Mexico Mexico LFPDPPP data protection platform

Mexico's Mobile Registration Extension Buys Time, Not Oversight

The CRT's 184-day delay on CURP-linked enrollment doesn't restore the independent watchdog dissolved in 2024 or close the judicial-access gap that made PANAUT unconstitutional.

People of Internet Research Team · 2026-06-29
Mexico's Mobile Registration Crisis By the Numbers People of Internet Research · Mexico 63M Lines registered so far Out of 144.6M active lines; just 4… ~82M Lines still pending Must register by Dec 31 or face 72… ~90% Extortions via VoIP GSMA data cited by R3D; VoIP is ou… peopleofinternet.com

Key Takeaways

Third Attempt, Same Accountability Gap

On June 25, 2026, Mexico's Comisión Reguladora de Telecomunicaciones (CRT) announced a staggered extension of the June 30 deadline for CURP-linked mobile registration, pushing the final cutoff to December 31, 2026 — with prepaid subscribers assigned deadlines by the last digit of their phone number. The reason was concrete: only 63 million of roughly 144.6 million active mobile lines had been registered since enrollment began on January 9, a compliance rate of barely 43 percent. The extension is an administrative response to a logistical shortfall, but it does nothing to address the structural deficits that have dogged Mexico's mobile identity programs across three separate attempts spanning fifteen years.

The Current Scheme and Its PANAUT Shadow

Mexico's third attempt at a subscriber registry is deliberately more restrained than its predecessors. The Lineamientos para la Identificación de Líneas Telefónicas Móviles, approved unanimously by the CRT on December 8, 2025 and published in the Diario Oficial de la Federación the following day, limit carriers to five data fields: full name, CURP or RFC tax ID, phone number, validation source, and outcome. Unlike PANAUT — the 2021 law that required fingerprints, facial recognition data, and iris scans — the current framework explicitly prohibits operators from retaining biometric data, photographs, or ID copies. That restraint tracks the SCJN's April 25, 2022 ruling, which voided PANAUT with nine of eleven justices finding it fully unconstitutional for failing necessity, proportionality, and prior data-protection impact assessments. The CRT has absorbed the court's proportionality lesson on collection. It has not absorbed the lesson on oversight.

The Case for Subscriber Registration — and Its Empirical Limits

The government's rationale deserves a fair reading before being dismissed. Mexico has one of the world's highest rates of telephone-mediated extortion; anonymous prepaid SIMs create accountability voids that criminals exploit at scale. The CRT notes that 166 countries require some form of subscriber identification, and compelling carriers to act as verified identity checkpoints is a defensible policy instrument where phone-based crime causes measurable harm. A registry that collects only name and national ID number is far easier to justify than one that stockpiles biometrics.

The empirical case is weaker than the policy intuition. R3D — Mexico's leading digital rights organization — has cited GSM Association research finding no evidence that mandatory subscriber registries reduce extortion or kidnapping rates. The structural explanation is straightforward: the Lineamientos cover mobile voice and data lines, but approximately 90 percent of telephone extortions in Mexico occur via VoIP services — platforms entirely outside the CRT's registration framework. A scheme that enrolls 145 million SIM cards while leaving the primary criminal channel unaddressed generates a mass identity database without meaningfully resolving the problem it was designed to fix. R3D has also documented a data vulnerability in Telcel's own system that exposed subscriber information, illustrating the security risks that accompany any large-scale identity database.

LFPDPPP's New Weight on Carriers

Under Mexico's revised Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), reformed in March 2025 and effective from March 21, carriers collecting CURP and identity validation data are now personal data controllers with explicit statutory obligations. These include publishing compliant privacy notices detailing collection purposes, implementing data minimization and purpose-limitation controls, maintaining accurate records, and establishing ARCO (Access, Rectification, Cancellation, Opposition) channels for subscribers.

The scale is not trivial. With 63 million lines already registered and roughly 82 million more due by December 31, carriers such as Telcel and AT&T México will be managing near-total-population identity stores. Any downstream access by law-enforcement agencies triggers the LFPDPPP's purpose-limitation principles — yet under Mexico's current telecoms surveillance framework, such access can occur without judicial authorization. The data protection statute creates obligations for carriers; it does not close the executive access channel that makes those obligations insufficient.

The Oversight Vacuum Left by INAI's Dissolution

The structural problem underlying all of this is the November 28, 2024 constitutional reform that dissolved INAI — the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales. For fifteen years, INAI functioned as Mexico's independent data protection authority, empowered to investigate carriers, issue binding guidance, and impose sanctions without executive direction. The Organic Simplification reform abolished INAI along with six other autonomous agencies and transferred its functions to the Secretaría de Anticorrupción y Buen Gobierno (SABG), a ministry directly accountable to the President.

For the CURP registry, this creates a circular accountability structure. The body now charged with verifying LFPDPPP compliance is the same executive branch that authors the CRT's registration guidelines and whose law-enforcement agencies seek access to the resulting database. Law firm BASHAM observed after the reform that oversight had reverted to a model resembling the one-party opacity of the 1960s and 1970s — where the government is simultaneously the regulated entity, the regulator, and the supervisory body. A telecom carrier facing an SABG inquiry over subscriber data handling is not engaging with an independent authority; it is engaging with a political institution that also wants the data.

Three Gaps That Need Closing

The 184-day extension is an administrative adjustment to a logistical shortfall. It does not address the three structural deficits that define the registry's legitimacy problem. First, Mexican law permits authorities to access the subscriber registry without a judicial warrant — an authorization gap the SCJN signaled was constitutionally material when it voided PANAUT. Second, the Lineamientos set no maximum retention period, making indefinitely-stored identity data the practical default for carriers holding records on 145 million subscribers. Third, the body responsible for data protection oversight has no institutional independence from the executive branch that benefits most from access.

Mexico has now constructed three mobile subscriber registries in fifteen years: RENAUT (2009), voided by non-compliance and data leaks; PANAUT (2021), struck down by the Supreme Court; and the current CURP scheme. Whether this iteration earns the constitutional durability its predecessors lacked will depend not on the enrollment count the CRT announces in December, but on whether the government is willing to restore independent oversight and close the judicial-access gap it has so far chosen to ignore.

Sources & Citations

  1. CRT — Extension Calendar & Deadlines
  2. CRT — Lineamientos Approval (Dec 2025)
  3. R3D — Registry Lacks Safeguards Against Abuse
  4. Newsy Today — 184-Day Deadline Extension
  5. ECIJA — SCJN Strikes Down PANAUT (April 2022)
  6. IAPP — INAI Abolished, New Data Authority