On April 25, 2022, Mexico’s Supreme Court announced that it had declared unconstitutional a law ordering the creation of a national registry of cell phone users (abbreviated and known as PANAUT) for the collection of their personal and biometric data by telecommunications companies and preservation by the Mexican government.
According to the bill that proposed this law, cell phones are used by criminals in Mexico to commit extortion and kidnapping. The struck-down law was aimed at combating such crimes by making the registry readily available to authorities to track cell phones used in committing crimes. In addition to biometric information, the registry would have included a variety of personal information, such as users’ addresses and identification documents. Providing these personal data would have been mandatory for all individuals at the time that they bought a data plan from telecommunications companies, which had to collect this information and make it available to the government.
The Supreme Court struck down the law on the grounds that it violated the right to privacy, because the personal data of cell phone users would have been available to law enforcement authorities without the need to obtain a warrant from judicial authorities. In addition, the court decision indicated that the law did not specify the specific conditions and parameters under which law enforcement authorities could access the data in the registry, nor did it specify any time limits for authorities to access such information.
The court thus indicated that such broad access to personal information by law enforcement authorities contradicted privacy, data protection, and criminal procedure rules under Mexican law, which provides that access to personal information of individuals who are suspects in criminal proceedings can be obtained by relevant authorities only subject to adequate limits, depending on the specifics of the case.
Specifically, articles 291 and 292 of Mexico’s national Code of Criminal Procedure provide that prosecutors who deem it necessary to monitor private communications during an investigation have the authority to make a pertinent request for permission from a judge. Judicial authorization may also be requested for information extraction, which consists of obtaining private communications, identification data concerning communications, and information contained in any device that may contain incriminating information. The request must indicate the individuals subject to this measure, types of communications targeted, period the surveillance should last, specific devices or line numbers to be monitored, and communications company providing connectivity to the targets. Surveillance may not last longer than six months.
The court concluded that law enforcement authorities already have appropriate powers to obtain access to data on the personal devices of individuals who are suspects in criminal proceedings, provided that applicable requirements are met.