Latest news

Consolidation of National Consultations “Towards a National Cybersecurity Strategy for Mexico”

Sorry, this entry is only available in Español.


International Cybersecurity Summer School 2017 in the Hague (#ICSSS2017)

The #ICSSS2017 will take place in The Hague, the Netherlands, from Sunday 20 to Friday 25 August. #ICSSS2017 will host 60 students during a six-day programme, which will cover various aspects of cyber security. The main focus will be on technology issues but legal and policy aspects will also be included in the content of the course. In addition to lectures from NATO C&I Agency, Europol, The Netherlands Ministry of Defense Cyber Command and Leiden University, students will also receive lectures from national and international organizations.

ProtDataMx’s Director, Cristos Velasco, was selected to attend this course in The Hague. In his opinion:

“The course represents not only an excellent opportunity to grasp and learn the most advanced techniques and procedures used by information security experts and law enforcement authorities to investigate cybercrime and trace perpetrators, but particularly an excellent occasion for networking and meeting up face to face with high level experts & public officials from EU institutions and national cyber defense authorities that will enable and promote international cooperation with experts from other countries.”

The full programme of the #ICSSS2017 is available at:


Council of Europe Guidelines on the protection of individuals with regard to the processing of personal data in a world of Big Data

Sorry, this entry is only available in Español.


World Data Protection Day 2017

Sorry, this entry is only available in Español.


Sanction Procedure against AT&T for non-compliance with the FLBR and the FLPPDPP

Sorry, this entry is only available in Español.


EU-US Privacy Shield Published in EU Official Journal

The EU-US Privacy Shield was officially published on August 1st in the EU Official Journal.

The EU-US Privacy Shield is a mechanism that allows the transfer of personal data from any member state of the European Union to a company located in the United States. American companies are now obliged to use, store and process personal information according to a strong set of data protection rules and safeguards based on the EU Data Protection Directive 95/46/EC and the EU General Data Protection Regulation, the latter of which will be in full force from 1 May 2018.

The protection of personal data under the EU-US Privacy Shield applies regardless of whether an individual is an EU citizen or not.

Further info on the Privacy Shield:

EC Guide to the EU-U.S. Privacy Shield

Press Release from

IAPP’s Resource Center


European Parliament Adopts Directive on Security of Network and Information Systems

On 6 July of this year, the Plenary of the European Parliament adopted the Directive on Security of Network and Information Systems, better known by its English acronym as the NIS Directive. The main objective of the Directive is to foster a high common level of security of network and information systems within EU member countries by improving cybersecurity capabilities at national level; increasing cooperation at regional level; creating common rules for risk management and handling; and establishing incident notification obligations for operators of essential services and digital service providers.

The NIS Directive will apply to the following sectors: (i) Energy: electricity, oil and gas; (ii) Transport: air, rail, maritime and land; (iii) Banking: credit institutions; (iv) Financial market infrastructure: trading venues and central counterparties; (v) Health: healthcare establishments; (vi) Water: supply and distribution of drinking water; (vii) Digital infrastructure: Internet exchange points, domain name system service providers and top-level domain name registrars.

The most relevant provisions of the NIS Directive include:

1. The creation of a cooperation group made up of representatives of the Member States, the European Commission and ENISA, divided in turn into four main areas of work: (i) Planning; (ii) Governance; (iii) Sharing information and improving practices on the management of risks and incidents, increasing awareness and training; and (iv) Reporting every year and a half on the experience and progress achieved through cooperation among its members.

2. Fostering and increasing cooperation between Computer Emergency Response Teams (CERTs) and institutions, agencies and bodies of the European Union for the exchange of information on incidents involving computer systems.

3. Risk management and incident notification obligations for operators of essential services and digital service providers. Communications service operators must adopt appropriate security measures and notify serious incidents to the relevant national authorities. Security measures may include: (i) risk prevention; (ii) securing information networks and security systems; and (iii) minimising the impact of incidents.

The NIS Directive was published in the Official Journal of the European Union on 19 July 2016. Member States will have 21 months to adopt and transpose it into their respective national legal frameworks, as well as an additional period of six months to identify operators of critical infrastructure and essential services, among other obligations.

Further information on the adoption of the NIS Directive is available at:

Publication in the Official Journal of the European Union

European Commission portal

European Commission Questions and Answers on the NIS Directive and timeline for its implementation at national level

Statement by Vice-President Ansip and Commissioner Oettinger on the adoption of the NIS Directive

Notes from the Director of IAPP Europe


Official launch of the OECD Broadband Policy Tool-Kit for Latin America and the Caribbean

The OECD Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit, a joint project of the OECD and the International Development Bank (IDB), was officially launched last June 21 during the 2016 OECD Ministerial Meeting held in Cancun, Mexico.

As part of my expertise in the field, I was hired as a consultant to draft Chapter 14 on Digital Security Risk Management and Chapter 15 on Privacy Protection. Both chapters provide an overall situation on policies and best practices in the field of privacy and digital security management in selected countries of LAC.

Any comments or perspectives on said chapters are very welcome.

For further information on the Toolkit, see the official website of the OECD

Follow the Twitter hashtag: #OECDdigitalMX @OECDInnovation



Cyber Law in Mexico by Cristos Velasco

Wolters Kluwer Law & Business has published the third edition of my book: Cyber Law in Mexico [ISBN-978-90-411-6855-9].

This book is part of the renowned “International Encyclopaedia for Cyber Law” coordinated by Jos Dumortier, former professor at the Catholic University of Leuven in Belgium and Mr. Ruben Roex.

As in previous years, this Monograph is now available as “print on demand” (electronic or printed format) for those interested in purchasing it separately, without having to buy all six volumes of the “International Encyclopaedia for Cyber Law”.

This edition contains a total of 416 pages and is updated until February 2016. It is currently the only available book in Mexico on the subject published in English. It contains a general introduction; statistics and background of the political system, population and geography; telecommunications infrastructure; statistics and current data on information technology, broadband and telecommunications investment; electronic commerce; domain names; competitiveness and e-government. Likewise, this book is divided into nine main areas of practice with different chapters and sub-sections, and a final section of conclusions as follows:

I. Regulation of the Information Technology and Communications Market contains the legal and regulatory framework of the telecommunications sector, which includes an exhaustive analysis of the Federal Law on Telecommunications and Broadcasting and the activities of the national regulatory authority IFT; an analysis of the competition framework in telecommunications under the current laws and treaties and the activities and fines established by the Antitrust regulator Cofece. This section also includes a review of the rules on standardization, certification and homologation of telecommunications equipment.

II. Protection of Intellectual Property in the ICT Sector includes a review of the national rules on copyright in the area of ICT, legal protection of software, databases, computer chips, trademark and trade scheme licenses, the current legal framework of Internet domain name registration, including the domain name disputes administered by WIPO and a review of the Anti-Counterfeiting Agreement (ACTA) and its signature by the Mexican authorities.

III. ICT Contracts incorporates an analysis of the legal framework applicable to software, government and electronic contracts.

IV. Electronic Transactions includes an analysis of the rules for the formation of electronic agreements, the regulation of electronic commerce, electronic signatures and certification service providers in the following sectors: commerce, consumers, financial & banking, administrative procedures and tax and fiscal obligations; a review of the rules on preservation of data messages, the rules on applicable law and jurisdiction for consumers, unsolicited communications (spam) and marketing practices and a review of the status of national digital identity cards and online banking statistics.

V. Extra-Contractual Liability incorporates an analysis of the rules on non-contractual liability, negligence damage and redress and liability of network operators and Internet service providers.

VI. Online Legal Proceedings includes an analysis of the legal and administrative framework on online trial proceedings, the national online justice system and the sanctions imposed by the Federal Tribunal of Fiscal and Administrative Justice.

VII. Privacy and Data Protection incorporates an analysis of the constitutional reforms in the area of privacy and data protection, of Federal and State legislation on data protection, including an exhaustive review of the provisions of the Federal Law on Protection of Personal Data in Possession of Private Parties (LFPDPPP) and its Regulation and each of the instruments and guidelines on data protection issued by the national data protection authority INAI; the fines and sanctions against data controllers and data processors established by INAI; analysis of the jurisprudence and case law on privacy and data protection issued by the Supreme Court of Justice and Federal Tribunals and Internet industry related studies and statistics on data protection.

VIII. Transparency and Access to Government Information includes an analysis of the constitutional reform on access to information and the Federal Law of Transparency and Access to Public Government Information and Data Protection (FLTAPGIDP), state laws, information on the electronic system for access to information requests and relevant statistics on access to information from the national authority INAI.

IX. Computer and Internet related Crime includes an analysis of the substantive provisions of the Federal Criminal Code in the area of ICT, interception of private communications, geographic tracking of mobile equipment by law enforcement authorities and cooperation on criminal investigations, offenses related to computer systems, infringement of copyrights, offenses against the security of the nation, use and recognition of digital evidence for criminal investigations under the new National Criminal Procedure Code, the substantive and procedural rules on criminal jurisdiction, law initiatives on cybercrime, activities on international cooperation and national statistics on cybercrime, state legislation, law enforcement activities against cybercrime; an analysis of the national strategy on cyber security of the federal government, which includes the work of the national CERT-MX of the Scientific Division of the Federal Police and awareness activities on cyber security.

X. Final Conclusions

This book contains a “Thematic Index” with keywords within 776 numbered paragraphs of the text, which enables the reader to search for specific terms related to the regulation of information technologies in Mexico.

I am very grateful to my colleague and friend Mtro. Julio César Vega, Director of the Internet Mexican Association (AMIPCI), for having drafted the preface to the third edition of the book.

It is worth mentioning that I will be presenting this book in conferences and seminars related to the regulation of ICT’s, as well as in Universities and academic circles in Mexico and Europe during 2016.

The book can now be purchased directly through: Wolters Kluwer Law & Business


Rodrigo Orenday’s Article on INE’s Data Leak Scandal

Sorry, this entry is only available in Español.