On March 20, 2025, Mexico formally extinguished one of Latin America's most consequential digital institutions. The Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — the autonomous body that for more than two decades had policed how the Mexican state and private platforms handled personal data — ceased to exist. Its functions were redistributed, with data protection enforcement against digital platforms reassigned to the executive-branch Secretaría Anticorrupción y Buen Gobierno. Fourteen months on, the consequences for platform regulation are becoming clearer, and they are not encouraging.
The constitutional reform that abolished INAI was pushed through Congress in late 2024 by the Morena-led coalition, framed as a cost-cutting and anti-duplication measure. The substantive concern, voiced from the start by civil society groups including R3D (Red en Defensa de los Derechos Digitales) and Article 19, was never about administrative efficiency. It was about independence — the foundational design choice of every credible data protection regime since the OECD's 1980 Privacy Guidelines.
Why Independence Is Not a Luxury
For a think tank that defends innovation and proportionate regulation, the instinct is usually to view the consolidation of bureaucracies sympathetically. Fewer agencies, fewer overlapping rulebooks, lower compliance costs — these are good things. But data protection oversight is a special case, and the special case rests on a simple structural fact: the state is itself one of the largest processors of personal data, and frequently the most aggressive one. An authority that polices both Meta and the Mexican federal government cannot credibly do so if it reports to a cabinet minister appointed by, and removable by, the president.
This is not a theoretical concern. The European Court of Justice struck down national arrangements in Germany (C-518/07, 2010) and Hungary (C-288/12, 2014) on precisely this ground — that data protection authorities embedded inside executive structures lack the "complete independence" required by EU law. The GDPR codified the principle in Article 52. The Council of Europe's Convention 108+ requires it. The OECD updated Privacy Guidelines reaffirm it. Mexico, by absorbing data protection into an anticorruption ministry, has moved against a four-decade global consensus.
The Platform Regulation Angle
The implications for platform governance are sharper than they look. Mexico has roughly 100 million internet users and is among the largest single-country markets for Meta, Google, TikTok, and Mercado Libre in Latin America. INAI was the body that processed complaints against these platforms under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP, 2010), and that interacted with European and Brazilian counterparts on cross-border data flows.
Three concrete risks now arise:
- Selective enforcement. A ministry that answers to the president has structural incentives to be tougher on platforms that host government-critical speech and lighter on those that do not. Even if individual officials behave with integrity, the perception of asymmetry corrodes the rule of law that platforms — and the users who depend on them — rely on.
- Government-as-data-controller blind spots. Mexico's federal and state governments run vast biometric, fiscal, and welfare databases. INAI was empowered to investigate and sanction them. A unit sitting inside the executive will struggle to do the same with comparable rigor.
- Adequacy and cross-border data flows. Mexico has long sought closer alignment with the EU's adequacy framework and was a participant in the OECD's cross-border data flow discussions. Stripping out the independence pillar makes any future adequacy negotiation materially harder, raising compliance costs for Mexican exporters and discouraging cloud and platform investment.
What a Proportionate Path Would Have Looked Like
The honest critique of INAI was that it was occasionally slow, sometimes captured by transparency theatre, and not always technically equipped for modern platform questions like algorithmic decision-making or AI training data. None of those problems required dissolution. They required reform: tighter mandates, sunset clauses on stale rulings, technical staff upgrades, and a clearer division of labor with COFECE (the competition authority) and the IFT (the telecoms regulator, itself now being absorbed into a new digital agency).
The standard regulatory toolkit — proportionality reviews, regulatory impact assessments, independent budget lines, fixed-term commissioner appointments staggered across electoral cycles — exists for precisely this reason. Mexico chose the blunter instrument.
What Platforms and Users Should Watch
For platforms operating in Mexico, the near-term practical question is whether the Secretaría's enforcement priorities mirror INAI's, or whether new political signals reshape them. For users, the question is whether complaint mechanisms remain functional and whether decisions on government data abuse remain credible. For investors and the broader open internet, the question is whether Mexico's regulatory environment can still be described as predictable.
We have been clear at People of Internet that overzealous platform regulation — speech-restrictive rules, broad intermediary liability, mandatory traceability — does more harm than good. But proportionate regulation requires an independent regulator. A pro-innovation policy stance is not a pro-deregulation stance; it is a stance for clear, narrow, predictable rules enforced by bodies that cannot be leaned on. Mexico's INAI reform fails that test. The hope now is that Congress, civil society, and Mexico's trading partners — particularly under USMCA's digital trade provisions — find ways to rebuild the independence layer before the costs compound.