AI Watch: Global regulatory tracker - Brazil (UPDATED)

Laws/Regulations directly regulating AI (the “AI Regulations”)

Brazil intends to regulate AI through Bill No. 2,338/2023 ("Brazil's Proposed AI Regulation"), although there are currently no specific codified laws, statutory rules or regulations in Brazil that directly regulate AI.¹

Status of the AI Regulations

When Brazil's Proposed AI Regulation will come into effect, and what its final text will entail, remains unclear. Although the Federal Senate approved Bill No. 2,338/2023 in December 2024, the proposal must still be scrutinized and voted on in the House of Representatives, before being approved by the president, and so, the details remain subject to change. There is currently no expected date for the next developments in the legislative procedure.

Other laws affecting AI

There are various laws that do not directly seek to regulate AI but may affect its development or use in Brazil. A non-exhaustive list of key examples includes:

• Law No. 13,709/2018 (General Data Protection Law) (the "Brazilian Data Protection Law"), which provides for the processing of personal data.²
• Law No. 8,078/1990 (Consumer Protection Code), which provides for consumer protection.³
• Law No. 9,610/1998 (Copyright Law), which provides for authors' rights and those related to them.⁴

Intellectual property laws may affect several aspects of AI development and use.

Definition of “AI”

Given Brazil's Proposed AI Regulation is not yet law, there is currently no legally recognized definition of AI in Brazil.

Nevertheless, the latest version of Brazil's Proposed AI Regulation defines an AI system as "a machine-based system that, with varying degrees of autonomy and for explicit or implicit objectives, infers, based on a set of input data or information it receives, how to generate outputs, in particular, predictions, content, recommendations, or decisions that may influence virtual, physical, or real environments."⁵

Territorial scope

Brazil's Proposed AI Regulation currently has a broad territorial scope. Based on the current draft, it will apply to the development, deployment, and use of AI systems within Brazilian territory, without making a distinction between national and foreign entities.

Sectoral scope

Brazil's Proposed AI Regulation does not currently adopt a sector-specific focus. Based on the current draft, it will apply to the development, deployment, and use of AI systems irrespective of sector.

Compliance roles

Brazil's Proposed AI Regulation will introduce obligations for the following AI system agents:

• AI system developer – being "a natural or legal person, whether public or private, that develops an AI system, directly or by commission, with the intention of placing it on the market or applying it in a service provided by them, under their own name or brand, for consideration or free of charge."⁶
• AI system distributor – being "a natural or legal person, whether public or private, that makes an AI system available to a third party for use, whether for consideration or free of charge."⁷
• AI system operator (or deployer) – being "a natural or legal person, whether public or private, that employs or uses an AI system on their own behalf or for their benefit, including by configuring it, maintaining it, or supporting it through the provision of data for its operation and monitoring."⁸

Core issues that the AI Regulations seek to address

Brazil's Proposed AI Regulation aims to protect fundamental rights and ensures the implementation of secure and reliable systems for the benefit of the human person, the democratic regime, and scientific and technological development.

Risk categorization

Brazil's Proposed AI Regulation categorizes AI systems according to different levels of risk:

• Excessive-risk AI systems include (among others) those AI systems that: (i) induce or manipulate behavior in ways that may result in harm to health, safety, fundamental rights, or the democratic process; (ii) exploit vulnerabilities of specific groups of persons (e.g., age, disability or socio-economic condition), to cause harm; or (iii) are implemented by public authorities for the purposes of illegitimate social scoring, or perform real-time remote biometric identification in public spaces, except in legally defined circumstances, such as criminal investigations with prior judicial authorization. Such excessive-risk AI systems will be prohibited, while others will be subject to regulation by the competent authority.⁹
• High-risk AI systems include AI systems used for certain purposes, such as (among others): (i) security devices in critical infrastructure (such as traffic control, water, and electricity supply networks); (ii) decision-making in education, employment, and access to essential public or private services; (iii) certain autonomous vehicles; (iv) applications in the healthcare sector; (v) biometric identification systems; and (vi) criminal investigation and public security.¹⁰

Every AI system shall undergo a preliminary risk classification conducted by the developer or deployer to determine whether it qualifies as an excessive-risk, high-risk, or other AI system. For high-risk and general-purpose AI systems, an algorithmic impact assessment must be undertaken prior to the AI system being placed onto the market or put into operation.¹¹

Key compliance requirements

Brazil's Proposed AI Regulation aims to establish a detailed approach to compliance requirements. By way of an example, Brazil's Proposed AI Regulation currently requires:

• AI system developers or deployers to conduct preliminary assessments to classify the risk level of the AI system before its placement on the market; and
• AI system developers and deployers : (i) to conduct algorithmic impact assessments for high-risk AI systems, or for general-purpose AI systems with systemic risks; and (ii) to report serious security incidents to the competent authority.¹²

AI system developers and operators must also establish governance structures and internal processes capable of ensuring the security of systems and compliance with the rights of affected individuals, which shall include, at least:

• transparency regarding the use of AI systems in interacting with natural persons, and the governance measures adopted in the development and use of the AI system by the organization;
• adequate data management measures for the mitigation and prevention of potential discriminatory biases;
• the legitimization of data processing in accordance with data protection legislation, including through the adoption of privacy measures from the design stage and by default, and the adoption of techniques that minimize the use of personal data;
• the adoption of appropriate parameters for the separation and organization of data for training, testing, and the validation of the system's results; and
• the adoption of appropriate information security measures from the design stage to the operation of the system.¹³

In addition, AI system developers and operators of high-risk AI systems must adopt the following governance measures and internal processes:

• the operation of the system and the decisions involved in its construction, implementation, and use must be documented;
• automatic logging tools for system operation must be used in order to: (i) allow for the evaluation of its accuracy and robustness; (ii) identify potential discriminatory issues; and (iii) appropriately implement risk mitigation measures, with special attention to adverse effects;
• tests to assess appropriate levels of reliability, according to the sector and type of application of the AI system, must be conducted;
• data management measures to mitigate and prevent discriminatory biases must be adopted; and
• technical measures to explain the results of AI systems, and to provide general information about the operation of the model, must be adopted.¹⁴

Regulators

Brazil's Proposed AI Regulation designates the National Data Protection Authority (ANPD) as the competent authority responsible for coordinating the National System for the Regulation and Governance of Artificial Intelligence (SIA), within the scope of the Federal Public Administration. The ANPD will oversee the implementation of the regulation and cooperate with sectoral authorities.¹⁵

Enforcement powers and penalties

Pursuant to Brazil's Proposed AI Regulation, the competent authority will have a range of enforcement measures to consider. Specifically, the competent authority may:

• Order: (i) the reclassification of the AI system's risk level; (ii) an AI system agent to conduct algorithmic impact assessments to guide ongoing investigations; or (iii) an AI system agent to take measures to reverse or mitigate the effects of a serious security incident.
• Administer: (i) a warning; or (ii) a simple fine of up to R$ 50,000,000.00 (fifty million Brazilian reais) per violation, being, in the case of a private legal entity, up to 2% (two percent) of the group's revenue for the preceding fiscal year.
• Publicize the violation after it has been duly investigated and confirmed.
• Prohibit or restrict: (i) the AI system from participating in the regulatory sandbox regime provided for in Brazil's Proposed AI Regulation, for up to five years; or (ii) processing from certain databases.
• Suspend the development, supply, or operation of the AI system on a partial or total, and temporary or permanent, basis.

Additionally, as a general rule in Brazil, individuals and legal entities that violate the law and cause harm to others, whether material or moral, may be ordered by a court to pay compensation.¹⁶

1 See Brazil's Proposed AI Regulation here. It was approved on December 10, 2024.
2 See the Brazilian Data Protection Law here.
3 See Law No. 8,078/1990 here.
4 See Law No. 9,610/1998 here.
5 See Article 4, I of Brazil's Proposed AI Regulation here.
6 See Article 4, V of Brazil's Proposed AI Regulation here.
7 See Article 4, VI of Brazil's Proposed AI Regulation here.
8 See Article 4, VII of Brazil's Proposed AI Regulation here.
9 See Article 13 of Brazil's Proposed AI Regulation here.
10 See Article 14 of Brazil's Proposed AI Regulation here.
11 See Articles 12 and 25 of Brazil's Proposed AI Regulation here.
12 See Articles 25 and 42 of Brazil's Proposed AI Regulation here.
13 See Article 17 of Brazil's Proposed AI Regulation here.
14 See Article 18 of Brazil's Proposed AI Regulation here.
15 See Article 45 of Brazil's Proposed AI Regulation here.
16 See Article 50 of Brazil's Proposed AI Regulation here

Laura Bottega Eskudlark (Associate, Pinheiro Neto Advogados) contributed to this publication.