MEXICO Law and Practice Contributed by: Ricardo García Giorgana, Carlos Chavez Alanis and Xavier Careaga Franco, Galicia Abogados
Cybersecurity Companies must provide device security; secur - ing IoT devices is paramount. Many devices have limited processing power and memory, making it difficult to implement strong security measures. Companies need to address vulnerabilities such as default passwords, lack of firmware updates, insecure communications protocols and physi - cal tampering. Concerning network security, companies need to implement measures to prevent unauthorised access, data breaches and denial-of-service attacks. Concerning data security, protect - ing data in transit and at rest is essential. This includes using encryption, access controls and data loss prevention measures. Finally, concern - ing incident response, having a plan to respond to security incidents and data breaches is cru - cial, including providing proper notification to Concerning product safety, companies must comply with safety standards and regulations to prevent harm to users. Concerning transparency and information, companies must provide clear and accurate information to consumers about the functionalities of IoT devices, data collection practices and potential risks. Finally, determining liability in case of accidents or damages caused by IoT devices can be complex. Companies need to consider product liability, negligence and other legal issues. Interoperability and Standardization Companies must comply with national and inter - national interoperability and standardisation regulations to avoid interoperability and safety issues. Proper risk assessments are crucial for IoT companies, encompassing compliance with general and sector-specific regulations, best users and regulators. Consumer Protection
practices and a thorough evaluation of their sup - ply chains, components and products. 4.3 Data Sharing Domestic and international transfers of personal data in Mexico require the data owner’s informed consent. The privacy notice of the IoT company must specify the transferees (or their category) and the purpose of the transfer. Additionally, the IoT company must provide the transferee with its privacy notice to ensure they process and transfer data only for the consented purposes. The Privacy Law applies uniformly to all compa - nies handling personal data, including IoT com - panies, with exceptions for transfers within the same corporate group. In such cases, consent is not required but must be disclosed, and bind - ing internal rules for data protection must be in place. Sensitive personal data, including financial, pat - rimonial and biometric data, is subject to stricter regulations under the Privacy Law. This includes express and written consent, restricted databas - ing and doubled administrative liabilities. How - ever, no additional requirements specifically govern the transfer of sensitive data beyond these general provisions. 5. Audiovisual Media Services 5.1 Requirements and Authorisation Procedures In telecommunications and broadcasting, a licence is mandatory for providing public ser - vices. These licences, issued under the Federal Telecommunications and Broadcasting Law (FTBL), are granted for up to 30 years and may be renewed. Free-to-air TV, broadcast radio and other services requiring spectrum frequencies
285 CHAMBERS.COM
Powered by FlippingBook