
As mentioned in the previous post herein, the IFAI v Google case is so complex that it could not be discussed in one single post, so I divided up my ideas thereupon in two parts. Mind you, these are posts on the case itself, not on the underlying rationale of the “right to be forgotten”, on which Google’s Advisory Council just released its report.

The most obvious questions to be asked about this case, other than the possible or expected outcome, are: “Was IFAI trying to follow in the European Court’s footsteps?” And if it was: “Could and should IFAI follow in the European Court’s footsteps?” The answer to the first question is, very obviously, “YES, it was”, and it seems to be making a point of it, prominently featuring an icon on its website that links to the public version of the case file… much like other icons therein linking to other relevant current affairs of said DPA, such as the overhauling of the freedom of information law and the novel law on privacy and data protection relative to the State.

[Image: IfaiWebsite]

Clicking on that conspicuously placed icon will lead you to the decision in the instant case, on page 34 of 39 of which you’ll read this:

“As the right to data protection, is a human right and considering the pro personae principle in article 1 of the Political Constitution of the United Mexican States, this Plenary (Council) takes as a guiding criterion and reinforcing the foregoing, the ruling of the Court of Justice of the European Union in case C-131/12, corresponding to the proceeding against Google Spain, S.L. and Google Inc., where the relevant part states:

(80) It must be pointed out at the outset that, as has been found in paragraphs 36 to 38 of the present judgment, processing of personal data, such as that at issue in the main proceedings, carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him.


Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).


Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.


(Emphasis added)”

Having established that IFAI seems determined to follow the “Costeja Case”, answers to the second question, “could it and should it?”, may vary, but I would opine: “No”, for the following reasons:

  • Not all DPAs and/or Courts the world over are following the ruling in the “Costeja Case” to the letter.

In the Costeja Case observations were submitted to the ECJ by the European Commission and the governments of Austria, Greece, Italy, Spain and Poland; while they sided with Mr. Costeja and Spain on some issues, they did not do so across the board nor unanimously. Even national courts in Europe have not found that the Costeja Case should be followed blindly; whereas a French court sided with a Mr. Shefet on a like case where he sought to have search results on defamatory materials accusing him online of professional malpractice, fraud and even connections to the Serbian mafia removed from Google’s global search results, not just France’s, a court in Amsterdam sided with Google against a request by the owner of an escort agency in 2012 for ‘attempted incitement of contract killing’, who wanted to have links removed to online publications linking him to the crime.

In Latin America, both courts of appeals and the Supreme Court of Argentina have ruled in favor of Google and Yahoo! on cases akin to the Costeja Case, where models Virginia da Cunha and María Belén Rodríguez sought to have URLs linking to sites which associated their images to pornographic content removed, as well as damages, much in the way the Fonovisa v Cherry Auction case serves as a defense against secondary liability for online copyright infringement in certain cases. No matter how much European influence there may be in our countries’ data protection framework, the Latin American regimen and context are much different from Europe’s.

On the whole, my thoughts on why IFAI ran amiss in finding against Google in the instant case can be summed up as follows:

  • The decision is an open and abrupt departure from IFAI’s decision in a like case against the same company.

There is a principle called “Stare Decisis”, which in Mexico we call “analogy”, whereby all things remaining equal (meaning no fundamental changes in the law or regulations, for example) like cases should be decided in like ways. That is what gives us precedent, which in turn gives us guidance and certainty.

As indicated in my previous post, IFAI found no liability on the part of Google Mexico in a previous case decided in the same year (2014) also involving search results from Google, so much so that the third finding for that case stated that:

“[f]rom the information in the file being acted upon it is found that as regards the services relative to the search engine and email that in their time gave rise to the opening of the file that is acted upon, as well as the statements of the Complainant in his writ of February 6, 2014, these are provided by Google, Inc., a corporation domiciled in the United States of America, over which this Institute lacks jurisdiction by territory, as it escapes the content of the LFPDPPP, as provided for in its article 1 and is not within the provisions of article 4 of its Regulations…”

The reason I find this concerning is that in a practice such as privacy and data protection, which is in its infancy in Mexico, we practitioners need clear guidance from the DPA in order to be able to advise our clients, but even more so our clients need certainty so that they can know what their businesses should expect from the DPA. Absent either or both, we are all simply at a loss and exposed to the whims of the DPA, or any other relevant authority for that matter.

As noted above, the Argentinean courts have followed precedent, whereas IFAI did not.

  • The ARCO request and Rights’ Protection Claim from which the case stems should have been dismissed.

Numeral 1) in the data subject’s complaint to IFAI, which can be read on the very first page of the decision, states that:

“1) In the referred URL contain my name, that of my (late) father and of my brothers, as well as clipped and out-of-context information of my activities as a businessman and merchant, which not only affects my most intimate sphere…”

Key words there: businessman and merchant. The Regulations to the Law provide for an exception to the application of its provisions (mind you, not the Law’s provisions) relative to the information of a data subject regarding their capacities as merchants and professionals, and as per the data subject’s own claim the former would be the case as concerns him. While this exception has an issue of legality and, if applied, could be successfully challenged in court, as the exception should have been provided for in the Law and not in the Regulations thereto, the fact is IFAI should have applied it, but didn’t.

  • The decision unduly pierces the corporate veil.

Under Mexican law there are very few and limited instances where the corporate veil can be pierced: labor, tax, anti-trust and some instances in financial laws and regulations that provide for effective control as a criterion for their application to a transaction or operation. So unless expressly provided for, a Mexican authority, whether administrative or judiciary, may not pierce a corporate veil.

However, IFAI did when it decided, on merely formalistic grounds, that Google Mexico was the data controller for the information that the data subject complained about, such formalistic grounds being that:

  1. The purveyance of search engine services was provided for under the corporate purpose in its bylaws, which it had disregarded in the preceding case on the results from
  2. Screenshots of the website, where the name of our country can be seen below the search box, there’s a reference to the location of their Mexico City office, and so on and so forth. However, simply slapping a thumbnail of our country’s flag on a website cannot be held as sufficient grounds for a Mexican authority to exercise its jurisdiction on a foreign corporation, even less for it to find a Mexican corporation liable for the actions of a foreign corporation. If IFAI had conducted a WhoIs search of the records of (the Registry/Registrar of the .MX ccTLD) for the domain name, it would have found that the Registrant thereof, and therefore the party that could perhaps and eventually be found to be liable for the information therein, is Google, Inc., well away from IFAI’s jurisdiction in Mountain View, CA:

[Image: WhoIsGoogleMX]

The domain name in question is even directed to Google’s servers in the USA. As Google responded to IFAI in the instant case, it has no servers in Mexico.

If wording in bylaws and/or contracts is going to be found to be grounds for liability in privacy and data protection, things can get very complicated, very quickly, for any number of potential data controllers in this country.

  • There is no evidence in this case that the data subject took previous action relative to the allegedly infringing information.

Although, as IFAI quoted in its decision, the European Court ruled that:

“…the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”

…from the Costeja, the Dan Shefet and even the Netherlands cases one can find that the complainants/plaintiffs took action prior to bringing their cases. Mario Costeja himself, for example, had settled his debt with the Spanish social security, which rendered the publication indexed by Google incorrect, irrelevant and outdated. That doesn’t appear to have happened in this case, as the data subject offers no evidence of having acted against the source of the information he complained against.

Incidentally, it seems that exercising the “right to be forgotten” may turn out to be an exercise in futility. Whereas Mario Costeja sought to have that debt stricken from his online record, he and that debt are constantly referred to in scholarly discussions and publications on privacy and data protection the world over. In the instant case, other commentators and journalist Sergio Sarmiento published information that reveals the identity of the data subject.

  • As a matter of policy, in a struggling democracy such as Mexico’s, it’s just not a good idea to enforce the right of cancellation/be forgotten to the detriment of freedom of speech, of the press and access to information.

Naturally, the “right to be forgotten” can cut against freedom of speech, of the press, access to information and what not. That is why the European Court concluded in its ruling that:

“…those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.”

In the instant case the allegedly infringing information appears to deal with the data subject’s alleged involvement in some case regarding the management of a transport company in Mexico, donations made thereby to a charity run by a former President’s First Lady, references to the bank bailout of the ’90s, and so on and so forth, which could be regarded as being of interest to the general public, whereas other information would not, even if it concerned the same data subject.

In a country such as Mexico, where current affairs are, perhaps not always better, but more actively discussed through and thanks to social networks and online media, authorities should be very wary of where and how they draw the line between what is of interest to the general public, and should therefore remain available, and what is not and should not.

It will ultimately fall upon the administrative and judiciary courts to decide who is right after all, whether IFAI or Google, and to provide us with a profoundly interesting and rich precedent. Said courts will undoubtedly apply a deeper analysis and criteria, which IFAI was probably not in a position to apply, as it is after all the DPA that applies a protectionist legal framework that is heavily weighted in favor of data subjects. However, in principle my money is on Google, for the reasons outlined above and many others that Google has probably already thought about.

The case has sparked a heated debate in the privacy/data protection community in Mexico; Mr. Andrés Calero, former General Director of Verification in IFAI, and I (@1’32”) were interviewed by CNN Mexico to opine on it:


As always, the end of the year calls for reflection upon the road traveled over the days, weeks and months that have elapsed; lessons learned; successes attained and objectives put forth. 2013 was the year that saw us launch, but 2014 was really the year of starting up. Now we look to 2015 as a year of growth and consolidation.

Part of such reflection demands gratitude to all who have collaborated with us, but especially to our friends, colleagues and clients, who have placed their trust in us for the due care of their cases in an ever more competitive market, in a niche as closed as financial regulation and as specialized as privacy.

We wish you all the best, today and always, personally and professionally, and appreciate your trust in our work and/or interest in the materials published in this blog.


Last month Forbes México published an article of mine on the aspects that must be covered in order to properly implement the regulatory compliance on personal data protection that everyone who processes such information is obliged to observe. Over more than 4 years of working with data controllers in the financial services, health, education, hospitality and restaurant sectors, etc., I have had occasion to see the value assigned to data protection, not only as one more requirement to meet in order to avoid an onerous penalty, but as a means of conveying a positive image of the company, as well as to hear the subject referred to as additional bureaucracy that adds nothing to the business.

Communicating the former in order to change the latter was part of the aim of the “Roadshows” that ProSoft 3.0, IFAI and NYCE held between November and the first days of November from Tijuana to Mérida, at which our firm was invited to present the legal and practical aspects of the binding self-regulation schemes that will begin operating next year; below are some of the slides that set out how and why the trust that personal data protection generates is fundamental to the success of a business.


The 2009 constitutional reforms on privacy, the 2010 Law, the 2011 Regulations and the 2013 Guidelines are part of a larger and more important project to boost the competitiveness of companies and businesses in Mexico, which in the short span of 4.5 years in which the Ley Federal de Protección de Datos Personales has been in force has already managed to place itself at #9 in the “Top 10” of leading countries in data protection according to EMC Corporation’s Global Data Protection Index, which is very commendable, considering how much remains to be done by the very broad universe of data controllers in the country, and the lack of knowledge of the subject that still exists among them, data subjects and even legal professionals.

Be that as it may, this ranking of Mexico is extremely positive but still leaves some way to go.



The immediately preceding entry of this blog commented on the news report about the presumption that Mrs. Soledad Félix is the person who appears in one of the pictograms that those who market tobacco products are required to include on the packaging of their products, but that she had not given her consent to such use of her image. That report also mentions her intention to take action over the unauthorized use of that image by the tobacco companies.

As explained in that entry, such use does not result from a unilateral decision by those companies, but from a regulatory requirement derived from the health legislation and regulations applied by the Secretaría de Salud. Well, today the Diario Oficial de la Federación published the “Resolution announcing the series of legends, images, pictograms, health messages and information that must appear on all packages of tobacco products, and on all external packaging and labeling thereof, as of September 24, 2014”, which reduces to 2 the number of pictograms whose use is imposed on them, omitting the one alluding to myocardial infarction that contained the allegedly infringing image.

The reason for the change could be that case, although it is a fact that the applicable regulatory provisions provide for the rotation of those pictograms every 12 months. For the period from September of this year to March of the next, only those relating to newborn mortality and COPD (Chronic Obstructive Pulmonary Disease) must appear on the packages and labels in question. In the meantime, it will be very interesting to follow Mrs. Félix’s case, and the impact it may have on those labeling obligations.


I am pleased to share that I just began my first mentoring session with Wayra, Telefónica’s startup incubator. I will be a mentor on legal matters for Vandedroid, who produce light switches that make it possible to control electricity consumption, lighting intensity and even the colors of the lighting through a mobile app.

Fortunately, awareness has grown that Mexico is not a country of large companies… but of great entrepreneurial ventures, and entrepreneurs are beginning to be given access both to funds and to mentoring, and ideally to “smart money”, which is the combination of both.

In any case, the point is that legal aspects are fundamental to entrepreneurship; when the main asset is intangible, because it is an idea, the protection of confidentiality agreements is fundamental. Likewise, the protection of intellectual property, copyright, trade secrets and know-how is paramount in the embryonic stage of a company.

After years of work as a corporate lawyer I know the fundamental aspects of a company’s startup period, its development and the legal requirements it will have throughout its operation. Moreover, in the case of ventures intensive in the processing of personal data, regulatory compliance in that area is fundamental, and something I am qualified to support them with.

It will undoubtedly be a great project.

The discussion of the “labor reform” was one of the most intense political and legislative chapters of the close of President Calderón’s six-year term, and its enactment one of the acts of great fanfare with which President Peña opened his. Among the heatedly discussed topics was that of intermediaries or “human resources companies”, “service provision companies” or “outsourcing”, a figure that years earlier caused great concern among labor and tax authorities because of cases in which workers were deprived of benefits through it, as was the case of some structured under the guise of “cooperatives”, with the consequent detriment to the treasury and the social security institutions.

Now then, the fact that the labor regulation that Article 40 of the LFPDPPP provides must be issued with the assistance of IFAI has not been issued may prompt some questions such as:

  • Who would be the data controller for the processing of the personal data of the employee data subjects, and therefore who should make the privacy notice available to them?
  • How should the movement of personal data from the human resources company to the recipient of the service be categorized: a transfer to a third party, or a remittance to a data processor?
  • And if it were a transfer to a third party, which would therefore determine its own purposes for the processing of that personal data, could that expose it to labor liability, and could the privacy notice turn out to be evidence in the proceedings to determine it?

I have an idea that possibly at some conference in which IFAI officials participated it may have been said that the beneficiary of the employees’ work should make its own privacy notice available to them, but my memory could be failing me, and if so I apologize in advance for the lack of clarity of my recollection.

The answers could be more or less clear one way or the other, but nothing will be definitively settled until the Secretaría del Trabajo y Previsión Social and IFAI issue the corresponding secondary regulation.




