On 25 April – three days before the legislative summer recess – Congress introduced the long-awaited cybersecurity bill. Totalling 92 articles (and eight transitory articles), the project seeks to erect the first-ever regulatory framework for cybersecurity in the country.
Mexico is one of the most targeted countries for cyberattacks in Latin America; however, a lack of momentum means that significant progress in cybersecurity may not be achieved until after 2024.
About the Bill
The bill proposes creating a National Cybersecurity Agency (NCA) to coordinate all cybersecurity efforts, establishing a specialised ‘cyber prosecutor’ to investigate and prosecute crimes (within the Attorney General’s office), as well as specialised judges on cybersecurity. The bill acknowledges the importance of safeguarding ‘critical information infrastructures’ (CII) and lays out a framework for recognising CII, outlining corresponding responsibilities.
Legislator Javier López Casarín (Green Party), President of the Science and Technology Commission, garnered cross-party support in both chambers of Congress, bringing together different perspectives into a single text. These efforts merit recognition given the current political polarisation in Congress and the ongoing introduction of over 15 pieces of cybersecurity legislation over the past three years.
The Devil is in the Details
Notwithstanding this colossal achievement, certain items of the bill warrant caution, including (but not limited to) the following:
- NCA Jurisdiction: The NCA would directly report to the President, potentially granting it a prominent position in terms of hierarchy, which could favour coordination among government agencies and the private sector. However, this dependency may call into question the independence of the NCA, particularly as Mexican authorities, including the military, have been accused of deploying spyware against human rights activists, reporters, government critics, and opposition members.
- Disproportionate pairing: Providers of social network platforms, online game communities, streaming, online entertainment platforms, and telecommunications, which are not ‘critical information infrastructures’, have more obligations than the ones levied on CII. While the first group has 15 obligations, the latter faces only 10, including requirements such as registering before the NCA, creating an incident response unit within the business, and abiding by potential data residency requirements. This is not proportional and seems to result from mixing cybersecurity with content-related issues.
- Data residency: Providers should prioritise retaining user information in the national territory; however, when the data involves a national security violation, storing data in the country is a must. It is imperative to note that this article could directly conflict with Article 19.11 of the US–Mexico–Canada Agreement (USMCA) on the cross-border transfer of information.
- Intervention technologies: The bill states that only public security agencies can deploy communications interception tools (respecting legal formalities and human rights); however, it fails to reference Constitutional Article 16 on the right of inviolability of communications (a relevant aspect given the aforementioned precedent on state-sponsored espionage). Further, military forces may request the NCA to provide them with access to information, which may lead to an infringement of privacy and security.
- Content moderation: The bill raises intermediary liability concerns as it is unclear whether it will penalise ‘those who record digital content that incites harm or hate’. It remains uncertain whether platforms may be subject to content moderation obligations. In addition, the lines are blurred between what constitutes ‘freedom of expression’ and terrorism, hate speech, or similar content. Blending content issues with cybersecurity issues can be dangerous. If the intention is to address deepfakes or fake news, it is essential to separate this from cybersecurity.
- Digital rights: The bill proposes a set of 19 digital rights (e.g., digital inclusion, net neutrality, digital identity, online consumer protection); however, the project fails to provide definitions for these concepts or establish mechanisms for their enforcement regarding cybersecurity. Further, rights such as digital inclusion, net neutrality, and network equality (to cite a few) could conflict with existing legislation.
- Funding and implementation: The bill establishes a 36-month deadline to create the NCA and the specialised cyber attorney. With President Andres Manuel Lopez Obrador (AMLO) concluding his term in 2024, it will most likely fall on the new administration to implement the bill should it pass into law. But beyond these specifics, funding also remains unclear. To succeed, the NCA, the cyber prosecutor, and other entities must secure political backing and resources for their implementation. This includes hiring cybersecurity-specialised judges and upskilling cyber professionals, where the law fails to indicate how to fund these efforts or how to introduce the proposed experts. In this context, it is imperative to note that the lack of resources for implementing the law may determine its invalidity.
Moving forward: Timing is key
The elements listed above cast doubt on the proposed law’s effectiveness, cohesiveness, and implementation plans. However, the most pressing issue at hand is the lack of momentum. With Mexico gearing up for elections, cybersecurity legislation will likely take a back seat. On 4 June, the ruling party, Morena, will seek to secure the last remaining governorships of the Institutional Revolutionary Party (PRI) in the State of Mexico and Coahuila. These elections will serve as a prelude to the 2024 presidential election, where voters will elect a candidate to replace President Lopez Obrador. With only 13 months until the general elections, the political agenda in Mexico is shifting towards full-on election mode.
Access Partnership closely monitors all developments regarding cybersecurity in Latin America. For more insights on how this may impact your organisation, please contact Fernando Borjon at Fernando.Borjon@accesspartnership.com, Yamel Sarquis at Yamel.Sarquis@accesspartnership.com, and Rodrigo Serrallonga at Rodrigo.Serrallonga@accesspartnership.com.