On March 20, 2025, Mexico's reformed Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) was published in the Diario Oficial de la Federación. The headline change is not in the statute's text but in its enforcer: the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — the autonomous regulator that had overseen private-sector data protection since 2010 — has been dissolved. Its functions now sit inside the executive branch, under the new Secretaría Anticorrupción y Buen Gobierno. Throughout late 2025 and into 2026, a centralized Transparency and Personal Data Protection Platform has been rolling out, requiring private-sector controllers to register processing activities and route ARCO rights requests (Access, Rectification, Cancellation, Opposition) through a single government portal.
For a pro-innovation publication, this transition is worth taking seriously. Data protection is a legitimate public interest, and Mexico's original LFPDPPP was — by Latin American standards — a reasonably balanced instrument. But two things have changed at once: who regulates, and how compliance is operationalized. Both deserve scrutiny.
From autonomous regulator to executive branch
INAI's dissolution was part of a broader constitutional reform passed in late 2024 that eliminated several autonomous oversight bodies. The official rationale was administrative efficiency and the elimination of duplicative functions. The concern, voiced by industry groups, the OECD, and civil society alike, is structural: an independent data protection authority is a near-universal feature of mature privacy regimes. The GDPR explicitly requires it (Article 52). Brazil's LGPD created the ANPD, which has been steadily professionalizing. Even jurisdictions without omnibus laws, like the United States, lean on independent agencies such as the FTC.
Folding privacy enforcement into a ministry titled "Anti-Corruption and Good Government" — reporting up through the executive — invites a reasonable question: what happens when the data controller under investigation is itself a government-adjacent actor, a politically sensitive private firm, or a journalist's source? Independent regulators are not a luxury; they are how privacy law earns credibility with the regulated community and with foreign trading partners.
The adequacy question
This is not an abstract worry. Mexico is the European Union's second-largest trading partner in Latin America, and the modernized EU-Mexico Global Agreement contains provisions touching on data flows. While Mexico does not hold a formal EU "adequacy decision" under GDPR Article 45, Mexican firms and EU exporters have long relied on standard contractual clauses and on the perception that Mexico's regime — anchored by an independent regulator — was at least in the ballpark of European standards.
Schrems II made clear that the European Court of Justice scrutinizes not only the law on the books in third countries but the institutional independence of oversight bodies. Multinationals routing personal data through Mexican subsidiaries should expect questions from European counterparties and from their own data protection officers about whether the post-INAI regime still supports the safeguards their transfer impact assessments assumed.
SMEs and the centralized platform
The Transparency and Personal Data Protection Platform is, in principle, a sensible idea. A single portal for ARCO requests, breach notifications, and processing-activity registration could lower compliance costs — particularly for small and medium-sized enterprises that cannot afford bespoke privacy programs. Mexico's economy is overwhelmingly SME-driven; the country has several million micro and small businesses, the vast majority of which have never engaged with formal data-protection compliance.
The risk is that a centralized registration regime tips from facilitation into de facto licensing. The original 2010 LFPDPPP was deliberately principles-based and obligation-light for small operators — controllers issued privacy notices, designated a contact, and responded to ARCO requests, but did not pre-register with the state. A mandatory registration step, even a free one, changes the architecture: it creates a government inventory of who is processing what, and it gives the executive a chokepoint over the conditions of digital commerce.
Proportionality should be the watchword. The platform should:
- Maintain a clear SME threshold below which registration and processing-record obligations are simplified or waived, mirroring GDPR Article 30(5)'s sub-250-employee carveout.
- Publish response-time SLAs for the ARCO request routing function, so that centralizing the channel does not slow down individual rights.
- Offer machine-readable APIs so legitimate compliance vendors can integrate, rather than forcing every controller through a manual web form.
- Commit to transparency reporting on enforcement actions, modeled on what INAI used to publish.
Cross-border transfers and the USMCA backdrop
The other shoe yet to drop is the USMCA review scheduled for 2026. Chapter 19 of USMCA contains commitments on cross-border data flows and a prohibition on data-localization requirements, with carveouts for legitimate public policy. A data-protection regime that channels all private-sector compliance through a single government platform sits uncomfortably close to the localization line, particularly if the platform begins requiring local storage of processing records or imposes friction on outbound transfers. Washington and Ottawa will be watching the implementing regulations closely.
What good regulation looks like from here
None of this means Mexico should — or could — re-create INAI by fiat. The constitutional reform is done. But the secondary regulations and platform design choices that will define the regime in practice are still being written. A few principles would help reconcile the new architecture with Mexico's innovation interests:
- Functional independence inside the Secretaría: ring-fence the data protection unit with fixed-term appointments and budget protections, even if formal autonomy is gone.
- Risk-tiered obligations: heavier scrutiny for large processors and sensitive-data handlers; lighter touch for low-risk SMEs.
- Engagement with international adequacy frameworks: proactive dialogue with the European Commission and with Convention 108+ signatories to preserve transfer pathways.
- Open consultation on platform technical specifications, with industry, civil society, and security researchers at the table.
Mexico now has a chance to demonstrate that an enforcer inside the executive can still be a credible, proportionate steward of personal data. The platform rollout is the test. If it lowers compliance costs for legitimate businesses while preserving individual rights and international interoperability, it will be a quiet success story. If it becomes a registration chokepoint or a political tool, the cost will be measured in lost investment and lost trust.