MEXICO Law and Practice Contributed by: Fernando Hernández G., Elvia Ríos Saldaña, Ana Karen Inzunza Sánchez and Luis Andrés Estrada Intriago, Vázquez Aldana, Hernández Gómez & Associates (VAHG)
IP, Confidentiality and Cybersecurity A fourth exposure concerns IP, confidentiality and cybersecurity. Mexico has no enacted horizontal AI rule that comprehensively addresses ownership of AI- assisted outputs – therefore, existing copyright, indus - trial property, trade secret and contract rules continue to apply. At the same time, cyber intrusions into AI environments, unauthorised access to systems, data exfiltration and misuse of protected information may trigger both civil and criminal consequences under general information system offences and secrecy rules. Enforcement may therefore come from data pro - tection authorities, PROFECO, the National Banking and Securities Commission, shareholders and inves - tors, the civil courts, IP authorities ( Instituto Mexicano de la Propiedad Industrial – IMPI/ Instituto Nacional del Derecho de Autor – INDAUTOR) and criminal prosecu - tors. For boards and officers specifically, the practical test in Mexico is whether AI-related conduct falls within existing duties of care, loyalty, confidentiality, internal control, lawful information handling and market dis - closure. In listed companies, that link is strong and direct. In private companies, it is less codified but still real under the L.G.S.M., and general civil/commercial principles. 8.4 Key Disclosure Requirements for AI Use Mexico does not currently impose a standalone, cross-sector requirement for companies to disclose AI use, AI governance or AI incidents merely because they involve AI. There is no general Mexican equiva - lent, as of today, to a universal AI-reporting statute for annual reports or sustainability reports. Instead, disclosure turns on materiality, sector and document type.
For listed issuers, AI-related disclosure obligations are captured through the ordinary securities framework. Prospectus and offering materials must include the issuer’s risk factors and contingencies; annual report - ing under National Banking and Securities Commis - sion rules is built around risk-factor disclosure; and issuers must immediately disclose relevant events once known, together with all relevant information relating to them. Accordingly, if AI is materially linked to the issuer’s business model, internal controls, cybersecurity posture, product functionality, regula - tory exposure, litigation, reputation, or operational continuity, it may need to be disclosed even though the rulebook does not say “AI” expressly. The same applies where an issuer’s public statements about AI are incomplete, imprecise or confusing. For annual reports and sustainability-type reporting, the key point is that Mexican law presently works through general risk-disclosure logic rather than AI- specific line items. For private non-listed companies, there is generally no duty to publish AI strategy or AI incidents to the market. The Chapultepec Principles reinforce human responsibility as policy expectations, but they do not yet create a hard-law disclosure regime.
504 CHAMBERS.COM
Powered by FlippingBook