Law Library Stacks

Back to Index of of Legal Reports
Back to Comparative Summary

Full Report (PDF, 2.78MB)
Map: COVID-19 Contact Tracing Apps (PDF, 550KB)

Jurisdictions Surveyed:
The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates

Mexico

As of May 22, 2020, mandatory electronic measures to combat COVID-19, such as location tracking of, and contact tracing through, mobile devices, had not been ordered by Mexico’s federal government. The government has released a voluntary mobile coronavirus application, “Covid-19MX,” aimed at assisting users to locate pertinent information on a number of matters related to the virus, including access to epidemiological health care telephone numbers and a self-diagnosis tool. Certain issues have been reported concerning the privacy policy of this app.

I. Introduction

According to data provided by the Mexican government, there were 62,527 confirmed cases of individuals who contracted COVID-19 and 6,989 deaths from the virus as of May 22, 2020.[1] However, Mexican officials have reportedly acknowledged that the number of cases is perhaps several times higher due to Mexico’s low rate of testing.[2] Mexico, which has a population of over 125 million, has conducted approximately 230,000 tests to date, one of the lowest rates in the Western Hemisphere.[3]

In 2019 there were approximately 86.5 millions of users of cellphones in the country, 90% of whom had a smartphone, according to a government survey.[4] The survey indicates that 48.3 million cell phone users installed apps on their devices in 2019.[5] Most of these apps were for social media, instant messaging, and traffic information.[6] The surveyed individuals did not report having downloaded applications for health purposes.[7]

II. Legal Framework

A. Privacy and Data Protection

“Personal data” are defined as any information pertaining to an identified or identifiable individual.[8] An individual is deemed to be identifiable when his or her identity may be directly or indirectly determined from any information.[9]

“Sensitive personal data” are those that refer to the individual’s most private information and those whose misuse may lead to discrimination against, or involve a serious risk to, the data’s owner, including his or her health status.[10] The processing of personal data must adhere to the principles of consent, lawfulness, purpose,proportionality, and responsibility.[11]

As a general rule, sensitive data may be processed provided that express consent is granted for such purpose.[12] There are a number of exceptions to this rule, however, including cases where personal data are needed to provide preventive treatment or diagnosis when providing health care, and when the data have been subject to a prior disaggregation procedure.[13] Through such procedure, personal data cannot be associated with the owner.[14]

In the absence of these exceptions, consent must be specifically granted and based on the privacy policy provided by the recipient of the data.[15] The privacy policy must inform individuals, in clear terms, of the existence and main characteristics of the processing to which their personal data will be subjected so that they can make informed decisions.[16]

B. Data Retention and Location Tracking

1. Health Law

Mexico’s health authorities have broad powers to prevent and control communicable diseases, including observation of human and animal contacts, to the extent required.[17] In places where a communicable disease acquires serious epidemic characteristics as determined by the Department of Health, as well as in adjoining places, private citizens and civil and military authorities must cooperate with health authorities in combatting such disease.[18]  

2. Telecommunications Law

In addition, telecommunications companies must cooperate with law enforcement authorities in locating, in real time, mobile communications devices.[19] Furthermore, these companies must keep records of communications that are made from any type of line that allows for the accurate identification of pertinent data, including the following:

  • Subscriber’s name or corporate name and address
  • Type of communication (voice, voicemail, conferencing, data)
  • Multimedia or messaging services employed (including short message services, multimedia, and advanced services)
  • Information needed to trace and identify the source and destination of the mobile telephone, including the destination number
  • Date, time, and duration of communications, as well as the messaging or multimedia services involved
  • Digital location of the geographic positioning of telephone lines[20]

The data retention obligation begins on the date on which the communication took place.[21] For the first 12 months telecommunications companies must store these data on systems that allow their delivery in real time to law enforcement authorities through electronic means.[22] Once this period is over, data must be retained in electronic storage systems for an additional 12 months, during which information must be delivered to the competent authorities within 48 hours from the time a pertinent request for such data is made.[23]

Telecommunications companies must take the necessary technical measures concerning the data being kept to guarantee their conservation, care, protection, and nonmanipulation, and must prevent unlawful access, destruction, alteration, or cancellation.[24]

III. Electronic Measures to Fight COVID-19 Spread

As of May 22, 2020, mandatory electronic measures to combat COVID-19, such as location tracking of, and contact tracing through, mobile devices, had not been ordered by Mexico’s federal government.[25] A high-ranking official with the National Institute for Access to Information (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, INAI), Mexico’s main authority on privacy matters, recently indicated that if the government decides to conduct geolocation tracking measures through electronic means, it should do so in consultation with INAI to ensure that private data are treated in accordance with applicable privacy requirements.[26]

The Mexican government has released a voluntary mobile coronavirus app, called “Covid-19MX,” aimed at assisting users in locating the following information related to the virus:

  • Direct access to epidemiological health care telephone numbers.
  • Self-diagnosis: In case of suspicion that the user or a family member have contracted the virus, the app offers a questionnaire to obtain pertinent recommendations, depending on the data provided.
  • Locations of healthcare providers close to the user’s location, provided that geolocation permission is activated.
  • Relevant information to understand how COVID-19 is transmitted, the most vulnerable groups and prevention measures.
  • News: Access to official information, including press conferences and statements from Mexico’s Ministry of Health.[27]

Socialtic, a nonprofit organization specialized in technology matters, reviewed this app in April 2020 and criticized its privacy policy, as it contains the following information:

  • It indicates that personal data may be provided to third parties, but does not specify with whom and for what purposes.
  • It omits the data that the app collects from the phone and other programs to which permissions are granted.
  • It reserves the right to make any update to the privacy notice without prior notice.
  • It indicates that the Ministry of Health is not responsible for the use or misuse of the content of the application.[28]

Back to Top

Prepared by Gustavo Guerra
Senior Foreign Law Specialist
June 2020


[1] Comunicado Técnico Diario COVID-19, Gobierno de México, Secretaría de Salud (May 22, 2020), https://perma.cc/PWQ2-WQNR.

[2] Mexico Hit New Virus Record of over 500 Deaths Per Day, Associated Press (May 26, 2020), https://perma.cc/64NB-B9WP?type=image.

[3] Id.

[4] Press Release, Instituto Nacional de Estadística y Geografía et al., En México hay 80.6 millones de usuarios de internet y 86.5 millones de usuarios de teléfonos celulares: ENDUTIH 2019 (Feb. 17, 2020), https://perma.cc/NNY9-35YH.

[5] Id.

[6] Id.

[7] Id.

[8] Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados art. 3-IX, Diario Oficial de la Federacion [DOF], Jan. 26, 2017, as originally enacted, https://perma.cc/R9EX-757C.

[9] Id.

[10] Id. art. 3-X.

[11] Id. art. 16.

[12] Id. art. 7.

[13] Id. art. 22(VII), (IX).

[14] Id. art. 3(XIII), (XXXI).

[15] Id. art. 20.

[16] Id. art. 26.

[17] Ley General de Salud arts. 134-XIV, 139-III, DOF, Feb. 7, 1984, as amended, https://perma.cc/A744-J9NZ.

[18] Id. arts. 140, 141, 147.

[19] Ley Federal de Telecomunicaciones y Radiodifusión art. 190-I, DOF, July 14, 2014, as amended, https://perma.cc/SAY4-JHC8

[20] Id. art. 190-II.

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] Se Declara como Emergencia Sanitaria la Epidemia Generada por Covid-19, Gobierno de México, https://perma.cc/7VPP-B748.

[26] Press Release, INAI, Ante pandemia, la salud pública es bien prioritario, pero no se puede descuidar la privacidad de las personas: Acuña Llamas (Apr. 30, 2020), https://perma.cc/CXE2-JNX5.

[27] Descarga la app Covid-19, Gobierno de México, https://perma.cc/NRJ7-RMYM; see also Covid-19, Google Play, https://perma.cc/BVJ7-C9YD.

[28] Análisis de la App COVID-19MX – Resumen, Socialtic (Apr. 6, 2020), https://perma.cc/XGC9-JNVV.

Last Updated: 12/30/2020