
Mexico Folds Its Data Protection Watchdog Into the Executive: Why Independence Matters for the LFPDPPP

Absorbing INAI into the Anti-Corruption Secretariat saves money on paper but risks Mexico's EU adequacy prospects and the credibility of LFPDPPP enforcement.

Figure: "Mexico's Data Protection Reset" (People of Internet Research, peopleofinternet.com). Mar 2025: INAI dissolution effective. 7: autonomous bodies eliminated. 15: EU adequacy decisions globally (Mexico is not among them). ~12: years INAI operated (established 2014).

Key Takeaways

When Mexico's constitutional reform dissolving the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) took effect in March 2025, the country lost more than an acronym. It lost the independent referee that for over a decade enforced the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and adjudicated freedom-of-information requests against the federal government. Fourteen months on, with enforcement now housed inside the executive branch's Anti-Corruption and Good Governance Secretariat, the consequences for Mexico's digital economy and its international standing are coming into focus — and they are not encouraging.

What the reform actually changed

The constitutional amendment, part of a broader package eliminating seven autonomous constitutional bodies, transferred INAI's two distinct mandates to different parts of the federal government. Transparency and access-to-information functions migrated to the Anti-Corruption and Good Governance Secretariat. Data protection enforcement — including investigations, sanctions, and guidance under the LFPDPPP and its public-sector counterpart, the LGPDPPSO — landed in the same executive ministry, with some functions split across the Interior Secretariat (Segob).

On paper, the reform was sold as an efficiency measure: fewer bureaucracies, consolidated functions, lower payroll. In practice, the change collapses a decade of careful institutional design. INAI was created precisely because data protection regulators — like competition authorities, central banks, and electoral commissions — work best when they are insulated from the political incentives of the government of the day. A ministry that answers to the president cannot credibly sanction federal agencies, ruling-party-aligned firms, or politically connected data controllers without raising suspicion of either capture or weaponisation. Both outcomes are bad for businesses trying to invest under stable rules.

The EU adequacy question

Mexico has long aspired to a European Commission adequacy decision under Article 45 of the GDPR — the legal finding that would let personal data flow freely from the EU to Mexican processors without standard contractual clauses or transfer impact assessments. Adequacy is a commercial prize: it lowers compliance overhead for every European company that touches a Mexican supplier, BPO, cloud customer, or subsidiary.

The Commission's adequacy criteria, as elaborated in its 2017 communication and reinforced by the Court of Justice's Schrems II judgment (Case C-311/18), explicitly require an "independent supervisory authority" with effective enforcement powers. Folding the regulator into a ministry headed by a presidential appointee is, on its face, the opposite of that. The European Data Protection Board's 2018 "essential guarantees" referential — still the touchstone document for adequacy assessments — treats supervisory independence as non-negotiable, not as a nice-to-have. Mexico can argue that day-to-day enforcement remains technocratic, but adequacy reviewers look at structures, not assurances.

Beyond the EU, Mexico is also a party to the modernised Council of Europe Convention 108+, whose Article 15 requires that supervisory authorities "exercise their functions and powers… with complete independence." Compliance with that obligation is now genuinely contested.

Why this is bad for innovation, not just civil liberties

The reflexive response to losing an independent regulator is to assume enforcement will weaken — and that businesses will quietly cheer a lighter touch. That gets the economics backwards. Predictable, depoliticised enforcement is what data-driven sectors actually want. Mexican fintechs, health-tech startups, and the nearshoring boom in Monterrey and Guadalajara depend on cross-border data flows from US and European partners. Every general counsel signing a data processing agreement now has to price in two new risks:

That is a tax on Mexico's most promising export industries, paid in legal fees and lost contracts rather than tariffs.

What proportionate reform would have looked like

If the goal was genuinely to reduce bureaucratic overhead, the federal government had options that did not require eliminating institutional independence. INAI's budget could have been trimmed without dissolving it; functions could have been shared with state-level transparency bodies; the public-sector and private-sector data protection mandates could have been consolidated under a single, slimmer authority that retained constitutional autonomy. Several Latin American peers — including Brazil's ANPD and Argentina's AAIP — have shown that an authority can be lean, modern, and structurally independent at the same time.

Instead, Mexico chose the option that minimises short-run cost and maximises long-run risk. The LFPDPPP is still on the books, and the underlying obligations on data controllers — consent, purpose limitation, ARCO rights, breach notification — remain unchanged. What has changed is the answer to the most important question any compliance officer asks: "Who will police this, and can they be trusted to do so impartially?"

What to watch next

Three signposts will tell us whether the damage is containable. First, the European Commission's posture: any formal opening of an adequacy dialogue with Mexico is now extremely unlikely until structural independence is restored. Second, the pattern of enforcement actions out of the new Secretariat — particularly whether federal agencies and politically connected firms face the same scrutiny as foreign multinationals. Third, judicial pushback: amparo challenges and constitutional litigation from civil society groups, including R3D and Article 19 Mexico, are working their way through the courts and could yet narrow how the reform is implemented in practice.

Until those questions are resolved, the prudent assumption for any company processing Mexican personal data is that the rules are the same but the umpire has changed teams. That is not a position any maturing digital economy should want to be in.

Sources & Citations

  1. GDPR Article 45 — adequacy decisions (EUR-Lex)
  2. EDPB recommendations on essential guarantees for surveillance measures
  3. Council of Europe Convention 108+ (modernised)
  4. CJEU judgment in Schrems II (Case C-311/18)