MEXICO: Franchising and Data Protection.

Eduardo Kleinberg | MEXICO | 2020-02-17


A franchise is defined in Article 142 of the Industrial Property Law (IPL), which establishes that a franchise exists when, together with a written license to use a trademark, technical knowledge is transmitted or technical assistance is provided so that the licensee can produce or sell goods or render services in a uniform manner, following the operating, commercial and administrative methods established by the owner of the trademark, in order to maintain the quality, reputation and image of the products or services distinguished by that trademark.

When entering the Mexican market with a franchise system, certain legal aspects must be considered and complied with. These include requirements under the IPL, such as providing a Franchise Disclosure Document at least 30 business days before executing the Franchise Agreement and observing the minimum provisions that the Franchise Agreement must contain, as well as obligations under the Data Protection Law. As in many other countries, data protection has gained importance in Mexico in recent years, and this trend is expected to continue.

Data Protection in Mexico

Following constitutional amendments that recognized data protection as a basic human right of individuals, the Federal Law on Protection of Personal Data held by Private Parties was enacted in 2010, followed by its Regulations in 2011 and by the Guidelines of the Privacy Notice in 2013 (hereafter, together, the "Data Protection Law"). These pieces of legislation, complemented by guides issued by the Data Protection Authority ("DPA", the National Institute of Transparency, Access to Information and Protection of Personal Data), apply at the federal level and make up the Mexican data protection legal framework for the private sector.

The Data Protection Law applies to all processing of personal data by private entities or individuals, except processing for personal or domestic use and processing by credit bureaus, which are governed by a special law. Under this law, all personal data must be processed in accordance with the data protection principles of consent, information, proportionality, purpose limitation, legality, loyalty and accountability.

Franchisors and Franchisees will each be data controllers with respect to certain personal data they process; for example, a Franchisee will be the controller of its employees' personal data. Either party may also act as a data processor for other personal data in specific situations, depending on the degree of power or influence the Franchisor exercises over the Franchisee, as where the Franchisor is the data controller of customer data and the Franchisee processes that data on its behalf.

Since "personal data" means any information concerning an identified or identifiable individual, both Franchisor and Franchisee need to be aware of their obligations and responsibilities when processing such data; those obligations are heavier for data controllers. It is of the utmost importance to establish the roles of the parties, that is, who is the data controller and who is the data processor in each scenario, or whether responsibilities are shared, as this will be a determining factor for liability in the event of an infringement of the Data Protection Law.

Some of the general obligations of data controllers are: (i) to establish and maintain appropriate physical, technical and organizational security measures, (ii) to provide a privacy notice to all data subjects whose personal data is processed, (iii) to collect consent from data subjects where necessary, (iv) to appoint a person or department responsible for data protection, (v) to allow data subjects to exercise their rights (access, rectification, cancellation, objection, etc.), and (vi) to notify data subjects of security breaches that materially affect them.

Due to the nature of a franchise, transfers of personal data between Franchisor and Franchisee are inherent to the relationship. It is therefore worth noting that personal data may be transferred to third countries regardless of the level of protection the destination country provides, as long as the transfer is covered by an agreement that complies with the Data Protection Law and is consistent with the privacy notice made available to data subjects. Explicit and/or written consent from data subjects for the transfer of their personal data is required in some cases. There are no data localization requirements, and there is no need to register with or request authorization from the DPA.

Third parties outside the franchise also normally play an important role in the daily activities of both Franchisor and Franchisee, including the processing of personal data. When processing activities are carried out by such third parties, the Franchisor or Franchisee, as the case may be, remains accountable for the processing; for this reason, agreements containing robust data protection obligations for those third parties should be in place.

Failure to comply with the provisions of the Data Protection Law may result in hefty fines, and, if personal data is processed deceitfully or for profit, penalties of imprisonment may be imposed.

At the moment, there are no known cases of fines imposed on franchisees or franchisors in Mexico for failing to comply with the Data Protection Law.

Security Measures

Data controllers and data processors are obliged to establish and maintain appropriate physical, organizational and technological security measures to protect personal data from unauthorized processing, access or disclosure. In determining which security measures are appropriate, the risk involved in the processing, the sensitivity of the personal data, the number of data subjects and the state of technological development must be taken into account.

Franchisors must be aware that, in the event of a security breach or an investigation, the DPA, when analyzing whether appropriate security measures were in place, is likely to consider the degree of control the Franchisor exercised over the Franchisee in selecting the security measures to be implemented in order to allocate responsibility. The logical conclusion is that the more control a Franchisor exercises over a Franchisee, the more accountable the Franchisor will be for the processing of personal data.


Although Mexico intends to ratify the Budapest Convention on Cybercrime, it has not done so, and it is not clear when it will ratify it.

Notwithstanding this, under the Federal Criminal Code, unauthorized access to computer systems and the destruction or loss of information are crimes, as is the disclosure of trade secrets and confidential information.

Additionally, the Data Protection Law makes it a crime to cause a security breach involving personal data in order to process that data deceitfully for profit. Because specific provisions are lacking, some other cybercrimes are treated by the police as fraud. Recently, the criminal codes were amended to provide higher penalties for cyber-related crimes; however, the main problem remains the absence of criminal offenses that are specifically defined in the codes and apply to conduct occurring in cyberspace, so that such conduct can be prosecuted and enforced accordingly.

Social Media and E-Commerce

There are no specific regulations or provisions applying to franchises and social media as such, nor codes of conduct in this regard; however, social media activity is mainly governed by the Data Protection Law and by consumer protection legislation.

It should therefore be made clear whether Franchisees are allowed to create social media profiles and, if so, how these should be handled, i.e. which activities or posts are to be avoided and to what extent the Franchisee may be active on social media. As the main asset of social media is personal data, special attention should be paid to the collection and further processing of personal data via social media, since the general data protection rules apply to this processing even when individuals' profiles are public.

E-commerce is regulated in Mexico by several laws, including the Code of Commerce and the Federal Law on Consumer Protection, which protects consumers in Mexico regardless of where the provider is located, meaning that companies offering goods or services in Mexico must comply with Mexican regulations. Advertising is also regulated by that law and its complementary regulations.

The Franchise Agreement must be clear as to what Franchisees are authorized to do, whether they may sell or offer goods or services online and, if so, under what conditions and in what territory. Attention must also be paid to the domain names registered and used for such purposes.

Enforcement Activity

Even though the DPA has been actively enforcing the Data Protection Law since it came into force, there are no reported cases involving a franchise or considering issues inherent to a franchise, such as the control exercised by a Franchisor over a Franchisee.

Nevertheless, there have been cases on other issues that could also directly affect a franchise. It is common for disgruntled employees to file complaints before the DPA for various reasons, from claiming not to have received a privacy notice to not having consented to the processing of their personal data, where the main objective is to cause damage to the company or to force it to settle a labor case. Lack of transparency in the processing, or failure to provide a privacy notice in the terms of the Data Protection Law, have been issues constantly raised by data subjects and penalized by the DPA.

Failure to collect appropriate consent for the processing and for the transfer of personal data has been a recurring issue in the DPA's resolutions, as there are specific requirements for collecting consent and three types of consent that may apply depending on the category of personal data being processed, which complicates compliance with this obligation. In a franchise, the Franchisor should pay special attention to this issue, because if the Franchisee does not properly collect consent from individuals, the entire processing of that personal data, including any transfer of it to the Franchisor, could be considered unlawful. It should also be noted that the burden of proving compliance with all data protection obligations always rests on the data controller.

As mentioned, fines tend to be hefty, ranging from approximately USD 4.00 to USD 1,300,000.00, and these amounts are doubled where sensitive personal data is involved in the infringement or in case of recidivism. The DPA has discretion over the amount of the fine, and so far most fines have been in the millions of Mexican pesos.

Although it is possible to seek damages for the unlawful processing of personal data, there are no reported cases in which damages have been obtained in connection with the processing of personal data, probably because such claims must be brought before the civil courts, where the standard of proof is set very high.

Recommendations and Conclusions

It is important that both parties, Franchisor and Franchisee, are aware of their responsibilities when entering into a Franchise Agreement in Mexico, even when the agreement's choice of law is elsewhere. With this in mind, it is highly advisable to have local counsel guide and protect both parties and to avoid any infringement that could cause irreparable damage to the image of the franchise.

It is customary in Mexico, as part of providing technical assistance, for the Franchisor to give the Franchisee a list of legal requirements to be met before opening and operating a franchise. Such a list should include data protection aspects. Reputational damage is one of the main risks associated with non-compliance with the Mexican Data Protection Law, and it affects both parties. Therefore, ensuring and helping Franchisees comply with the law will benefit everyone involved.


Eduardo Kleinberg, IDI Country Expert for franchising in Mexico