Mexico's Transparency Institute Investigates Football Federation Over Improper Use of Personal Data

By Goodrich, Riquelme y Asociados

The Mexican National Institute of Transparency (INAI) has initiated a sanction process against the Mexican Football Federation (Femexfut) over its handling of personal and biometric data through its Fan ID application. The investigation centers on the opaque collection and use of sensitive information, raising concerns about privacy, consent, and compliance with federal data protection laws.

Launched in 2022, the Fan ID system was initially designed to track and penalize fans involved in discriminatory behavior, particularly homophobic chants, and later expanded to identify individuals involved in violent incidents at football matches. The app collects a range of personal data, including names, contact information, official IDs, and even biometric data such as facial recognition and retina scans. Femexfut contracted a tech company to collect and process this information, but the INAI is now scrutinizing whether the proper legal protocols for data protection were followed.

The investigation is focused on Femexfut's failure to ensure transparency and obtain explicit consent from users for the collection and use of their sensitive data, in violation of Mexico’s data protection law. The INAI determined that Femexfut remained ultimately responsible for the protection of this information.

The case has unfolded amid a controversial period for the INAI, which is in the process of being dissolved and replaced by government oversight, raising questions about the institution's ability to enforce data protection regulations effectively. 

In Mexico, there are two main laws for personal data protection:

-Federal Law on the Protection of Personal Data Held by Private Parties (FLPPDHPP) and its regulations, which govern data processing by private companies and individuals.
-General Law on the Protection of Personal Data Held by Mandated Parties, which applies to data processing by federal authorities, entities, bodies, agencies of the executive, legislative, and judicial branches, autonomous bodies, political parties, trusts, and public funds.

The INAI plays a critical role in enforcing the FLPPDHPP. Their responsibilities include:

-Conducting investigations into alleged data protection violations.
-Reviewing and potentially sanctioning organisations that fail to comply with the FLPPDHPP.
-Authorising, overseeing, and revoking the certifications of entities that help businesses comply with the law.

The INAI works alongside the Ministry of Economy, which focuses on educating businesses about their data protection obligations and issuing guidelines for the content and scope of Privacy Notices. These notices, similar to privacy policies in the EU, inform individuals about how their data is collected, used, and protected.