Federal Law on the Protection of Personal Data (LFPDPPP) — 2025 AI Provisions

Jurisdiction: Mexico
Status: enforcing
Effective: Mar 21, 2025
Authority: Secretariat of Anti-Corruption and Good Governance
Official text Verified Mar 28, 2026

Obligations Covered

Transparency & Disclosure, Human Oversight

Provisions (2)

Algorithmic Transparency and Disclosure

Obligation: Transparency
Status: enforcing
Effective: Mar 21, 2025
Risk tier: all
Scope: deployers, providers
Tags: sleeper, cross-domain

Mexico's revised data protection law requires controllers to disclose in privacy notices the use of AI, automated decision-making systems, or algorithms — including the algorithmic logic, significance of processing, and potential consequences. This catches any AI system processing personal data of Mexican residents, even if the deployer is not Mexico-based.

Requirements

| Requirement | Details |
|---|---|
| Privacy notice disclosure | Controllers must disclose the use of AI, ADM systems, or algorithms for decisions affecting individuals |
| Algorithmic logic | Privacy notices must explain the algorithmic logic used in automated processing |
| Significance and consequences | Must inform data subjects of the significance and potential consequences of automated processing |
| Informed consent | Mandatory informed consent required for automated processing affecting individuals |

Penalties

| Violation | Fine |
|---|---|
| Administrative violations | 100–320,000 UMA (~$1,200–$3.9M USD) |
| Aggravating factors | Higher fines for repeat offenses, sensitive data, large-scale processing |

Human Oversight in Automated Decisions

Obligation: Human Oversight
Status: enforcing
Effective: Mar 21, 2025
Risk tier: high
Scope: deployers
Tags: sleeper, cross-domain

The revised LFPDPPP mandates human-in-the-loop processes for automated decision-making, particularly in high-risk scenarios. Combined with the right to object to ADM, this creates a dual obligation: deploy human oversight AND honor opt-out requests. Secondary regulations (pending) may further define high-risk thresholds.

Requirements

| Requirement | Details |
|---|---|
| Human-in-the-loop | Mandatory human oversight for automated decision-making processes, especially high-risk cases |
| Right to object | Individuals have an explicit right to object to processing via automated decision-making systems |
| Impact assessments | High-risk ADM systems require impact assessments evaluating effects on rights, identifying safeguards, and implementing mitigations |
| Internal safeguards | Controllers must establish internal oversight mechanisms for agentic or semi-autonomous systems to prevent harms including discrimination |

Penalties

| Violation | Fine |
|---|---|
| Administrative violations | 100–320,000 UMA (~$1,200–$3.9M USD) |