According to data provided by the Mexican government, there were 62,527 confirmed cases of individuals who contracted COVID-19 and 6,989 deaths from the virus as of May 22, 2020. However, Mexican officials have reportedly acknowledged that the number of cases is perhaps several times higher due to Mexico’s low rate of testing. Mexico, which has a population of over 125 million, has conducted approximately 230,000 tests to date, one of the lowest rates in the Western Hemisphere.
In 2019 there were approximately 86.5 million cellphone users in the country, 90% of whom had a smartphone, according to a government survey. The survey indicates that 48.3 million cellphone users installed apps on their devices in 2019. Most of these apps were for social media, instant messaging, and traffic information. The surveyed individuals did not report having downloaded applications for health purposes.
II. Legal Framework
A. Privacy and Data Protection
“Personal data” are defined as any information pertaining to an identified or identifiable individual. An individual is deemed to be identifiable when his or her identity may be directly or indirectly determined from any information.
“Sensitive personal data” are those that refer to the individual’s most private information and those whose misuse may lead to discrimination against, or involve a serious risk to, the data’s owner, including his or her health status. The processing of personal data must adhere to the principles of consent, lawfulness, purpose, proportionality, and responsibility.
As a general rule, sensitive data may be processed provided that express consent is granted for such purpose. There are a number of exceptions to this rule, however, including cases where personal data are needed to provide preventive treatment or diagnosis when providing health care, and when the data have been subject to a prior disaggregation procedure. Through such a procedure, personal data cannot be associated with their owner.
B. Data Retention and Location Tracking
1. Health Law
Mexico’s health authorities have broad powers to prevent and control communicable diseases, including observation of human and animal contacts, to the extent required. In places where a communicable disease acquires serious epidemic characteristics as determined by the Department of Health, as well as in adjoining places, private citizens and civil and military authorities must cooperate with health authorities in combatting such disease.
2. Telecommunications Law
In addition, telecommunications companies must cooperate with law enforcement authorities in locating, in real time, mobile communications devices. Furthermore, these companies must keep records of communications that are made from any type of line that allows for the accurate identification of pertinent data, including the following:
- Subscriber’s name or corporate name and address
- Type of communication (voice, voicemail, conferencing, data)
- Multimedia or messaging services employed (including short message services, multimedia, and advanced services)
- Information needed to trace and identify the source and destination of the mobile telephone, including the destination number
- Date, time, and duration of communications, as well as the messaging or multimedia services involved
- Digital location of the geographic positioning of telephone lines
The data retention obligation begins on the date on which the communication took place. For the first 12 months telecommunications companies must store these data on systems that allow their delivery in real time to law enforcement authorities through electronic means. Once this period is over, data must be retained in electronic storage systems for an additional 12 months, during which information must be delivered to the competent authorities within 48 hours from the time a pertinent request for such data is made.
Telecommunications companies must take the necessary technical measures concerning the data being kept to guarantee their conservation, care, protection, and nonmanipulation, and must prevent unlawful access, destruction, alteration, or cancellation.
III. Electronic Measures to Fight COVID-19 Spread
As of May 22, 2020, mandatory electronic measures to combat COVID-19, such as location tracking of, and contact tracing through, mobile devices, had not been ordered by Mexico’s federal government. A high-ranking official with the National Institute for Access to Information (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, INAI), Mexico’s main authority on privacy matters, recently indicated that if the government decides to conduct geolocation tracking measures through electronic means, it should do so in consultation with INAI to ensure that private data are treated in accordance with applicable privacy requirements.
The Mexican government has released a voluntary mobile coronavirus app, called “Covid-19MX,” aimed at assisting users in locating the following information related to the virus:
- Direct access to epidemiological health care telephone numbers.
- Self-diagnosis: In case of suspicion that the user or a family member has contracted the virus, the app offers a questionnaire to obtain pertinent recommendations, depending on the data provided.
- Locations of healthcare providers close to the user’s location, provided that geolocation permission is activated.
- Relevant information to understand how COVID-19 is transmitted, the most vulnerable groups and prevention measures.
- News: Access to official information, including press conferences and statements from Mexico’s Ministry of Health.
- It indicates that personal data may be provided to third parties, but does not specify with whom and for what purposes.
- It omits the data that the app collects from the phone and other programs to which permissions are granted.
- It reserves the right to make any update to the privacy notice without prior notice.
- It indicates that the Ministry of Health is not responsible for the use or misuse of the content of the application.
Prepared by Gustavo Guerra
Senior Foreign Law Specialist
Last Updated: 12/30/2020