Renegotiated NAFTA Might Help Bridge Mexico-U.S. Privacy Issues

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Emily Pickrell

Mexico’s top privacy regulator won’t finalize any strategy for adding privacy provisions to NAFTA until the Trump administration issues a formal proposal on the trade pact’s renegotiation, a spokeswoman for the regulator told Bloomberg BNA.

President Donald Trump has said he intends to renegotiate the North American Free Trade Agreement between Canada, Mexico and the U.S. Adding provisions on modern digital economy data transfers, and their attendant privacy and data security issues, may be possible.

Although it is too early to accurately predict what specific privacy and data security proposals may emerge, differences in the Mexican and U.S. privacy regimes might be amenable to better harmonization if mutual recognition provisions are ultimately included in a renegotiated NAFTA.

The Mexican privacy regulator, the National Institute for Information Access and Personal Data Protection (INAI), doesn’t plan to make public its plans for renegotiation of NAFTA, INAI spokewoman Olga Carranco said. Also, no decisions on privacy issues will be made until Trump’s position is announced, she said.

Privacy attorneys in Mexico insist that privacy protections for personal data should be a top priority in any digital trade discussions, because of Mexico’s stringent individual privacy laws.

“If they are going to renegotiate NAFTA, they should include a section on the protection of personal data,” Joel Gomez, a Mexico City-based internet privacy lawyer, told Bloomberg BNA. Doing so would help ameliorate perceptions “that the U.S. is less strict when it comes to protecting data privacy rights.”

Including mutually agreed upon data privacy rules in NAFTA would help push U.S. companies to follow the principles of the Mexican law, Gomez said. Mexico is dealing with the U.S.—its largest trading partner—so every privacy difference that can be resolved in a trade agreement “could be best for all the parties.”

Possible Models

As far as serving as a model, the Trans-Pacific Partnership (TPP) trade agreement has a chapter on digital trade, but stopped short of provisions that would improve individual privacy protections, Gomez said.

However, the EU-U.S. Privacy Shield data transfer program might serve as a stronger model for a NAFTA privacy provision, Gomez said.

The Privacy Shield allows U.S. companies that self-declare their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. Some 2,000 U.S. companies are certified under the scheme, including Google and Microsoft Corp. Tens of thousands of EU companies also rely on the program to legally transfer data to certified U.S. companies.

“Mexico follows the view of Europe that there is a need for a high level of protection of personal data,” Gomez said. “The Privacy Shield has a good list of requirements for minimum protections.”

Google Mexico

A dispute between Mexico’s privacy regulator and Alphabet Inc.'s Google Mexico demonstrates how a NAFTA privacy provision would be beneficial, Gomez said.

Google Mexico has asserted that it isn’t bound by Mexican law in regard to the search engine functions carried out by its U.S. parent.

The situation with Google Mexico “is an example of the kinds of problems Mexico is running into trying to enforce its own laws on foreign companies,” Gomez said. Data privacy rules in NAFTA could be a good place for Mexico and the U.S. to address such issues, he said.

Mexico’s privacy regulator recognizes the right to be forgotten, which is the right for individuals to request that personal information be removed from online search results if individual privacy outweighs the public right to know about certain information. The INAI has sought to enforce that right against Google Mexico. But others say that the right to be removed from a data search is a flawed internal interpretation of Mexico’s privacy law, inspired by a similar interpretation in the European Union.

The privacy office is “trying to import a concept, the right to be forgotten, that was issued in Europe, but that we do not have in our own privacy legislation,” Hector Guzman, a data privacy attorney with BGBG Abogados, in Mexico City, told Bloomberg BNA.

Ricardo Zamora, a spokesman for Google Mexico, told Bloomberg BNA that “Google search services are provided by Google Inc., a company subject to the U.S. laws which at all times operates in compliance with applicable laws. Protecting users’ personal data and security is a top priority for Google.”

To contact the reporter on this story: Emily Pickrell at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security