Renegotiated NAFTA might help bridge Mexico-U.S. privacy issues

Privacy attorneys in Mexico insist that privacy protections for personal data should be a top priority in any digital trade discussions, because of Mexico’s stringent individual privacy laws.

“If they are going to renegotiate NAFTA, they should include a section on the protection of personal data,” Joel Gomez, a Mexico City-based internet privacy lawyer, told Bloomberg BNA. Doing so would help ameliorate perceptions “that the U.S. is less strict when it comes to protecting data privacy rights.”

Including mutually agreed upon data privacy rules in NAFTA would help push U.S. companies to follow the principles of the Mexican law, Gomez said. Mexico is dealing with the U.S.—its largest trading partner—so every privacy difference that can be resolved in a trade agreement “could be best for all the parties.”

Possible Models

As a possible model, the Trans-Pacific Partnership (TPP) trade agreement has a chapter on digital trade, but it stopped short of provisions that would improve individual privacy protections, Gomez said.

However, the EU-U.S. Privacy Shield data transfer program might serve as a stronger model for a NAFTA privacy provision, Gomez said.

The Privacy Shield allows U.S. companies that self-declare their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. Some 2,000 U.S. companies are certified under the scheme, including Google and Microsoft Corp. Tens of thousands of EU companies also rely on the program to legally transfer data to certified U.S. companies.

“Mexico follows the view of Europe that there is a need for a high level of protection of personal data,” Gomez said. “The Privacy Shield has a good list of requirements for minimum protections.”

Google Mexico

A dispute between Mexico’s privacy regulator and Alphabet Inc.’s Google Mexico demonstrates how a NAFTA privacy provision would be beneficial, Gomez said.

Google Mexico has asserted that it isn’t bound by Mexican law in regard to the search engine functions carried out by its U.S. parent.

The situation with Google Mexico “is an example of the kinds of problems Mexico is running into trying to enforce its own laws on foreign companies,” Gomez said. Data privacy rules in NAFTA could be a good place for Mexico and the U.S. to address such issues, he said.

Mexico’s privacy regulator recognizes the right to be forgotten, which is the right for individuals to request that personal information be removed from online search results if individual privacy outweighs the public right to know about certain information. The INAI has sought to enforce that right against Google Mexico. But others say that the right to be removed from a data search is a flawed internal interpretation of Mexico’s privacy law, inspired by a similar interpretation in the European Union.

[Excerpt from the interview Bloomberg BNA conducted with Joel Gómez Treviño, published on May 4, 2017. See the full article at this link.]