Mexico's Interior Ministry (SEGOB) has published a 343-million-peso (~US$19.9 million) tender through RENAPO, the national population registry, to outsource administration, storage and secure handling of the country's biometric CURP infrastructure to a private contractor through the end of 2028. The winning bidder will manage roughly 112.9 terabytes of population data generated annually, hosted in a data center outside Mexico City chosen for low seismic risk (Biometric Update).
A Second Attempt, Not a First
This is not SEGOB's first try. An August 2025 tender for the same cloud infrastructure, with a ceiling of 520 million pesos, was declared void on September 3, 2025, after both bidders — a consortium led by Triara.Com and a competing offer from B Drive It — failed to meet the government's own technical and security requirements (Infobae). That the state's own procurement process rejected both bids on security grounds is worth sitting with: this is not a hypothetical risk raised by critics outside government, it is SEGOB's own evaluators concluding the market couldn't yet meet the bar for handling a centralized biometric database.
The Regulator That Isn't There
The re-tender lands in a materially different oversight environment than the one that existed when the CURP biometric program was first designed. A December 2024 constitutional reform dissolved seven autonomous regulators, including the National Institute for Transparency, Access to Information and Personal Data Protection (INAI). INAI's commissioners formally transferred their functions on May 9, 2025; personal data protection oversight now sits inside the Secretaría Anticorrupción y Buen Gobierno (SABG), an executive-branch ministry whose own press materials describe its mandate in terms of "strengthening" data security but make no reference to LFPDPPP obligations or independent audit mechanisms (SABG). LFPDPPP's 2025 overhaul is itself still incomplete: implementing regulations had not been published as of early 2026, leaving the private-sector data protection law that would govern a contractor's obligations only partially specified even as SEGOB moves to sign one.
R3D (Red en Defensa de los Derechos Digitales), Mexico's leading digital rights organization, has been warning about the structural risk since April 2025: a mandatory, centralized biometric database tied to a single national identifier creates "incentives for being breached" that don't exist when identity data is fragmented across agencies, and — crucially — the underlying legislative package would grant prosecutors, the National Intelligence Center and other security bodies "unrestricted access and immediate consultation" of CURP records without judicial oversight (R3D).
Steelmanning the Outsourcing Decision
The case for what SEGOB is doing is genuinely defensible on its own terms. Mexico's population registry has long been a patchwork of state-level civil registries with inconsistent digitization, duplicate CURPs, and identity fraud that undermines everything from voter rolls to social benefit disbursement. Biometric deduplication is a real fix for a real problem, and outsourcing the cloud layer to a specialized contractor — rather than building and securing that infrastructure in-house — is not inherently reckless. Government IT shops are frequently the weaker link in cybersecurity, not the stronger one; a vetted commercial data center with dedicated security staff can plausibly outperform an in-house RENAPO server room. Outsourcing infrastructure is standard practice in mature data-protection regimes, provided it comes with contractual liability, independent audit rights and a regulator empowered to enforce them.
Where Proportionality Breaks Down
That proviso is exactly what's missing here. The problem with this tender isn't that SEGOB is hiring a contractor — it's that it is doing so without the institutional infrastructure that would make outsourcing safe. There is no independent data protection authority left to compel a security audit of the winning bidder, publish a data protection impact assessment, or investigate a breach without also investigating its own executive branch. SABG answers to the same government that controls RENAPO and set the CURP's mandatory-use policy; asking it to police itself on the sensitivity of biometric data is a structural conflict of interest, not a personnel question. Pair that with R3D's consent critique — that a CURP required for virtually all public and private transactions cannot generate freely given consent to biometric processing — and the tender looks less like ordinary IT procurement and more like the state building surveillance-capable infrastructure faster than it is building the guardrails around it.
What Should Happen Before Signature
Proportionate regulation doesn't mean blocking the tender. It means SEGOB should publish a data protection impact assessment before award, disclose the specific security requirements that felled the 2025 bid so outside experts can verify this round actually fixes them, and Congress — which has 90 days of post-reform housekeeping obligations already on its plate — should finish LFPDPPP's implementing regulations before, not after, a contractor gains custody of biometric records on 130 million people. Modernizing identity infrastructure is worth doing. Doing it without anyone empowered to say no is not.