NEWS

Client Alert

Jul 25, 2025

Legal Alert

Client Alert - Mexico Enacts a New Public Security Law and Creates a Super Powered National Information Database: Implications for Data Privacy, Cross Border Operations, and Compliance

Overview

On July 16, 2025, Mexico enacted the “Ley General del Sistema Nacional de Seguridad Pública” (General Law of the National Public Security System), a sweeping legislative reform that reshapes the country’s public security architecture. While the law aims to enhance coordination and efficiency across federal, state, and municipal security forces, it introduces concerning obligations around data sharing and transparency that may significantly impact individuals, domestic entities, and foreign companies operating in or serving customers in Mexico.

The System: Centralized Power and Broad Data Access

A core component of the law is the creation of an expansive “Sistema Nacional de Información” (National Information System), operated by the Executive Secretariat of the Public Security System. This platform will aggregate data from all levels of government and private stakeholders, including individuals and companies.

Entities subject to the law must provide ongoing and timely data contributions to the system, including information relevant to security, justice, and public order—regardless of whether such entities operate physically within Mexican territory or provide services remotely to Mexican customers.

Critically, the law grants extensive access to this data to a wide range of institutions, including:

- Local police forces, - Municipal and state governments,

- Federal agencies,

- State-owned companies, and

- Other undefined “authorized entities.”

This broad and potentially unrestrained access to sensitive information raises significant concerns around data protection, competitive confidentiality, and the misuse of information—particularly in a country where cybersecurity, law enforcement integrity, and institutional safeguards remain uneven.

Key Compliance Risks for Businesses

1. Data Sharing Obligations: The law requires all sectors to contribute data continuously to the National Information System, potentially including employee information, geolocation, internal investigations, communications, or user metadata.

2. Scope of Application: The obligations extend not only to Mexican companies but also to foreign businesses with remote operations or digital services targeting Mexican users, potentially triggering extraterritorial exposure.

3. Privacy and Security Vulnerabilities: With more than a dozen government bodies granted access to the system—and no clear technical safeguards defined—the risk of data leaks, cybercrime, espionage, or illicit access by organized crime is materially heightened.

4. Lack of Recourse or Transparency: Individuals and businesses may not be notified of the use or access to their data, and legal remedies to contest unlawful access or sharing remain uncertain under the new framework.

Strategic Recommendations

Businesses—especially those in technology, telecommunications, fintech, e-commerce, hospitality, retail education, healthcare and logistics—should take immediate steps to evaluate their exposure:

- Conduct a legal audit of any interaction with Mexican users or regulators.

- Review existing data processing and retention policies to ensure compliance with potential reporting mandates.

- Assess cross-border data transfer protocols in light of broader access by Mexican authorities. - Reinforce cybersecurity protocols to guard against potential breaches due to widened information sharing.

- Consider geo-fencing or data segregation strategies to mitigate extraterritorial regulatory reach.

Conclusion

While the General Law of the National Public Security System seeks to modernize Mexico’s security infrastructure, the breadth of its data-sharing mandates and the permissiveness of access to the National Information System present novel challenges to personal privacy, corporate confidentiality, and due process.

Companies operating in or serving Mexico should be proactive in reviewing their legal obligations and technical safeguards. Failure to act could expose them to significant regulatory, reputational, and criminal risk.

We Can Help

If your company is uncertain about the scope of its obligations under the new law or wishes to proactively manage risk, please contact us.

For additional information, please contact any of the following: Sergio Legorreta at sergio.legorreta@fisherbroyles.com, Jair Bravo at jair.bravo@fisherbroyles.com, with any questions or more specific situations.

Client Alert - Mexico Enacts a New Public Security Law and Creates a Super Powered National Information Database: Implications for Data Privacy, Cross Border Operations, and Compliance

Overview

On July 16, 2025, Mexico enacted the “Ley General del Sistema Nacional de Seguridad Pública” (General Law of the National Public Security System), a sweeping legislative reform that reshapes the country’s public security architecture. While the law aims to enhance coordination and efficiency across federal, state, and municipal security forces, it introduces concerning obligations around data sharing and transparency that may significantly impact individuals, domestic entities, and foreign companies operating in or serving customers in Mexico.

The System: Centralized Power and Broad Data Access

A core component of the law is the creation of an expansive “Sistema Nacional de Información” (National Information System), operated by the Executive Secretariat of the Public Security System. This platform will aggregate data from all levels of government and private stakeholders, including individuals and companies.

Entities subject to the law must provide ongoing and timely data contributions to the system, including information relevant to security, justice, and public order—regardless of whether such entities operate physically within Mexican territory or provide services remotely to Mexican customers.

Critically, the law grants extensive access to this data to a wide range of institutions, including:

- Local police forces, - Municipal and state governments,

- Federal agencies,

- State-owned companies, and

- Other undefined “authorized entities.”

This broad and potentially unrestrained access to sensitive information raises significant concerns around data protection, competitive confidentiality, and the misuse of information—particularly in a country where cybersecurity, law enforcement integrity, and institutional safeguards remain uneven.

Key Compliance Risks for Businesses

1. Data Sharing Obligations: The law requires all sectors to contribute data continuously to the National Information System, potentially including employee information, geolocation, internal investigations, communications, or user metadata.

2. Scope of Application: The obligations extend not only to Mexican companies but also to foreign businesses with remote operations or digital services targeting Mexican users, potentially triggering extraterritorial exposure.

3. Privacy and Security Vulnerabilities: With more than a dozen government bodies granted access to the system—and no clear technical safeguards defined—the risk of data leaks, cybercrime, espionage, or illicit access by organized crime is materially heightened.

4. Lack of Recourse or Transparency: Individuals and businesses may not be notified of the use or access to their data, and legal remedies to contest unlawful access or sharing remain uncertain under the new framework.

Strategic Recommendations

Businesses—especially those in technology, telecommunications, fintech, e-commerce, hospitality, retail education, healthcare and logistics—should take immediate steps to evaluate their exposure:

- Conduct a legal audit of any interaction with Mexican users or regulators.

- Review existing data processing and retention policies to ensure compliance with potential reporting mandates.

- Assess cross-border data transfer protocols in light of broader access by Mexican authorities. - Reinforce cybersecurity protocols to guard against potential breaches due to widened information sharing.

- Consider geo-fencing or data segregation strategies to mitigate extraterritorial regulatory reach.

Conclusion

While the General Law of the National Public Security System seeks to modernize Mexico’s security infrastructure, the breadth of its data-sharing mandates and the permissiveness of access to the National Information System present novel challenges to personal privacy, corporate confidentiality, and due process.

Companies operating in or serving Mexico should be proactive in reviewing their legal obligations and technical safeguards. Failure to act could expose them to significant regulatory, reputational, and criminal risk.

We Can Help

If your company is uncertain about the scope of its obligations under the new law or wishes to proactively manage risk, please contact us.

For additional information, please contact any of the following: Sergio Legorreta at sergio.legorreta@fisherbroyles.com, Jair Bravo at jair.bravo@fisherbroyles.com, with any questions or more specific situations.

About

FisherBroyles, LLP Founded in 2002, FisherBroyles, LLP is the first and one of the world’s largest distributed law firm partnerships. The Next Generation Law Firm® has grown to hundreds of partners practicing in 29 markets globally. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at www.fisherbroyles.com to learn more about our firm’s unique approach and how we can best meet your legal needs.

These materials have been prepared for informational purposes only, do not constitute legal advice, and under applicable rules of professional conduct governing attorneys in various jurisdictions, may be considered advertising materials. This information is not intended to and does not create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials and information alone.

© 2025 FisherBroyles, LLP

FisherBroyles is an international law firm practicing in a number of jurisdictions both in the United States and overseas through affiliated legal entities and branch offices of those entities. Legal services in Mexico are provided through Bravo Gutierrez & Münch, S.C., a member of FisherBroyles (the “Contracting Member”), with offices located in Mexico City, at Parque Lincoln, 5th Floor, Aristoteles 77, Polanco, Mexico City, Ciudad de Mexico 11560 and in Monterrey, at Blvd. Antonio L. Rodriguez 3000-5to piso Interior, 501 Torre Albia, Col. Santa Maria 64650 Monterrey, N.L. The FisherBroyles Members engage in coordinated international legal practice and may share certain support services but are separate legal entities, each of which is solely responsible for its own work and is not responsible for the work of any other FisherBroyles Member. Each FisherBroyles Member is subject to the laws and regulations of the particular jurisdiction or jurisdictions in which it operates. Full details of the legal and regulatory status of each FisherBroyles Member are available on the FisherBroyles website. The use of the name FisherBroyles is for description purposes only and does not imply that the Member Firms are in a partnership or are part of an LLP.

The use of the word "partner" on any Member Firm’s website or in any other Member Firm materials refers to a partner or member of a FisherBroyles Member or an employee or consultant with equivalent standing and qualifications. You agree that your relationship is with the Contracting Member and not with another FisherBroyles Member unless otherwise confirmed in writing to you. You also agree that your relationship is not with any individual who is a member, employee, or consultant (including anyone we call a partner) of the Contracting Firm Member, who will therefore assume, to the extent permitted by law, no personal liability to you. Absent the explicit agreement and consent of both entities involved, no FisherBroyles Member is responsible for the acts or omissions of, nor has any authority to obligate or otherwise bind, any other FisherBroyles Member.

2025 Bravo Gutiérrez & Münch, S.C. | All Rights Reserved Worldwide | Privacy Policy | Legal Notices | Contact | Attorney Advertising. Prior results do not guarantee a similar outcome.

English

2025 Bravo Gutiérrez & Münch, S.C. | All Rights Reserved Worldwide | Privacy Policy | Legal Notices | Contact | Attorney Advertising. Prior results do not guarantee a similar outcome.

English