Serious Privacy

viva México: A chat with INAI (Dr. Jonathan Mendoza)

May 17, 2023 Dr. k royal and Paul Breitbarth with Dr. Jonathan Mendoza Season 4 Episode 17
Serious Privacy
viva México: A chat with INAI (Dr. Jonathan Mendoza)
Show Notes Transcript

In this episode of #Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal turn their attention to #Mexico and the wider Latin American data protection developments. Their guest is Dr. Jonathan Mendoza, the Secretary of Personal Data Protection at the National Institute of Transparency, Access to Information, and Personal Data Protection

#INAI is the federal data protection authority in Mexico, and one of the few data protection authorities to host the Global Privacy Assembly twice. Jonathan specializes in disruptive technologies and digital ethics and has worked on industry standards, governance guidance, and collaborations with the private and public sectors regarding privacy and data management. 

As always, if you have comments or questions, let us know - LinkedIn, Twitter @podcastprivacy @euroPaulB @heartofprivacy and email Please do like and write comments on your favorite podcast app so other professionals can find us easier. 

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

[00:00:00] Paul Breitbarth: We promised you that we would spend more time outside the European Union and the United States this season, and so we do. Today we turn our attention to Mexico and the wider Latin American data protection developments. I'm saying we, but you will be mainly hearing from me. Kay is traveling this week, but has provided some questions for our guests to answer and our guest that I have the big pleasure to welcome is Dr.

Jonathan Mendoza, the Secretary of Personal Data Protection at Dean National Institute of Transparency, access to information and personal data protection in Mexico. INAI is the Federal Data Protection Authority there and one of the few data protection authorities to host a global privacy assembly Twice.

Jonathan specializes in disruptive technologies, digital ethics, and has worked on industry standards, governance, guidance, and collaborations with the private and public sectors regarding privacy and data management. My name is Paul Breitbart and welcome to Sirius Privacy. So Jonathan, thank you so much for joining us.

It's been a long time in the making to have you on the show but we are always especially happy to have a regulator on the podcast. So welcome.

[00:01:19] Jonathan Mendoza: It's a pleasure Paul. And Kay, thank you for having me on your fantastic podcast. Congratulations on being ranked as the number one privacy podcast.

[00:01:29] Paul Breitbarth: Thank you.

[00:01:30] Jonathan Mendoza: I'm excited to be here and share my insights on this crucial topics such, such as privacy, data protection, innovation, technology, and Latin American regulation.

[00:01:41] Paul Breitbarth: Very good. And Jonathan, you know that Kay always likes to start with the unexpected questions. So let's give her the floor to ask you that. 

[00:01:44] K Royal Thank you so much. So the unexpected question this week is there are a lot of things that people like. Is there something you don't like? That seems to be very popular with other people. 

And I can start by giving an example. For example. Many people like the movie Willy Wonka. I despise it. I won't watch it. I don't even want to hear the name of it. So there's something that I don't like that a lot of other people do. 

 What about you, Jonathan? 

[00:02:27] Jonathan Mendoza: Maybe socialized. , I, I'm not a good guy related with this socializing.

[00:02:33] Paul Breitbarth: That's a very good answer. I think for me it would be it, it, it would be pop culture and then, and more specifically the, the science fiction and fantasy stuff like Game of Thrones. I've, I've never seen a single episode of Game of Thrones, and really, I also can't be better to start watching it.

[00:02:51] Jonathan Mendoza: Maybe Star wars.

[00:02:53] Paul Breitbarth: Also not really my thing. I hear it's very political, but it's just not worlds that I can relate to. So for me it's not my thing. It's okay. \

[00:03:01] K Royal Oh, that's very interesting for both of you. As Paul knows. I love star wars. But I will say I do not like the game of Thrones. So with this, let me see if I can start with our first question. This may surprise. Y'all. But it seems that a lot of people don't. I know that Mexico actually has pretty strong data. Protection or privacy laws. Especially when it comes to the employment realm. Can you speak to that? 

[00:03:36] Jonathan Mendoza: Sure, let me start by saying something unable. Data protection is critical in the digital age. As technology advances and we become more reliant on digital devices and services, the amount of personal data collected and processed has grown exponentially. For example, we have around 500,000 suites sent every minute, 150,000 messages shared by Facebook users per minute.

and more than 41 million messages shared by WhatsApp users per minute. That is a context,

[00:04:16] Paul Breitbarth: I know it was much, but I didn't know it was that much

[00:04:19] Jonathan Mendoza: definitely as much. Unfortunately, mail many, eh, high profile that bridges and cyber attacks in recent years have compromised the personal information of million of individuals. This incidents have demonstrated the urgent need for strong data protection measures to be put in place to safeguard our data and protect our privacy.

It is urgent to develop and promote preventive measures to eradicate data breaches and abuses of the right to privacy nowadays.

How about Latin America?

[00:04:57] Paul Breitbarth: Mm-hmm.

[00:04:59] Jonathan Mendoza: Latin America is our region of growing importance to the world economy. Let me give you some facts The first, it combines a G D P of almost six 6 trillion US dollars, and a market of 652 million people according to the O S D,

[00:05:19] Paul Breitbarth: Wow.

[00:05:20] Jonathan Mendoza: allow me to provide an example to illustrate this point.

According to recent estimates, 2.5 quintillion data are generated daily in 2022, and at least 1,200 petabytes are saved and extension through digital media. I have a second fact. It is possible the Latin America región comprise Argentina, Bolivia, Brazil, Chile, Colombia, Costa Rica, Cub Republic, Ecuador, El Salvador, Guatemala, Honduras, Panama, para Peru, and on this countries, Bolivia, El Salvador, Hondura, and Venezuela lack data protection.

This means five out of 20 countries lack a data protection law. I want to highlight Chile, which is regarded a pioneer in the region by being the first Latin American country to enact a personal data protection law in 1999 to make up comparison in countries such Argentina, Peru, Columbia, or Mexico. The laws in this area were developed in two thousands.

Main thanks to the influence of the European Union and its concerns for respect for private lives of its citizens. Mexico enacted its law in 2010, and since then most countries have done the same, even though. Chile has also been pioneered by modernizing its exciting personal data protection law, and having topics such as cybersecurity, artificial intelligence, and direct technology trends in its constitution.

Another example, its proposed law includes prohibition on the processing of sensitive personal data, introduces data subject drives. Sets out data protection principle and establishes proactive measures for data processing, such as privacy by design and by default, and other self-regulation mechanisms.

This is Costa Rica Paul. In Latin America, a significant majority of countries around 70% have clear and specific provisions in their constitutions related to the protection of personal data, avails data and privacy. Data protection involves creating guidelines for responsible data collection, storage and examination while considering the individual's right to privacy.

As time has passed, many regions have developed different regulatory frameworks to safeguard personal privacy and information in LatAm. This approach is known as AVAs data. AVAs data is the right of individuals to access, update, rectify, and delete personal data collected by third parties and stored in databases.

In Mexico, we call them the

To make it clear, imagine this, if we make a tri triangle, we will have the national constitutions and data protection laws. We, we just mentioned at the bottom, this triangle on the top of them at our regional level. We have the I American Data Protection Network and the Inter-American Ger Committee of the Organization of American Estate that promote data protection.

These are based on the international documents such as, for example, the AP privacy framework. They always, the guidelines on the protection of privacy and the transporter flows of personal data, the convention. For the protection of individuals regarding automatic processing of personal data and the European Union General Data Protection Regulation, the Convention 108 and the 108 plus of the Council of Europe, which UWA and Argentina has successfully ratified it.

We hope that Mexico is also on the right track

[00:09:45] Paul Breitbarth: Oh, I hope so too. It would be a big step forward.

[00:09:48] Jonathan Mendoza: yeah. And on the top of that, at the peak we have international treaties such us, the American Convention of Human Rights, article 11 and the International Covenant of Civil and Political Rights, article 17, which impose obligations on Latin American nations to respect privacy.

[00:10:07] Paul Breitbarth: Yeah, it's an impressive background. And, and look, just looking at everything that's going on in Latin America especially for, for somebody that doesn't speak Spanish is often hard to keep up. You have so many jurisdictions doing so many amazing things and trying to really keep up with all the developments in, in, in the rest of the world or becoming a front runner, and I think that's impressive.

[00:10:32] Jonathan Mendoza: definitely. And the cherry on the cake. Will be to develop a normative conversions for all. Regulation never stops. Paul.

[00:10:41] Paul Breitbarth: Oh, no

I'm well aware.

no, absolutely, absolutely true. And the, the overview you give is, is indeed very, very impressive. So looking a little bit specifically at, at Mexico what is in i's current focus, what are you working on?

[00:11:01] Jonathan Mendoza: I, I have different or, or more topics about the region, but let me talk a little bit of Mexico. In the case of Mexico, we have the US M C A. Which is a free trade agreement between Mexico, United States and Canada. This 3D includes a particular chapter on e-commerce that focuses on cybersecurity, consumer protection, and cross border data flows.

Regarding data protection, Mexico is a country that has a federal law for the protection of personal data held by private parties. Published in July, 2010 and its regulations published in December, 2011, and a General law for the protection of personal data in the possession of applied subjects published in January, 2017.

Both regulations states that the National Institute of Transparency, access to information and personal data protection in aid shall verify that the law and its regulations are correctly enforced regarding the right to privacy. Mexico recognizes the right private and family life as a fundamental right in Article 16 of its Constitution, article 16 establishes that individuals have the right to enjoy their private and family life residents.

Papers and positions regarding finding the proper adequacy. Mexico is discussing preparation for implementing the Cross-Border Privacy Rules system under the Apex system. The C V P R as you know, consists of a certification mechanism available for companies that seek to facilitate data flows while complying with data protection rules.

[00:12:55] Paul Breitbarth: Also that will be a big step for Mexico to, to join the, the C B P R mechanism after the US and Canada, possibly the UK that is now on the verge of joining and then Mexico as, as one of the key countries. That's a big step.

[00:13:09] Jonathan Mendoza: Yeah, we have these rules in US M C A right now. We have EPIC rules and O E C D rules in the treaty. , but we, we need to implement, we implementing the rules. In in in the 

[00:13:26] Paul Breitbarth: Yeah. And, and for businesses, that is a, that is very important. And of course, also if you, if you would get the, the EU adequacy decision that I know is being negotiated also that would be very important for, for cross border business.

[00:13:41] Jonathan Mendoza: definitely, because data protection. Must be considered part of the digital economy

[00:13:48] Paul Breitbarth: For sure.

[00:13:49] Jonathan Mendoza: and the e-commerce that I have more facts Paul related with the region. It, it is possible to talk about that.

[00:13:58] Paul Breitbarth: Yeah, of course,

[00:13:59] Jonathan Mendoza: Thank you.

[00:14:00] Paul Breitbarth: of course. Let's look a bit at the little, bit more at the, the wider Latin American region because obviously you have all the experience with boots on the ground. You speak to your colleagues on a very regular basis, so let's hear it. What's going on?

[00:14:15] Jonathan Mendoza: Perfect. Thank you. Brail and the European Commission, for example, have a started discussion as a possible European Union Commission at the Koi decision for this third country. As you can see, Latin Americans commitment to data governance and protection is fully taking place. However, it is essential to remember that laws should be adequately designed following the region's economic and social capabilities.

Said so we as a region cannot be adequate to the European laws or any other laws. We need to always keep in mind the situation of our region, Latin American region, and that's what I've been working with many other colleagues to implement a Latin America model, a CBPR R'S model to Latin work. This model will emphasize on ethics and privacy by design key pieces that we allow on the one hand.

Guiding the technological innovation sector to have end-to-end personal data protection infrastructure and systems that warranted the confidentiality and protection to our personal information, as well as having data protection. PO policies based of digital ethics always we. All with an approach that respects human rights with transparent and Audi algorithms that allow proper accountability of responsible, on the other hand, reinforces the frameworks of action of the personal data authorities, as well as the ization of the matter.

They hire the quality and the adherence to ethical and transparent codes of conduct, the greater the trust given to the citizens. This model will build a more robust and concise block of countries working together.

[00:16:12] Paul Breitbarth: So, Jonathan, I know that one of the key topics that, that you focus on is, is disruptive technology the game changers in today's society. So imagine that also everything we see with chat, G P T and other generative AI models and things like that, that they're also part of o of, of your field, of work, of your specialty.

How are these topics dealt with in the Latin American region? Is there any attention for those yet, or do you wait and see what Europe and the US might be doing?

[00:16:43] Jonathan Mendoza: As we mentioned, Paul regulation never stops. Our region is not pulling back. Nowadays, most data protection and privacy conversations are regarding artificial intelligence as AI becomes increasingly integrated into our daily lives. It's essential to consider how data protection and privacy regulations in Latin America keep up with disa.

Advancements. Advancements, and how deal regulations affect individual and businesses. For example, a Colombian judge used charge DT two issue a decision regarding a mean diagnosed with autism's spectrum. That's Columbia Mexican Legi. Mexican legislatures from Bot Design eight and the deputy chamber have no presented initiatives created with artificial intelligence right now.

Also, regarding the ethical use that this technology and multiple tools should have in Mexico exists an initiative with multi stakeholders to create a Mexican national alliance of in artificial intelligence. Call it . But not everything is artificial intelligence. Let me give you concrete examples of other disruptive technologies and their impulse in the region.

[00:18:00] Paul Breitbarth: Yes, please. I, I would love to hear more

[00:18:02] Jonathan Mendoza: Thank you. For example, biometrics, any Mexican who wants to attend a soccer match must now provide the biometric data according to the fan Mexico initiative.

[00:18:14] Paul Breitbarth: and that's, that's a face ID or, or fingerprints or

face id. Wow, that's no fun. If you want to go to a match anymore.

[00:18:23] Jonathan Mendoza: is a little difficult. What do you think about that?

[00:18:27] Paul Breitbarth: I mean, if you are a privacy professional and you want to go to soccer meets,

[00:18:30] Jonathan Mendoza: Yeah,

[00:18:31] Paul Breitbarth: it's choosing between one of your two loves,

[00:18:34] Jonathan Mendoza: You have a problem.


The regulator determined the implementation of a privacy impact assessment because of the big data processing as natural. Regarding the metaverse, let me tell you that Mexico, Argentina, and Colombia have been very fond of it. A member of the Mexico Parliament.

Regarding the Metaverse, let me tell you that Mexico, Argentina, and Colombia have very fond of it. A member of the Mexican Parliament was offered authority to give activity reports to the public by using Metaverse. Javier Lopez Kaine, federal Deputy of the Green Ecology Party of Mexico and President of the Science Technology and Innovation Commission delivered the his first report on legislative activities in the special and mine and Minecraft presently becoming the first legislator worldwide to carry out an accountability exercise in a virtual environment last year.

Was held in Mexico, the carers and International Congress to exchange ideas and develop innovation with digital natives. The Spanish bank, another example, the Spanish bank, B V V A launch in Mexico, the first digital economy fund they offer. Each clients the option of investing in digital projects such as FinTech, non fungible token tokens, NFTs, metaverse, and other business model related to Web 3.0.

The Argentine company go to future created Metaverse Mall, an immersive vehicle 12 shopping center that seeks to add a new experience to existing sales channels. A platform with 3D environments allows buyers and sellers to have an online shopping experience for digital products to resemble physical, last, but not list.

Columbia had its first trial in the Metaverse where, where both parts connected using its avatars.

[00:20:47] Paul Breitbarth: So yeah, digital technology is, is fully embraced, but I'm happy to see that also the data protection side is taken seriously with all the regulators also monitoring all these developments and taking action where needed. When we look at INAI specifically in recent weeks and months, I've read quite a few articles about discussions that you are having with the Mexican government, about the composition of the commission.

Can you tell our listeners a bit more about debt situation?

[00:21:20] Jonathan Mendoza: Sure Paul, that that is not politics. That this is not my specialty. But we have problems with the quorum of the plenary of the, of ai. Right now we have four commissioners and we need. Five to have sessions and to determine a process related with data protection, rights and access, public access information

[00:21:45] Paul Breitbarth: Mm-hmm. . So it is, it is more difficult now to enforce the legislation until a fifth commissioner can be named.

[00:21:53] Jonathan Mendoza: Definitely. We, we have a difficult scenario right now.

[00:21:59] Paul Breitbarth: I can't imagine, let's hope it will be resolved soon, and that the government will be willing to appoint one or multiple more commissioners. We've, we've seen of course, in the United States with the privacy and Civil Liberties Oversight Board, what it can do if a, a quorum is lacking. Then also immediately there are challenges with, with oversight, and even though, The remaining members can make public statements and can issue in their own words warnings without using their official powers.

It is, it is much more difficult.

[00:22:30] Jonathan Mendoza: respect that. , but maybe we can talk about what is next.

[00:22:36] Paul Breitbarth: Absolutely. So what, what, what will happen in the, well, maybe not the coming months, but the coming, the coming couple of years. What, how will the region evolve? Will those five remaining countries adopt their privacy laws?

[00:22:50] Jonathan Mendoza: Maybe in, in a few of countries I don’t know, Chile Costa Rica.

[00:22:57] Paul Breitbarth: So when we, when we look at what's next in the, the Latin American region in the coming years, what developments do you see?

[00:23:04] Jonathan Mendoza: as you know, what is next? What are we facing in Latin America? The first main risk with the popularization of the internet and ESR access to information. Millions of people and companies today enjoy benefits that will be impossible to think of Just a few quis ago. Now we have everything in the palm of our hands.

However, new simplifications of daily life have also generated various challenges, especially regarding the protection and the security of the personal data, of personal data. The main problem that we face is cybersecurity ethics, according to data protection collected in different reports from Fortunate and Kaspersky, about 1,600 cyber attack on companies occur every second.

Mexico and Brazil are the two most cyber attack countries in the region. And together with Columbia registered nine out of 10 attacks in Latin America. Mexico received the most attempted attacks, 107 billion followed by Brazil, 103 billion, Columbia 20 billion, and Peru 15 billion in 2022. Over the past few weeks, Chile and Costa Rica have made significant progress toward approving comprehensive data protection laws.

A potential and decision process between Brazil and the European Union may be in the works. Finally. Resent judicial activity in Brazilian and Colombian courts addresses the applicability of the data protection law and the use of generative AI to issue judicial determinations.

[00:24:52] Paul Breitbarth: It's a lot that's going on.

 So, Jonathan, maybe as a, as a final question and just out of curiosity, but how did you end up in, in privacy and data protection and at, at the, the data protection authority? At I, I.

[00:25:07] Jonathan Mendoza: I will tell you a little of my story, Paul. I started working, working at INAI on June 1st, 20, 20 14. I was 31 years old when I arrived at Dana Mexico. My first feeling open arrival was solution followed by uncertainty. I was the first time that I worked in an institution that warranted. Human rights and I felt a great responsibility.

My approach to the rise of access to information and protection of personal data had been very tangential, but there was an opportunity in front of my, of me, and I took it. A lawyer initially trained it in the private sector, now working in a constitutional autonomous body that warranties human rights a few months later.

I received another opportunity in November the ninth, plenary in November of 2014 in the disciplinary appointed. My me, general Director of investigation and verification of the personal data protection secretariat for almost four years. I had the position, which was not easy at all. I face it for the first time, the inequality of conditions and the frustration of the processes.

It was the first time I felt that problems and work stress were overtaking me. It was a time of professional suffering and personal ground. I had to demand much more of myself and stop turning to see others. I met great people on that road. I had a lot of personal satisfaction and it was right there.

Out of frustration and disadvantage, we, when I began to enjoy what I do, fighting for human rights is not an overnight process. Even more so if they are not known. It involves a process of falling in love. My passion is data protection and privacy, and I work daily to achieve the best of it. Thank you, Paul.

[00:27:38] Paul Breitbarth: Well, that's absolutely true, and as I said, the once you, once you get bitten by the buck of privacy. It never lets you go.

Well, thank you. Thank you so much for joining me, for joining us today for this episode of Serious Privacy.

[00:27:53] Jonathan Mendoza: Well, thanks Paul and Kay, and thank you listeners for turning into this discussion on privacy. I hope you have enjoyed this conversation as much as I have, especially given you a perspective tip of the Latin America region. I expect you found this podcast informative and short. Provoking. If you have any questions or want to continue this conversation, you can find me on Twitter as Johnny Manson.

Thank you for listening, and until next time, goodbye.

[00:28:25] Paul Breitbarth: That's my language actually. So indeed, if you want to follow Jonathan you'll find him as Johnny Mendoza. You'll find me as Euro pal. B. You'll find Kay as heart of privacy. And don't forget to also join the conversation on LinkedIn under Sirius Privacy. We love all our listeners. We love this conversation.

I've learned a lot. About all that is happening in the Latin American region. And it is a lot. And we'll promise to continue talking about this throughout the year. Until next week, goodbye.