Digital business in Mexico: overview by BGBG by BGBGabogados

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

Digital business in Mexico: overview by Carlos J. Diaz Sobrino and Valery Tapia, BGBG Abogados

Country Q&A | Law stated as at 01-Mar-2019 | Mexico A Q&A guide to digital business in Mexico. The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform. To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool. This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/ digital-business-guide.

Regulatory overview

1. What are the relevant regulations for doing business online (for business-to-business and businessto-customer)?

There is no specific legislation in Mexico that governs doing business over the internet. Mexico does not have an IT law, which means that the activities carried out on the internet are regulated in accordance with general provisions of law (civil and commercial). Regardless of the parties involved in the transaction or the venue in which it exists, when carrying out any business operation, the Commercial Code (Código de Comercio) is applicable. The Code of Commerce includes a brief section dedicated to online business transactions, which mainly focuses on establishing the dispositions related to authentication of the parties participating on the online business transaction. The Civil Code is also applicable to these transactions, in relation to the matters not covered by the Code of Commerce. In addition, there is a specific chapter in the Mexican Consumer Protection Law (Ley Federal de Protección al Consumidor) that regulates the rights of consumers in transactions carried out by electronic means. The Consumer Protection Law establishes specific obligations when performing transaction on the Internet: •

The service provider must use the information the consumer provides on a confidential basis.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

•

The service provider must use any of the technical elements available to offer safety and confidentiality regarding the information the consumer provides.

•

Before carrying out the transaction, the service provider must provide the consumer its physical address, telephone numbers and other means where the consumer can file claims.

•

The service provider must avoid deceptive commercial practices regarding the characteristics of the products.

•

The consumer has the right to know the terms, conditions, costs, additional charges if applicable, and terms of payment of the goods and services offered by the service provider.

•

The service provider must honour the decision of the consumer on the quantity and quality of the products the consumer wishes to receive, as well as the decision not to receive any advertising.

•

The service provider must abstain from using sales or advertising strategies that do not provide the consumer with clear and enough information on the services offered.

2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?

The relevant regulatory authority responsible for telecommunications and broadcasting matters (including competition in such matters) is the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones (IFT)). The IFT was created as a constitutional independent entity, whose purpose is the efficient development of the telecommunications and broadcasting services, and the correct development of competence on these sectors. With regards to e-commerce, Mexico has the Mexican Consumer Protection Agency (PROFECO) which enforces the Mexican Consumer Protection Law. For data protection, Mexico has as Data Protection Agency, the Federal Institute for Access to Public Information and Data Protection (INAI) which is in charge of enforcing the Mexican Data Protection Laws (either applicable to individuals or to government entities).

Setting up a business online

3. What are the common steps a company must take to set up an existing/new business online?

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

To do business online, a company should be incorporated in accordance with a standard incorporation process. The general steps to incorporate a company by foreigners include: •

Requesting and obtaining the name authorisation permit from Mexican authorities for incorporation purposes.

•

Preparing special powers of attorney for foreign company members.

•

Preparing documentation of the Mexican entity (bye laws).

•

Notarisation of company members' powers of attorney before Mexican notary public.

•

Notarisation of the company documents before Mexican notary public.

Up until 2016, incorporation of a company had to be completed by two or more shareholders/partners. In 2016, the simplified joint stock company (Sociedad por Acciones Simplificada (SAS)) was introduced, which allows incorporation by a single shareholder. To incorporate a SAS the following requirements must be met: •

Shareholder(s) must each have an electronic signature.

•

Shareholders must obtain an authorisation to use the corporate name. This authorisation can be obtained online.

•

Shareholder(s) must not have annual income surpassing MXN5 million.

•

Shareholder(s) cannot be decision-making shareholders in another company at the same time.

Other advantages of SAS include the following: •

Shareholders do not need to have a minimum share capital.

•

Liability of their shareholders is strictly limited to the amount of their contributions.

•

The entire incorporation process of an SAS can be completed online (unless shareholders wish to formalise it before a notary public).

4. What are the relevant types of parties that an online business can expect to contract with?

Depending on the company's line of business, the parties involved may differ. However, in general terms, whenever a new online business sets up, agreements must be executed with the domain provider and the host of the webpage. In the case that the online business is set up in an app, an agreement must also be executed with any of the different app stores in the market. On the other hand, an online business will perform commercial relations with its suppliers, whether payment, services or goods suppliers, to carry out their business.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

5. What are the procedures for developing and distributing an app?

The development of an app should be completed through an agreement in which the intellectual property rights are understood to be part of a work for hire relationship. It is important to draft an agreement which fully specifies who will be the owner of the commercial IP linked to such app.

Running a business online Electronic contracts

6.Is it possible to form a contract electronically? If so, what are the requirements for electronic contract formation? Please comment on the enforceability of click-wrap, browse-wrap and shrinkwrap contracts.

The Code of Commerce allows the use and validity of electronic signatures (whether simple electronic signature or advanced electronic signature) in any type of commercial transactions and consumer transactions. The Federal Civil Code also establishes that if an express consent is required, this can be expressed by electronic means or by any other technology. Therefore, electronic signatures are allowed in contracts among private parties. Further, under Article 97 of the Code of Commerce, when the law requires a signature or when the parties agree the use of a signature in connection to a data message, this requirement is met by an electronic signature if such signature is appropriate for the purposes for which the data message was generated or communicated. Therefore, by virtue of the above provisions, the general rule for electronic signatures in Mexico is that they may replace handwritten signatures. There are two types of electronic signatures in Mexico: â&#x20AC;˘

Simple electronic signatures.

â&#x20AC;˘

Advanced electronic signatures.

The usage of the simple electronic signature may not be advisable in all types of acts, agreements or contracts, as with this type of electronic signature it is difficult to have the attributability characteristic needed to enforce it, although contractually it can be accepted.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

Click-through and click-wrap agreements, are considered standard agreements. Usually for their execution the signatory only needs to agree them in an express or tacit form, without amending or negotiating any of their terms and conditions. However, in case of any dispute regarding these types of agreement, the party seeking enforcement will most likely face the problem of attributing such consent to its counterparty. To have more elements to make the execution of these agreements attributable to the client/user, it is advisable that: •

The agreements are drafted in Spanish, with a legible font size.

•

The terms and conditions are easily visible during the acceptance and for further reviews by the client/user.

•

There is an "accept" and "deny" button accessible for the client/user.

•

There is a notification informing the client/user that through the "accept" button they will be bound by the terms and conditions of the contract.

•

An electronic registry is established where the user/client, date, hour and any other relevant data is recorded when the user/client accepts the agreement or the terms and conditions.

7. What laws govern contracting on the internet?

As mentioned in Question 1, as with any other type of business, the Mexican Code of Commerce is applicable to any business transaction. There are no specific laws relevant to the transactions on the internet. However, depending on its line of business, other regulatory provisions must be observed. See Question 1 for more information.

8. Are there any limitations in relation to electronic contracts?

In commercial transactions in the private sector, the usage of simple or advanced electronic signature can be freely agreed between the parties, as the law allows the consent to be expressed through electronic, optical or other technological means. However, there are certain requirements for electronic signatures to be enforceable. The simple electronic signature must be attributable to the parties and accessible for further review. Because of these requirements, the usage of this type of electronic signature is not advisable as the attributability requirement is very difficult to prove before a judge. Certain documents that must be executed before a notary public. Therefore, such acts must be executed with a handwritten signature in front of the notary public. Examples of the latter include some M&A documents as well as documents that transfer real estate, which cannot be signed electronically. © 2019 Thomson Reuters. All rights reserved.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

There may also be provisions in bye-laws of the companies that may prohibit expressing consent by electronic signature or by electronic means. In the banking sector, the banking institutions have the authorisation to issue digital certificates when entering into electronic transactions with users of financial services, as well as to carry out certification service activities, such as registry and distribution of digital certificates. Electronic contracts are commonly used in this sector. In public procurement, the usage of electronic signature depends on the type of procurement. Documents related to electronic procurement can be signed electronically. In electronic procurement, the web system called Compranet is used to publish the call, present the offer and announce the award. In the presentation of the offer the bidder can execute it electronically by means of an advanced e-signature or by a simple e-signature (depending on the call). In mixed procurement, both Compranet and physical documents are used. In physical procurement all documents provided by the bidder must be delivered personally in writing to the relevant authority.

9. Are there any data retention requirements in relation to personal data collected and processed via electronic contracting?

Under the general rule in the Code of Commerce, documents or data messages that contain rights and obligations must be retained for ten years. There is no obligation for companies to make hardcopy backups of the electronic messages which will be retained, nor to make electronic backups of the hardcopy documents. Personal data cannot be stored indefinitely, unless a legal provision requires so. The amount of time for which personal data can be stored depends on the purposes of such processing. Personal data must be blocked and deleted when the purposes of the processing have been reached or after a legal retention period is over.

10. Are there any trusted site accreditations available?

Currently the Mexican Internet Association (AsociaciĂłn de Internet.mx) provides trust stamps (Sello de Confianza). After an evaluation process, the online business can insert such stamp on its webpage, and the Internet Association will redirect any person who clicks on such stamp to the information on the webpage owners.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

To obtain the stamp, the webpage owners must submit an application and pay the corresponding fees. More information is available on https://sellosdeconfianza.org.mx/.

11. What remedies are available for breach of an electronic contract?

The same remedies applicable to any type of contract may apply to electronic contracts. These remedies may include any of the following: Any remedies related to a penalty clause mutually agreed to by the parties on the contract. Payment of liquidated damages, following a judicial or arbitral procedure. Specific performance of the contract, following a judicial or arbitral procedure. Payment of any accrued interests, in case of breach of any payment obligations. Interests can be mutually agreed by the parties in the contract. However, both the Civil and the Commercial Code establish interest rates which may be applicable if the parties did not agree to any specific rate. E-signatures

12. Does the law recognise e-signatures? To what extent and when are e-signatures used in electronic contracting? Are they required in most transactions, or very few?

Under Article 89 bis of the Code of Commerce, the information contained in a data message must be valid and enforceable. This is relevant because any electronic signature is considered a type of data included and incorporated in a data message. Likewise, under Article 93 of the Code of Commerce, written and electronic documents are equivalent, as it is expressly established that when any law requires an agreement to be executed in a written form, such requirement will be met when using data messages. However, the information contained must be kept integral and accessible for further consultations. Further, if any law requires a handwritten signature, the Code of Commerce provides that such requirement will be met if the data message where the electronic signature is contained is attributable to the signatory party. Based on the above, as a general rule under Mexican law, written signatures can be replaced by a data message with electronic signature if the following conditions are met:

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

•

Integrity of the information.

•

Accessibility for further consultations.

•

Attributability to the parties.

The equivalence of handwritten signatures with electronic signatures does not apply to commercial matters only, but also to civil matters, under Article 1834 bis of the Federal Civil Code. Advanced electronic signatures (see, Format of e-signatures) have been regulated in the law. The law provides that, in addition to the requirements set out in Article 97 of the Code of Commerce, the issuance of an advanced electronic signature is subject to certain requirements and authorisations. These include, for example, the need for a digital certificate and a private key, which are issued by a Certification Service Provider. The regulations cover in detail the use of the advanced electronic signature, and related services. Certification Service Providers must be recognised as such by the Ministry of Economy (Secretaría de Economía) and must comply with several rules and obligations for their operation and for the issuance of the digital certificates. The use of simple or advanced electronic signatures can be freely agreed by the parties, as the law allows the consent to be expressed through electronic, optical or other technological means. Therefore, under Mexican law the agreements executed by the exchange of data messages with the use of electronic signatures (whether simple or advanced) are subject to the same rules as the agreements executed with written signatures. Applicable legislation On 29 May 2000, several provisions of the Federal Civil Code (Código Civil Federal) and the Code of Commerce (Código de Comercio) were amended to recognise the validity and enforceability of agreements executed by electronic means. Likewise, on 29 August 2003, the Code of Commerce was amended to incorporate rules regarding the usage of electronic signatures. Finally, on 11 January 2012, the Law of the Advanced Electronic Signature (Ley de Firma Electrónica Avanzada) (LAES) was published in the Official Daily of the Federation (Diario Oficial de la Federación) (DOF), on 21 March 2014, the Regulations to the Law were published in the DOF (the Regulations) and on 21 October 2016, the General Dispositions regarding the Law of the Advanced Electronic Signature were issued. The provisions contained in the Code of Commerce and in the LAES and Regulations are federal. Therefore, such provisions are applicable throughout Mexico in all commercial matters. Definition of e-signatures Under Article 89 of the Code of Commerce, an electronic signature is electronically delivered data through a data message, or data attached or logically associated to the data message through any kind of technology. Such data is used to identify signatory in relation to the data message and to indicate that signatory approves the information contained on the data message and produces the same legal effects that an original signature and is admissible as evidence on any trial. Format of e-signatures The Code of Commerce distinguishes: •

Simple electronic signatures.

•

Advanced electronic signatures.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

Under Article 97 of the Code of Commerce, simple electronic signatures are considered advanced electronic signatures if they meet the following requirements: •

The creation data of the electronic signature, within the context in which it is used, relates exclusively to the signatory.

•

The creation data of the electronic signature is, at the moment of the execution, under the sole control of the signatory.

•

It is possible to detect any alteration to the electronic signature after the execution date.

•

It is possible to detect any alteration to the integrity of the data message after the signing.

If the electronic signature meets the above requirements, it is deemed as advanced and provides a legal presumption that the electronic signature is reliable and attributable to the signatory.

13. Are there any limitations on the use of e-signatures?

Although there are is express prohibition for the use of electronic signatures for specific acts, there can be express requirements in the form/solemnity to express the consent for certain acts, agreements or contracts in order to make them valid and enforceable. Specifically, there are certain types of acts that must be executed before a notary public or certain administrative procedures which cannot be executed using electronic signatures. Despite the fact that the Code of Commerce and the Federal Civil Code establish that the public notaries and public brokers (Corredores Públicos) can authorise agreements in which electronic signatures have been used, in the practice such ability has not been developed as there is a lack of technological infrastructure that would attribute such electronic signatures to the signatory parties by the public notaries and public brokers. On the other hand, the enforceability of simple electronic signatures could be questioned in a legal proceeding as the attributability requirement would not be entirely fulfilled. Considering the above, the more evidence gathered to attribute a simple electronic signature to a specific signatory, the more chances to prove its reliability and attributability in court.

Implications of running a business online Cyber security/privacy protection/data protection

14. Are there any laws that regulate the collection or use of personal data? To whom do the data protection laws apply?

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

The protection of personal data is established in the Mexican Constitution (Constitución Política de los Estados Unidos Mexicanos) as a constitutional right, and the matter is regulated in a specific manner by: •

The Mexican Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

•

The Regulations to the Law (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

•

Guidelines and general criteria issued by the Ministry of Economy and the Mexican Data Protection Authority (DPA), including those related to the privacy notice, security measures to protect persona data, binding self-regulatory schemes and the implementation of compensatory measures.

•

The General Data Protection Law (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados).

The difference between the Mexican Data Protection Law and the General Data Protection Law is that the latter is applicable to the processing of personal data by authorities, entities, bodies and agencies of the executive, legislative and judicial branch, autonomous bodies, trusts and public funds and political parties on federal, state and municipal level, while the Mexican Data Protection Law is applicable for the processing of personal data by private parties (companies and individuals). Both laws regulate the protection of personal data of individuals (as opposed to entities).

15. What data is regulated?

The Mexican data protection laws define personal data as any information concerning an identified or identifiable individual. The law differentiates personal data from sensitive personal data. Sensitive personal data refers to the most intimate aspects of the data subject's life or that may imply a risk of discrimination for them. The law deems the following as sensitive personal data: •

Race or ethnicity.

•

Present and future health condition.

•

Genetic information.

•

Religion.

•

Philosophical or moral beliefs.

•

Work union affiliation.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

•

Political opinions.

•

Sexual preference.

Biometric data is not expressly established by the law as sensitive personal data, but can be considered as such by the Mexican Data Protection Authority, when the information can disclose certain aspects, such as a person's racial or ethnic background, present and future medical condition, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual preference.

16. Are there any limitations on collecting or using personal data? Are there any specific limitations on storage of personal data in the cloud?

All processing of personal data is subject to the data subject's consent. The consent of the data subject for the processing of their personal data is not required when: •

The data is contained in publicly available sources.

•

The personal data is subject to a prior dissociation procedure.

•

For the purpose of fulfilling any obligations under a legal relationship between the data subject and the data controller.

•

There is an emergency that could potentially cause damages to an individual or their property.

•

The processing is required for medical attention, health care and any other related services if the data subject is unable to give his/her consent.

•

It is ordered through a resolution by a competent authority.

•

The type of personal data to be processed determines the type of consent the data controller must obtain from the data subject.

The processing of financial and economic data requires the data subject's express consent. The processing of sensitive personal data requires the data subject's express and written consent. Collection of personal data can only be considered when a relevant privacy notice is made available before the data is collected and if it contains, at least the following information related to the collection: •

The personal data which will be subject to processing.

•

The specification of any sensitive personal data to be processed.

•

The purposes of the processing of personal data.

Regarding the use of cloud-based services, the Regulations to the Mexican Data Protection Law establish certain specific requirements when processing personal data by cloud computing services.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

The cloud-based service provider must comply with the following requirements for the data controller to be able to use such services: •

It must have policies to protect personal data similar to the ones established in the Mexican Data Protection Laws.

•

Subcontracting must be disclosed to the relevant data controller.

•

Title over the information processed in the cloud cannot be acquired.

•

The personal data processed must be preserved as confidential information.

Further, the cloud computing service provider must have mechanisms to: •

Notify changes of its applicable privacy notices and of its T&Cs.

•

Allow the data controller to limit the processing of personal data.

•

Establish and maintain proper security measures to protect the personal data.

•

Delete the personal data once the services are terminated.

•

Prevent unauthorised access to the personal data, or if properly requested by a competent authority, notify such circumstance to the data controller.

17. Is the use of cookies allowed? If so, what conditions apply to their use that impact system design?

When the data controller uses remote, electronic, optical or other technological mechanism to automatically and simultaneously collect personal data (such as cookies), in that precise moment the data controller must inform the data subject: •

Of the use of such mechanisms/technologies.

•

That through such mechanisms/technologies personal data is being collected.

•

Of the means to disable such mechanisms/technologies.

18. What measures must be taken by contracting companies or the internet providers to guarantee the security of internet transactions?

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

In general, data controllers and data processors must implement appropriate security measures to protect personal data within their responsibility. The Regulations to the Mexican Data Protection Law and the Guideline provide certain measures and mechanism to ensure the protection of data. To guarantee the proper processing of personal data, giving priority to the interests of the data subject and the reasonable expectation for privacy, the data controller can implement the following mechanisms: •

Prepare privacy policies and programmes binding and enforceable within the data controller's organisation.

•

Implement training, updating, and awareness programmes to the data controller's personnel regarding their obligations in the protection of personal data.

•

Establish an internal supervision and monitoring system, as well as external inspections or audits to verify compliance with the privacy policies.

•

Allocate resources for the implementation of privacy programs and policies.

•

Implement procedures to handle any data protection risks that may arise during the implementation of new products, services, technologies and business models, and take the appropriate measures to mitigate such risks.

•

Review, from time to time, security policies and programs to determine any required modifications.

•

Establish procedures to receive and respond the queries and complaints of data subjects.

•

Maintain mechanisms to comply with privacy policies and programmes, and establish sanctions in the event of breaches thereof.

•

Establish measures to protect personal data, such as technical and administrative actions that will allow the data controller to ensure compliance with the principles and obligations set out by the Data Protection Law and its Regulations.

•

Establish measures to trace personal data, that is, actions, measures, and technical procedures that will allow the tracing of personal data while being processed.

The data controller must maintain personal data as confidential information, even when the relationship with the data subject has concluded.

19. Is the use of encryption required or prohibited in any circumstances?

There are no specific rules regarding which type of measures must be adopted by companies or ISPs to guarantee the security of internet transactions. As mentioned above, the general rule is that the service provider must use technical elements to offer safety and confidentiality of the information that the consumer provides. The banking sector has specific rules on encryption and security means for banking transactions.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

20.Can government bodies access or compel disclosure of personal data in certain circumstances?

Following the provisions of the Mexican Constitution, only a judge through a court order can request disclosure of personal data. The court order must be issued by a competent authority, and it must be justified and have a legal basis.

21. Are there any regulations in relation to electronic payments?

On 8 March 2018, the Law on the Regulation of Financial Technology Institutions was issued. It sets out the applicable regulation of financial services provided by those institutions, their operation and financial services offered through innovative means in Mexico, which are subject to special rules. Any institution that wishes to carry out the activities set out in the Law on the Regulation of Financial Technology Institutions.established under Article 25 of such law, must be granted authorisation by the National Banking and Securities Commission. The activities regulated by the law include: •

The issue, marketing or administration of instruments for withdrawal of electronic payment funds.

•

Provision of money transfer services.

•

Processing of any information on payment services corresponding to electronic payment funds or any other payment method.

22. If the site is aimed at children, are there any specific rules or guidance that apply?

Under the Law for the Protection of the Rights of Children and Adolescents (Ley para la Protección de los Derechos de Niñas, Niños y Adolescentes), federal authorities can verify that the mass media avoid the dissemination and publication of content prejudicial to education, promoting violence or justifying crime and the lack of values, during the hours established as suitable for all age groups. There are no specific provisions regarding posting of content online.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

Also, the Federal Law to Prevent and Eliminate Discrimination (Ley Federal para Prevenir y Eliminar la Discriminación), grants the federal authorities the authority to verify that the mass media does not engage in discriminatory practices for any reason, including ethnic origin or nationality, sex, age, disability, social or economic status, health conditions, pregnancy, language, religion and sexual orientation. There are no specific provisions regarding the protection of children on the internet. The general rules are applicable.

Linking

23. Are there any limitations on linking to a third party website and other practices such as framing, caching, spidering and the use of metatags?

If the content is related to articles, images and comments associated with current events or news, an authorisation of the content owner is not required unless the owner expressly prohibits the use. However, the following requirements must be met: •

Citation of the source.

•

No commercial purpose.

•

No alteration of the content.

Commercial purpose will be understood as any direct economic benefit as a result of the use of the specific content (such as, commercialising the content to other parties). However, if the content is used as an additional advantage of the main or principal activity of the user, this use will be allowed under the scope of Mexican Copyright law (such as, online advertising). On the other hand, if the content owner expressly prohibits the use of its content for such purposes, a written, onerous and temporary authorisation will be required. Failure to comply with this agreement by the user is subject to a copyright infringement under the administrative, civil and criminal laws. Consequently, providing content by redirecting and inline linking/framing from third-party website without authorisation from the content holders falls within the exception provided in the Copyright Law, only if the above requirements are met and the content holder has not expressly prohibited the use of the relevant content by any third party.

Domain names

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

24. What regulations are there in relation to licensing of domain names?

In addition to a private domain name assignment agreement that must be executed between the parties, certain procedures before the relevant registrar must be carried out to modify the registry of the domain name and formally assign/transfer the domain name. Procedures may vary from registrar to registrar.

25. Do domain names confer any additional rights (in relation to trade marks or passing off) beyond the rights that are vested in domain names?

Domain names do not confer additional rights apart from the right to use such domain name. However, they may be used as evidence on the use of a trade mark or an IP right.

26. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?

A permit must be obtained from the Ministry of Economy (SecretarĂa de EconomĂa) to confirm that the intended corporate name can be used and is not already taken or if it is a registered trade mark. This happens through an online procedure using the electronic signature of the person requesting such name.

Jurisdiction and governing law

27. What rules do the courts apply to determine the jurisdiction for internet transactions (or disputes)?

Under the Code of Commerce and the Civil Code, the contracting parties in any transaction can agree on the law applicable to the legal effects arising from such transaction. Therefore, if the applicable terms and conditions dully

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

specify that a foreign law would be applicable to the relationship of the user and provider, and there is an express submission to such laws, then, the Mexican laws would not be applicable. Further, the United Nations Convention on Contracts for the International Sale of Goods (CISG) provides that express contractual provisions take precedence over the default provisions of the CISG. Therefore, the contracting parties remain free to specify whatever law or terms they wish to apply to their transaction, and can exclude the application of the CISG to their contractual relationship. In addition, the Organization for Economic Cooperation and Development (OECD) issued the Guidelines for Consumer Protection in the Electronic Commerce (OECD Guidelines) which, among other things, provide the applicable law and jurisdiction in business-to-consumer cross-border transactions carried out electronically (the OECD Guidelines, as several other provisions issued by the OECD, are not legally binding). The rules in these Guidelines establish that the applicable law and jurisdiction will be subject to the existing framework on applicable law and jurisdiction.

28. What rules do the courts apply to determine the governing law for internet transactions (or disputes)?

If an online business operator establishes a contractual domicile or contact point in Mexico, to receive any type of claims or solve questions or comments, PROFECO will have grounds to impose Mexican legal framework to the operations of the business in connection with its overall services. Also, in Mexico there is no specific regulation applicable to online transactions, therefore, the provision of services through the internet and the jurisdiction to be applied may also be ruled by Mexican civil and commercial laws. When dealing with the Mexican conflict laws, the Federal Civil Code provides that Mexican substantive law will apply to all persons located in Mexico, legal acts and facts occurred within Mexico, and when the contracting parties agree to submit to such law. The Federal Civil Code also provides that: •

The formalities of the agreements will be governed by the law of the place of their execution.

•

The legal effects arising from all legal acts and agreements will be governed by the law of the place where they are to be carried out, unless the parties validly submit to another law.

Under the Code of Commerce, the agreements executed through electronic means will be deemed to have entered into full force and effect on the reception of the acceptance of the offer. Considering that in electronic commerce transactions, the consent of the parties is declared through data messages, the execution of an agreement carried out through electronic means will be deemed completed on receipt of the acceptance sent through a data message. The Commerce Code further provides that, unless otherwise agreed, acceptance will be deemed as received in the place where the addressee of the data message has its main establishment and as issued where the issuing person has its main establishment.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

29. Are there any alternative dispute resolution / online dispute resolution (ADR/ODR) options available to online traders and their customers? What remedies are available from the ADR/ODR methods? Are there any requirements to notify customers of the availability of these methods?

As with any other agreement in Mexico, parties can submit themselves to dispute resolution through alternative methods, such as arbitration. Several arbitration rules may be used. If parties wish to remain subject to Mexican law, then they may wish to submit themselves to arbitration following the rules of the Mexican Arbitration Centre (Centro de Arbitraje de México (CAM)). However, parties may also submit themselves to other rules and other venues for these purposes. As discussed above, whenever a consumer is involved on any business transaction, especially if the business transaction corresponds to a regulated service, such as telecommunications, then PROFECO will be the applicable venue for dispute resolution. In such case, and based on the amount of complaints submitted by the users to PROFECO, companies can request access to CONCILIANET, a non-mandatory online dispute resolution option provided and supervised by PROFECO. The provider must inform its consumers that PROFECO will know of any dispute that arises between them. However, there is no obligation to inform consumers of the possibility to resolve such disputes on CONCILIANET.

Advertising/marketing

30. What are the relevant rules on advertising goods/services online/via social media?

Certain specific obligations and/or restrictions regarding the advertisement of products or services are included in specific laws, such as: •

Federal Consumer Protection Law.

•

General Health Law.

•

Regulations to the General Health Law on Advertisement Matters.

•

Guidelines on Junk Food.

•

General Law of Control of Tabaco and its Regulations.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

The information or advertising related to goods, products or services disclosed by any mean or form, must be accurate and verifiable. They must also be free of texts, sounds, images, brands, designations of origin or other descriptions leading to error or confusion, and cannot be deceitful or abusive. Deceitful or abusive advertising includes information referring to characteristics or data related to any good, product or service that, regardless whether it is true or not, leads consumers to error or confusion in relation to the inaccurate, false, exaggerated, or biased manner in which it was presented.

31. Are there any types of services or products that are specifically regulated when advertised/sold online (for example, financial services or medications)?

The Regulations to the General Health Law on Advertisement Matters (Reglamento de la Ley General de Salud en Materia de Publicidad) establishes certain restrictions on online advertisement. For example, tobacco adverts cannot be transmitted online, and through any other telecommunication systems which are aimed at minors, or that have educational or sportive purposes.

32. Are there any rules or limitations in relation to text messages/spam emails?

In general, there are no regulations directed to prevent or prohibit text messages or spam emails. However, specific regulation regarding telecommunication services consumers' rights (Official Mexican Standard 184, or NOM 184), does establish that any telecommunication services provider must obtain consumer's explicit authorisation to contact consumer with merchandising or advertising purposes. This explicit authorisation must be obtained even when services are provided under a sign-up contract (contrato de adhesion). Consumers can also register their telephone numbers with the Public Registry to avoid publicity. Numbers that are registered cannot be subject to any form of advertising.

33. Are there any language requirements in your jurisdiction for a website that targets your particular jurisdiction or whose target market includes your jurisdiction?

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

The website must be available in Spanish language if Mexican laws are applicable. If the processing of personal data is subject to Mexican data protection laws, the privacy notice must also be drafted in Spanish. Also, in the event of products subject to specific official standards, certain information may need to be available in Spanish, for example, in the event of specific guarantees or labels.

Tax

34. Are sales concluded online subject to taxation?

All sales within the Mexican territory are subject to VAT, which is currently 16% (with some exceptions).

35. Where and when must online companies register for VAT and other taxes? Which country's VAT rate will apply?

Under the Mexican Value Added Tax Law, any person, whether natural or legal, is subject to VAT in Mexico if they perform any of the following activities within the Mexican territory: •

Sale of goods.

•

Provision of independent services.

•

Granting temporal use of goods.

•

Import of goods or services.

In that sense, any company which wishes to perform any of the above activities in Mexico, must request a Federal Contributor's Registry number (RFC), from the Mexican Tax Administration Office to be able to perform such activities and provide invoices to their customers.

Protecting an online business Liability for content online

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

36. What laws govern liability for website content?

There are no specific regulations regarding ISP liability, nor for safe harbours, however general rules apply under Mexican laws. In some cases, the entity that provides a platform may be held liable in the event of direct damage. Regarding general rules on damages, in Mexican Federal Civil Code, damages are proven only when they arise from a direct and immediate consequence of an act. Regardless of the above, the international treaty currently identified as USMCA (United States-Mexico-Canada Agreement) does provide for specific safe harbour rules, a new concept to Mexico. These rules would limit the liability for content posted on any website to the author of such content.

37.What legal information must a website operator provide?

If personal data is collected through a website, a privacy notice must be made available on the website. If e-commerce is carried out through such website, the relevant information about the provider must be made available on the website including the name and address, as well as contact details to issue and start complaints. Other requirements may be requested if a regulated activity is carried out, for example, in the event of banking and finance and market securities.

38. Who is liable for the content a website displays (including mistakes)?

In terms of the new United States-Mexico-Canada Agreement (USMCA) regulations, which will come into force in the foreseeable future (the treaty is currently being ratified by the Congress), only the author of the content posted on a webpage will be liable for it. Therefore, the owners of the webpage will not be held responsible for information displayed as long as they do not have any "interest" in such content, meaning that they must have a direct relation to the content to be liable for it.

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

If any person deems that they own a trade mark or any information protected by intellectual property laws in Mexico used on a website, they may present a request before the Mexican Institute of Industrial Property (IMPI) for the website to be shut down or the content removed from it. Other remedies can be sought by the owner of the content, including presenting criminal charges against the person who used content owned by them. It is common for ISPs to establish in their terms and conditions, that they will be able to remove content or disable links. Such terms and conditions are deemed a valid contractual relationship, therefore any agreement for such purposes is valid.

39. Can an internet service provider (ISP) shut down a website, remove content, or disable linking due to the website's content and without permission?

An internet service provider (ISP) can shut down a website, remove content, or disable linking due to the website's content and without permission. It is common for ISPs to establish in their terms and conditions, that they will be able to remove content or disable links, even if they do not have permission of the content owner. Such terms and conditions are deemed a valid contractual relationship, therefore any agreement for such purposes is valid.

Liability for products/services supplied online

40. Are there any rules that might apply to products or services supplied online?

As any other business transaction, the person who offers or sells the goods or services is liable for any problem with such good or service. Additionally, depending on the type of products, certain guarantees may be applicable arising from relevant Mexican standards (NOMs).

Insurance

41. How should an online business be insured?

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

As any other type of business, the insurance policies available to online businesses should be verified with insurance companies. There are no specific types of insurance policies for online businesses.

Reform

42. Are there any proposals to reform digital business law in your jurisdiction?

As discussed above, Mexican law does not explicitly regulate internet or transactions completed online. Online business transactions have remained under the scope of the Code of Commerce, as any other commercial activity. The are currently no proposals to introduce any changes in this area.

Online resources Disputados W www.diputados.gob.mx/LeyesBiblio/ Description. Web Page of the Mexican Congress where you can find all Federal Laws on PDF and Word version. Spanish Language is the only official language in Mexico therefore there are no official translations of Federal Laws.

Contributor profiles Carlos J. Diaz Sobrino BGBG Abogados T +52 1 52925232 E cdiaz@bgbg.mx W www.bgbg.mx

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

Professional qualifications. Lawyer, Mexico Areas of practice. TMT; privacy; data protection; e-commerce; corporate law; M&A. Non-professional qualifications. Law degree, Universidad Panamericana, Mexico City, 2002-2007; Master's degree in IT and Telecommunications Law; Instituto de Estudios Bursátiles (IEB) and Cremades & Calvo Sotelo, Madrid, 2007-2008; Master's degree in Spanish Law; Instituto Superior de Derecho y Economía (ISDE) and Universidad de Barcelona, 2010-2012. Languages. English, Spanish Professional memberships. Vice Co-ordinator of the Telecommunications Committee – 2015 – 2016; Asociación Nacional de Abogados de Empresa (National Association of Company Lawyers), Colegio de Abogados, A.C. (ANADE) •

Publications.

•

The International Comparative Legal Guide de Global Legal Group: Mexico chapter on Telecoms, Media and Internet Laws and Regulations 2013.

•

Getting the Deal Through: Market Intelligence (Volume 4, Issue 5): "Privacy & Cybersecurity" 2017.

•

Legal 500: "Technology Country Comparative Guide, Mexico Chapter" 2017.

•

Juris Publishing Inc. International Telecommunications Law: "Mexico Chapter" 2017

•

Getting the Deal Through: e-commerce 2019.

Valery Tapia BGBG Abogados T +52 1 52925232 E vtapia@bgbg.mx W www.bgbg.mx Professional qualifications. Lawyer, Mexico Areas of practice. Telecommunications; corporate law. Languages. English, Spanish Publications. Mexico: Secondary Use of Spectrum, Mondaq

Digital business in Mexico: overview, Practical Law Country Q&A w-012-0309 (2019)

END OF DOCUMENT