Mexico’s proposed data-collection laws raise questions about privacy and oversight

Mexico has introduced a package of bills that would expand state access to personal data and allow authorities – including the military – to gather, combine, and analyse sensitive information about the entire population. According to ARTICLE 19, the international freedom-of-expression organisation, these measures pose serious risks to privacy and civil liberties and could set a troubling precedent across the region. (This article reports on the position of ARTICLE 19)

What the new laws would do

The legislative package would give government agencies broad powers to collect and interlink multiple categories of data, including:

• biometric identifiers such as fingerprints and facial data
• financial and tax records
• health information
• telecommunications and internet-use data
• real-time geolocation

This information would be stored in centralised systems accessible to both civilian bodies and security forces.

A key element is the mandatory biometric Unique Population Registry Code (CURP). This identifier would sit in a government-run platform connected to public and private databases, effectively creating a unified national data profile for each resident.

Another measure would establish a Central Intelligence Platform. It would allow Mexico’s National Intelligence Center and National Guard to access personal data held by public agencies and private companies in real time — without requiring a court order.

Authorities would also retain powers to track individuals’ locations without judicial oversight, including through military institutions.

Implications for digital platforms

The reforms extend to online platforms and digital services. A proposal to add Article 30-B to Mexico’s Federal Tax Code would allow the tax authority to temporarily block digital platforms that it believes obstruct tax compliance. ARTICLE 19 notes that such broad discretion could be used to disrupt online services or limit access to information.

Rights groups warn of precedent

ARTICLE 19 links the legislation to a longer pattern of surveillance practices in Mexico. These include documented use of Pegasus spyware against journalists and activists, and past instances of unlawful access to communications data.

The organisation argues that instead of curbing abuse, the new framework risks normalising and legalising excessive monitoring. It emphasises that strong privacy protections and judicial oversight are core safeguards in democratic systems, particularly where security forces play a role in data access.

Regional significance

Beyond Mexico, ARTICLE 19 warns that the laws could serve as a model for other governments in Latin America seeking to expand digital-surveillance capacities. The group calls on Mexico to reconsider the reforms and prioritise human rights standards in data governance.

(This article reflects the concerns raised by ARTICLE 19 about the proposed legislation.)