulnerabilidades previas ocurridas en los sistemas de tratamiento, además de que de acuerdo con la fracción III de su artículo 62 en tanto Responsable del Tratamiento de Datos Personales Liverpool deberá actualizar la relación de sus medidas de seguridad, cuando ocurran, entre otros eventos, la vulneración de sus sistemas de Tratamiento.

El citado Reglamento también ordena, en su artículo 66, que cuando ocurra una vulneración a los Datos Personales, como fue el caso, el Responsable deberá analizar las causas por las cuales se presentó e implementar las acciones correctivas, preventivas y de mejora para adecuar las medidas de seguridad correspondientes, a efecto de evitar que la vulneración se repita, lo cual es algo en lo que Liverpool manifiesta ya estar trabajando, o haber trabajado.

ReformaNeg20141612 - Copy

greetingcard - CopyComo siempre el fin del año motiva a reflexionar sobre el camino andado durante los días, semanas y meses que han transcurrido; lecciones aprendidas; éxitos alcanzados y objetivos planteados. 2013 fue el año que nos vio empezar, pero en si 2014 fue el año de arranque. Ahora miramos a 2015 como un año que será de crecimiento y consolidación.

Parte de esas reflexiones exigen ser agradecido con todos quienes han colaborado con nosotros, pero especialmente con nuestros amigos, colegas y clientes, quienes han depositado su confianza en nosotros para la debida atención de sus asuntos en un mercado cada vez más competitivo, en un nicho tan cerrado como el de regulación financiera y tan especializado como el de protección de datos personales.

A tod@s les deseamos lo mejor, hoy y siempre, personal y profesionalmente, y les estamos agradecidos por su confianza en nuestro trabajo y/o por su interés en el material publicado en este blog.

As always the end of the year call for reflection upon the road traveled over the days, weeks and months that have lapsed; lessons learned; success attained and objective put forth. 2013 was the year that saw us launch, but 2014 was really the year of starting up. Now we look to 2015 as a year of growth and consolidation.

Part of such reflections demand gratefulness with all who have collaborated with us, but specially to our friends, colleagues and clients, who have deposited their trust in us for the due care of their cases in an ever more competitive market, in a niche so closed as financial regulation and as specialized as privacy.

We wish you all the best, today and always, personally and professionally, and appreciate your trust in our work and/or interest in the materials published in this blog.


ofis - CopyEn los 18 meses de haber escrito por este medio 96 entradas sobre mis áreas de práctica han habido 4 entradas (derechos ARCO, multa a SOFOM Banamex, multa a TELCEL y reglas de CONDUSEF para despachos de cobranza) relativas tanto a los aspectos de regulación financiera como de protección de datos en la actividad de cobranza extrajudicial. El tema es complejo no sólo por aspectos jurídicos que fueron considerados en la “miscelánea de garantías” del 2003 como en la “reforma financiera” de este año, sino probablemente también por la ideosincrasia y experiencia nacionales en materia de recuperación de adeudos, de la que son parte las lamentablemente consabidas prácticas de los despachos de cobranza contratados por instituciones financieras y “gestoras de activos” que adquieren a descuento su cartera vencida.

El tema cobra relevancia de nuevo por la presentación de la Guía para orientar el debido tratamiento de datos personales en la actividad de cobranza extrajudicial del IFAI y CONDUSEF, elaborada por el primero con la opinión técnica de la segunda y concebida como “…una herramienta que permite a las entidades financieras y despachos de cobranza cumplir con los principios y deberes de la LeyFederal de Protección de Datos Personales en Posesión de los Particulares”, que “…representará un importante referente para orientar el debido tratamiento de los datos personales en laactividad de cobranza extrajudicial, sin invadir la privacidad de las personas ni violar las disposiciones en materia de datos personales vigentes en el país.”

Sin duda el documento contribuirá en gran medida al mejor entendimiento de la práctica en materia de protección de datos personales dentro del marco de la cobranza extrajudicial, facilitando discenir los casos en que un despacho trata los datos personales de los deudores de aquéllas entidades financieras que contratan sus servicios como Engargado y, por lo tanto, mediante la remisión de los mismos, de aquellos en los que dicho tratamiento deriva de la transferencia de tales datos y, por lo tanto, el despacho de cobranza o gestora de activos que hubiera adquirido la cartera de que se trate es, en si y por si, un ulterior Responsable de dichos datos (vid. pág. 37).

Para ello son particularmente importantes las siguientes indicaciones:

  • Es importante tener en cuenta que la comunicación de datos personales a Despachos de Cobranza, cuando éstos no sean dueños de la cartera, sino que presten el servicio de cobranza a nombre y por cuenta de la Entidad que otorgó el crédito, préstamo o financiamiento, no se considera transferencia, sino remisión, por lo que no existe obligación de informarla en el aviso de privacidad, ni de obtener elconsentimiento del Titular para que ésta ocurra.
  • En cambio, cuando hay una comunicación de datos personales entre la Entidad y un Despacho de Cobranza, con motivo de una venta de cartera a este último, dicha comunicación se considera una transferencia, por lo que es necesario informarla en el aviso de privacidad y cumplir con las obligacionesprevistas en esta sección (pág. 37).
  • En materia de Cobranza Extrajudicial, el tema del Encargado del tratamiento tiene especial relevancia, ya que la figura se utiliza de manera recurrente entre los acreedores y los Despachos de Cobranza, cuando éstos últimos NO son dueños de la cartera de crédito, préstamo o  financiamiento, y actúan a nombre y cuenta de la Entidad responsable de los datos personales (pág 40).

Sin embargo la Guía es sólo y precisamente eso: un documento que orienta, pero no obliga en forma alguna a las Entidades Financieras ni a sus despachos de cobranza, por lo que dista de ser una instancia de regulación por parte de la CONDUSEF armonizada con la normatividad del IFAI y la Secretaría de Economía en materia de protección de datos personales, como prevé el artículo 40 de la Ley Federal de Protección de Datos Personales, y fue presentada más de 2 meses después de la expedición de las Disposiciones de carácter general aplicables a las entidades financieras en materia de Despachos de Cobranza de dicha Comisión, que lacónicamente refieren en el último párrafo de su Disposición Sexta, que se deberá observar lo dispuesto en la Ley Federal de Protección de Datos Personales en Posesión de los Particulares y, en su caso la Ley Federal de Transparencia y Acceso a la Información Pública Gubernamentalen al convenir la cesión o venta de cartera. Lo deseable hubiera sido que ambas autoridades hubieran realizado este esfuerzo de coordinación antes de que la CONDUSEF expidiera las citadas Reglas, a fin de que dicho instrumento normativo contuviera disposiciones vinculantes para la debida protección de los datos personales de los deudores de las Entidades Financieras. Sin embargo, y sin duda, es un avance hacia la armonización normativa de la regulación general en materia de protección de datos personales con la de las múltiples materias que se relacionan con ella.

Precisamente en materia de cobranza extrajudicial, tan sólo 6 días antes de la presentación de la citada Guía el Pleno del IFAI votó la sanción impuesta a Corporativo Especializado en Recuperación de Cartera, justo por un caso derivado de ello, que asciende a un total de $2’169,460.00, por las siguientes infracciones:

  1. Contravenir los Principios de Licitud y Lealtad: $259,040.00
  2. Incumplir el deber de confidencialidad: $777,120.00
  3. Cambiar sustancialmente la finalidad del tratamiento de los datos: $679,980.00
  4. Tratamiento de datos financieros y patrimoniales: $453,320.00

Lo anterior atendiendo tanto a la intencionalidad de las conductas infractoras, como a la capacidad económica de la Integra Capital, determinada con base en sus estados financieros al 31 de diciembre y 31 de julio de 2014, que arrojaban un capital de $29’078,700.00.

El asunto se originó con la contratación de un crédito “Autoestrena Banorte” en el año de 2011 por quien parece ser (o haber sido) empleado del gobierno del Estado de Nuevo León y habría incurrido en atraso en sus pagos, lo cual motivó que empezara a recibir correos electrónicos de Integra Capital, con copia para sus compañeros de trabajo, por lo cual el Titular denunciante adujo la indebida transferencia de sus datos personales por parte de Banorte a la empresa referida, en tanto que el IFAI planteó:

  • La vulneración a su expectativa razonable de privacidad;
  • El incumplimiento al deber de confidencialidad por la divulgación del nombre, número de crédito y saldo del adeudo del Titular, violando con ello su privacidad y derecho a la autodeterminación informativa;
  • Varió sustancialmente la finalidad del tratamiento de los datos arriba mencionados, y
  • Divulgó tales datos a terceros sin consentimiento del referido Titular.

Tema importante en el caso: precisamente de acuerdo con el expediente y según la Guía, Integra Capital es un Encargado de Banorte, pero a diferencia del caso de Banamex y Revoware, el Banco Responsable no fue sancionado por los hechos y omisiones de su Encargado. ¿En qué radica la distinción que le evitó a Banorte ser multado en esta ocasión? La respuesta está en el párrafo tercero del Considerando Sexto, en donde de expone que Integra Capital adquirió el carácter de Responsable en si y por si al variar sustancialmente las finalidades de tratamiento de los datos personales que Banorte le habría remitido. Sin embargo, salvo por la cláusula de confidencialidad, en el expediente de sanción se omite analizar el texto del contrato de prestación de servicios suscrito entre Banorte en Integra Capital, de manera que no resulta del mismo un criterio sobre el cumplimiento con u omisión respecto de los requisitos que disponen los artículos 50 y 51 del Reglamento de la Ley tratándose de la relación entre el Responsable y el Encargado del tratamiento de los datos personales que interesan.




Compliance Report

Compliance and Ethics


Startup and Technology News

Xavier Ribas

Derecho de las TIC Corporate Compliance is the best place for your personal blog or business site.

Take To Task

Analyzing the Nonsense

Business & Money

The latest news and commentary on the economy, the markets, and business


Canal de difusión con los medios.

Martha Salamanca Docente

Blog de TICs, Redes Sociales y Multimedia Educativo

Devil's Advocate Crib

Just another site

Investigating Internet Crimes

An Introduction to Solving Crimes in Cyberspace


Recibe cada nueva publicación en tu buzón de correo electrónico.

Únete a otros 432 seguidores