What Are Brazil's AI Rules?
Brazil's AI governance framework is layered and still maturing. As of May 2026, the operational baseline is the Lei Geral de Proteção de Dados Pessoais (LGPD, Lei 13.709/2018), which has been in force since September 18, 2020 and has been actively enforced by the Autoridade Nacional de Proteção de Dados (ANPD) since the first sanctions were imposed in late 2023. The LGPD is the operative statute that already applies to AI systems that process personal data of individuals in Brazil. Alongside the LGPD, the Marco Legal da IA (PL 2338/2023) passed the Federal Senate in December 2024 and is currently being considered by the Chamber of Deputies (Câmara dos Deputados). The bill, if enacted with its current text, would introduce an EU-AI-Act-style four-tier risk framework layered on top of the LGPD's data protection baseline.
Two framings matter for AI governance leaders. First, the LGPD is in force: ANPD sanctions can be imposed today, and AI processing that touches personal data must already satisfy the LGPD's lawful basis, transparency, and Article 20 automated decision review obligations. Second, PL 2338/2023 remains proposed: the Senate approved a substitute text in December 2024, but the bill has not yet passed the Chamber of Deputies. References to PL 2338/2023 obligations in compliance documents should be framed conditionally and revisited as the legislative process advances.
Brazil's approach sits at the intersection of GDPR-style data protection (the LGPD is closely modelled on the GDPR) and EU AI Act-style risk regulation (PL 2338/2023's four-tier framework draws explicitly from the EU AI Act). Sector regulators add further layers: the Banco Central do Brasil (BACEN) for financial-services AI under Resolução 4.658/2018 and the cyber-security framework for Open Finance; the Agência Nacional de Saúde Suplementar (ANS) for clinical AI in supplementary health; and the Comissão de Valores Mobiliários (CVM) for algorithmic trading disclosures. Organisations that operate in Brazil or that process personal data of Brazilian residents should treat LGPD compliance as the operational floor and prepare an adaptable AI control plane that can absorb PL 2338/2023 obligations when (or if) they are enacted.
Areebi is designed for exactly this layered context: LGPD-aligned consent, automated-decision-review, and DPO controls operate today, and Areebi's AI control plane architecture accommodates the additional risk-tiered obligations contemplated by PL 2338/2023 as the bill matures.
Brazilian AI and Data Governance Instruments in Scope
The Brazilian AI legal landscape consists of one in-force statute, multiple ANPD regulations and pareceres (technical opinions), a Senate-passed bill awaiting Chamber consideration, and several sector-specific overlays. Each layer carries different legal weight and should be tracked separately.
LGPD (Lei 13.709/2018, in force)
The LGPD was sanctioned in August 2018 and became operational on September 18, 2020. Administrative sanction powers (Article 52) entered into force on August 1, 2021, and the ANPD imposed its first fine in November 2023. The LGPD applies to any processing of personal data carried out in Brazil, or to processing of personal data collected in Brazilian territory or relating to individuals located in Brazil at the time of collection (Article 3).
Key LGPD provisions that touch AI processing:
- Article 7 (ten legal bases): Processing of personal data requires one of ten legal bases - consent, compliance with a legal or regulatory obligation, execution of public policy, research, contract execution, exercise of rights in proceedings, protection of life, protection of health, legitimate interest, or credit protection. For AI training using personal data, the operative bases are typically consent (Article 7, I), legitimate interest with a balancing test (Article 7, IX), or contract execution (Article 7, V). Re-purposing data collected for one purpose to train an AI for another typically requires a fresh legal basis.
- Article 11 (sensitive personal data): Sensitive personal data (racial or ethnic origin, religious conviction, political opinion, union membership, religious or philosophical or political organisation affiliation, data concerning health or sex life, genetic or biometric data) requires either specific and prominent consent or a narrower set of legal bases. AI use cases involving sensitive data face heightened scrutiny.
- Article 18 (data subject rights): Data subjects (titulares) have rights of confirmation, access, correction, anonymisation, blocking, deletion, portability, information about sharing, information about the possibility of not providing consent and its consequences, and revocation of consent. AI systems must support all nine titular rights.
- Article 20 (review of automated decisions): The data subject has the right to request review of decisions taken solely on the basis of automated processing of personal data that affect their interests, including decisions intended to define their personal, professional, consumer, or credit profile, or aspects of their personality. The controller must provide clear and adequate information about the criteria and procedures used for the automated decision, observing commercial and industrial secrets. Article 20 is the LGPD's direct AI-governance provision and applies today to any AI that makes or materially assists consequential decisions about Brazilian residents.
- Article 38 (Relatório de Impacto à Proteção de Dados Pessoais - RIPD): The ANPD may require the controller to prepare a Data Protection Impact Report describing the processing operations that may generate risks to civil liberties and fundamental rights, and the measures, safeguards, and risk mitigation mechanisms adopted. RIPDs are the operational equivalent of GDPR DPIAs and are increasingly expected for high-risk AI use cases.
- Article 41 (Data Protection Officer - encarregado): The controller must appoint an encarregado (DPO) who serves as the point of communication with data subjects and the ANPD. Resolution CD/ANPD Nº 2/2022 confirmed that small-scale processing agents have proportional encarregado obligations, but enterprise AI deployments typically require a designated DPO.
- Article 52 (penalties): Administrative sanctions include warning, simple fine up to 2% of revenue of the company, group, or conglomerate in Brazil in the most recent financial year (limited to BRL 50 million per infraction), daily fine, public disclosure of the violation, blocking of personal data, deletion of personal data, partial suspension of database operations for up to six months, suspension of personal data processing activities for up to six months, and partial or total prohibition of activities related to data processing.
Status: In force since September 18, 2020. Sanction powers in force since August 1, 2021. ANPD enforcement actions began in November 2023. The statute is fully operational; AI processing of personal data must satisfy the LGPD today.
PL 2338/2023 - Marco Legal da IA (Senate-passed, awaiting Chamber)
The Marco Legal da Inteligência Artificial (PL 2338/2023) was introduced by Senator Rodrigo Pacheco in May 2023, drawing on the recommendations of the Senate's Comissão de Juristas (CJSUBIA). The Federal Senate approved a substitute text in December 2024; the bill is now in the Chamber of Deputies, where committee review is underway as of early 2026. PL 2338/2023 has not yet been enacted. References to specific PL 2338/2023 obligations in compliance documents should be framed conditionally.
Based on the Senate-approved text, PL 2338/2023 is expected to introduce:
- Four-tier risk classification drawing from the EU AI Act: excessive risk (prohibited), high risk (subject to fundamental rights impact assessment and ongoing controls), limited risk (transparency obligations), and minimal risk (no additional obligation beyond the LGPD baseline).
- Prohibitions (excessive risk): Social scoring systems by public authorities, real-time biometric identification in publicly accessible spaces (with limited exceptions), AI systems that exploit vulnerabilities of specific groups, and AI systems that enable subliminal manipulation. The prohibitions broadly mirror the EU AI Act's Article 5.
- Fundamental rights impact assessment (avaliação de impacto algorítmico): Mandatory for high-risk AI systems. The assessment captures the system's purpose, the data it uses, the risks to fundamental rights, the mitigations, and the residual risks. Conceptually analogous to the LGPD's RIPD but with broader scope (fundamental rights generally, not just personal data).
- Transparency obligations: AI systems that interact with humans must disclose their automated nature. Generative AI outputs must be labelled. Synthetic content depicting identifiable individuals requires consent or another lawful basis.
- Regulatory sandbox: A formal sandbox for testing AI systems under regulator supervision, intended to accelerate responsible deployment of innovative AI.
- ANPD as central authority: The Senate-approved text designates the ANPD as the central authority coordinating AI regulation, working alongside sector-specific regulators (BACEN, ANS, CVM, ANATEL) and the SIA (Sistema Nacional de Regulação e Governança da Inteligência Artificial).
- Penalties: Mirroring the LGPD's penalty structure with additional caps for AI-specific violations. The Senate text contemplates fines up to BRL 50 million per infraction, with multipliers for prohibited-use violations.
Status: Senate approval December 2024. Chamber of Deputies committee review in progress as of early 2026. No definitive enactment date. Organisations should design AI governance programmes that can absorb risk-tier classification and fundamental rights impact assessment without rebuilding.
ANPD Regulations and Pareceres on AI
The ANPD has used its regulamentos (regulations) and pareceres (technical opinions) to operationalise the LGPD for AI in advance of dedicated legislation. The most consequential instruments:
- Resolution CD/ANPD Nº 4/2023 (dosimetry of administrative sanctions): Published in February 2023, this resolution sets the methodology the ANPD uses to calculate fines. Factors include the seriousness and nature of the infraction, the good faith of the offender, the advantage obtained or intended, the economic condition of the offender, recidivism, the degree of damage, cooperation with the ANPD, the existence of internal mechanisms to prevent the infraction, and prompt adoption of corrective measures. The resolution makes prior LGPD investment legible as a mitigating factor.
- ANPD AI Guidance (2024): The ANPD published a series of communicados and pareceres on AI starting in 2024, including the May 2024 communicado on generative AI training data and the November 2024 parecer on the interaction between LGPD Article 20 and AI-driven credit decisions. The guidance positions the ANPD as the central authority for AI processing of personal data, ahead of PL 2338/2023 enactment.
- ANPD's Stance on Generative AI (2024 - 2025 series): A series of position papers and consultations on generative AI training data, output watermarking, deepfakes, and synthetic media. The series signals that the ANPD expects controllers to (a) document the legal basis for using personal data in training data, (b) implement reasonable measures to prevent generative outputs from re-identifying training subjects, and (c) label synthetic content where it depicts identifiable individuals.
- Resolution CD/ANPD Nº 2/2022 (small-scale processing agents): Established proportional obligations for small businesses, microenterprises, startups, and individuals processing personal data. Confirms that even small AI operators have LGPD obligations but with proportionality applied to documentation, encarregado appointment, and impact assessments.
- ANPD AI Coordination Office (2025): The ANPD established a dedicated AI coordination office in 2025 to consolidate technical opinions, guide investigations, and prepare for PL 2338/2023 implementation. The office is expected to publish further pareceres on automated decisions, generative AI, and risk-tier classification through 2026.
The ANPD's instruments carry the operational weight of administrative law: resolutions are binding regulamentos, while pareceres signal the ANPD's enforcement priorities and interpretive positions. Failure to align with published ANPD guidance is a recurrent aggravating factor in dosimetry analysis under Resolution CD/ANPD Nº 4/2023.
Sector Regulators with AI-Specific Overlays
Several Brazilian sector regulators have published AI-specific guidance that operates alongside the LGPD. Organisations in regulated sectors should track these overlays in addition to the LGPD baseline.
- Banco Central do Brasil (BACEN) - financial services: Resolução BCB Nº 4.658/2018 sets the cybersecurity policy and operational requirements for financial institutions, with implications for AI-driven credit decisions, fraud detection, and Open Finance integrations. The BACEN's Open Finance AI guidance published in 2024 clarifies that AI used to score, rank, or recommend financial products through Open Finance APIs must respect LGPD Article 20 review rights and document the model's training data lineage. BACEN has signalled increased AI-focused supervisory attention through 2025 and 2026.
- Agência Nacional de Saúde Suplementar (ANS) - supplementary health: Regulates AI use by health insurers and supplementary health operators, including clinical AI for prior authorisation, fraud detection, and risk stratification. The ANS expects supplementary health operators to maintain meaningful human review of AI-driven coverage decisions, aligned with LGPD Article 20 and the ANS's own obligation to provide explanations for coverage denials.
- Comissão de Valores Mobiliários (CVM) - securities: The CVM regulates algorithmic and AI-driven trading, robo-advisors, and AI in investor communications. Resolution CVM Nº 175/2022 and subsequent technical notes require disclosure of material AI use in investment recommendations and risk management of algorithmic trading systems.
- Agência Nacional de Telecomunicações (ANATEL) - telecommunications: Has supervisory authority over AI-driven network management, content moderation by telecom intermediaries, and connectivity for AI services. ANATEL coordinates with the ANPD on overlapping LGPD obligations.
- Conselho Nacional de Justiça (CNJ) - judiciary: Resolution CNJ Nº 332/2020 establishes principles for AI use in the Brazilian judiciary, including human-in-the-loop requirements for decisions that affect rights. While the CNJ governs the courts rather than private organisations, its framework signals expectations that influence wider AI governance norms in Brazil.
Multi-regulator interaction is the norm in Brazil: a single AI use case (for example, an AI-driven credit decision by a fintech) can attract LGPD obligations (ANPD), Open Finance cybersecurity obligations (BACEN), and securities disclosure obligations (CVM) simultaneously. Coordinated governance is essential.
Who Must Comply
The LGPD applies broadly to processing of personal data of individuals in Brazil, regardless of where the controller or processor is headquartered. The Act's extraterritorial reach is structurally similar to the GDPR's.
LGPD covered entities (Article 3)
- Processing carried out in Brazilian territory: Any controller or processor (including AI vendors and integrators) whose data processing activities are conducted in Brazil.
- Processing aimed at offering goods or services to individuals located in Brazil: Global SaaS AI providers that serve Brazilian enterprise customers fall within scope, even where the technical processing happens abroad.
- Processing of personal data collected in Brazilian territory: Captures data collected from individuals located in Brazil at the time of collection, even if subsequently processed elsewhere.
Roles under the LGPD
- Controlador (controller): The natural or legal person who makes decisions about the processing of personal data. For AI, the controller typically defines the system's purpose, the training data sources, and the operative decisions.
- Operador (processor): The natural or legal person who processes personal data on behalf of the controller. AI vendors operating models on behalf of customer organisations typically sit in this category.
- Encarregado (DPO): The person designated by the controller to act as the channel of communication with data subjects and the ANPD. Article 41 makes DPO designation an obligation; the ANPD has clarified that small-scale processors may discharge the role with proportionality.
- Titular (data subject): The natural person to whom the personal data relates. Article 18 grants nine specific rights and Article 20 grants the right to review automated decisions.
Practical SaaS scope notes
- Global SaaS AI providers that sign Brazilian enterprise customers should expect to act as operadores under their data processing agreement and should be prepared to evidence the LGPD's operational requirements (security safeguards, breach notification cooperation, data subject rights support, Article 20 review-channel support).
- AI vendors that offer pre-trained models without customer-specific training should still document the legal basis used for training data acquisition, and should be prepared to answer ANPD inquiries about the provenance and lawful basis of training corpora.
- AI integrators (consultancies, system integrators, and partners that deploy AI on the controller's behalf) typically sit in the operador role. The Article 39 contract (contrato pertinente) defines the operational division of responsibility.
Key LGPD Obligations Applied to AI
The LGPD does not single out AI by name, but its controller and operator obligations apply to any system that processes personal data. AI training, fine-tuning, and inference using personal data of Brazilian residents are all in scope.
1. Lawful basis selection (Article 7)
For most AI training and inference, the operative legal bases are consent (Article 7, I), legitimate interest with balancing test (Article 7, IX), or contract execution (Article 7, V). The lawful basis must be documented and revisited when the AI purpose changes. Re-purposing data collected under a generic privacy notice for new AI training typically requires a fresh basis. For sensitive personal data (Article 11), the more restrictive set of bases applies.
2. DPO (encarregado) appointment (Article 41)
The encarregado is the channel of communication with data subjects and the ANPD. Enterprise AI deployments typically require a designated DPO with knowledge of the LGPD and the technical AI stack. The encarregado's identity and contact information must be published in an accessible location on the controller's website.
3. RIPD for high-risk AI (Article 38)
The Relatório de Impacto à Proteção de Dados Pessoais documents the processing operations, the risks to fundamental rights, and the mitigation measures. The ANPD may require RIPD disclosure during an inquiry. For high-risk AI - particularly AI that makes consequential decisions, processes sensitive data, or processes large-scale personal data - the RIPD is in practice expected even where the ANPD has not specifically requested it.
4. Article 20 right to review of automated decisions
Where an AI system makes a decision solely on the basis of automated processing that affects the data subject's interests, the data subject can request review. The controller must provide clear and adequate information about the criteria and procedures used, observing commercial and industrial secrets. Article 20 has been the focus of growing ANPD attention through 2024 - 2026; the operational implication is that AI controllers must support a review channel, document the model's decision logic at a level interpretable to the data subject, and route reviewable decisions to a meaningful human review process. Automated decision-making is the LGPD's most direct AI-governance hook.
5. Data subject rights workflows (Article 18)
Controllers must operationally support all nine titular rights: confirmation of processing, access, correction, anonymisation, blocking, deletion, portability, information about sharing, and revocation of consent. AI systems that incorporate personal data into model weights face the practical challenge of honouring deletion requests; the operational response usually involves data lineage tracking, training set deletion, and (where required) model retraining.
6. Breach notification
The LGPD requires controllers to communicate the occurrence of a personal data breach that may generate relevant risk or damage to data subjects to the ANPD and to affected data subjects within a reasonable time. The LGPD does not fix a specific number of days; ANPD guidance issued in 2023 - 2024 indicates that the ANPD expects notification typically within two business days of awareness, and the dosimetry methodology treats prompt notification as a mitigating factor.
7. Article 39 DPA (contrato pertinente)
The controller-processor relationship must be formalised in a written contract that defines processing instructions, security obligations, breach notification, sub-processing, and termination. For AI deployments, the Article 39 contract should explicitly cover model training (if applicable), inference logging, model versioning, and the operational mechanics of supporting Article 18 and Article 20 requests.
Penalties and Enforcement
The LGPD's enforcement model centres on the ANPD as the federal authority. The ANPD has the power to inquire into complaints, conduct supervisory activities, and impose administrative sanctions following due process. There is no private right of action for the administrative penalties themselves, but data subjects retain civil tort remedies under the Civil Code and the Consumer Defence Code.
Penalty tiers under LGPD Article 52
| Sanction type | Description |
|---|---|
| Warning (advertência) | Formal warning with a timeline for adopting corrective measures |
| Simple fine | Up to 2% of revenue of the controller, group, or conglomerate in Brazil in the most recent financial year (limited to BRL 50 million per infraction) |
| Daily fine | Daily penalty for ongoing violation, subject to the same overall cap |
| Public disclosure | Public statement of the infraction once due process is concluded |
| Blocking of personal data | Order to block the personal data to which the infraction relates until regularisation |
| Deletion of personal data | Order to delete the personal data to which the infraction relates |
| Partial suspension of database operations | Suspension of database operations affected by the infraction for up to six months, extendable for an equal period |
| Suspension of personal data processing activities | Suspension of the processing activity affected by the infraction for up to six months, extendable |
| Partial or total prohibition of activities | Prohibition of activities related to data processing |
Dosimetry methodology (Resolution CD/ANPD Nº 4/2023)
The ANPD applies a structured methodology to calibrate sanctions. The methodology considers the seriousness and nature of the infraction, the good faith of the offender, the advantage obtained or intended, the economic condition of the offender, recidivism, the degree of damage, cooperation with the ANPD, the existence of internal mechanisms to prevent the infraction, and prompt adoption of corrective measures. The resolution gives a clear signal that prior LGPD investment, documented controls, and cooperation are concrete mitigating factors that directly reduce calculated fines.
Enforcement procedure
- A complaint, ANPD-initiated supervisory action, or referral triggers the ANPD's procedure.
- A preliminary investigation determines whether to advance to a formal administrative procedure.
- The ANPD issues a notice of infraction. The controller has the right to present defence and evidence.
- The ANPD issues a decision applying the dosimetry methodology. The decision may impose any combination of the Article 52 sanctions.
- Appeals lie within the ANPD's Conselho Diretor and ultimately to the federal judiciary.
Cumulative civil and consumer remedies
Independent of ANPD administrative sanctions, data subjects may pursue civil liability claims under the Brazilian Civil Code for moral and material damages, including collective actions through the Ministério Público (Public Prosecutor's Office) and consumer organisations. The Consumer Defence Code may also apply where the data subject is a consumer. Collective actions have produced multi-million BRL settlements in 2024 - 2025.
ANPD Enforcement Trends (2023 - 2026)
The ANPD moved from supervisory and educational activity to active enforcement starting in late 2023. Notable actions and trends:
- November 2023 - first sanction (Telekall Infoservice): The ANPD imposed its first administrative fine on a telecommunications services company, totalling approximately BRL 14,000 across three infractions, for failure to comply with data subject access requests, lack of legal basis, and lack of designated encarregado. Although modest in financial terms, the sanction signalled that the ANPD had moved into the enforcement phase.
- December 2023 - Serasa Experian: The ANPD sanctioned Serasa Experian with a fine of approximately BRL 200,000 for sharing personal data of consumers without a valid legal basis. The decision was significant because it addressed a credit-bureau use case central to many AI-driven credit scoring deployments.
- 2024 - OpenAI Termo de Ajustamento de Conduta (TAC): The ANPD opened a procedure into OpenAI's compliance with the LGPD in relation to ChatGPT training and inference, resulting in commitments documented in a TAC. The procedure highlighted the ANPD's intent to actively supervise generative AI providers operating in Brazil.
- 2025 - generative AI training data focus: The ANPD's 2025 supervisory plan made generative AI training data a priority area, with consultations on legal basis, transparency, and data subject rights specifically applied to large language model training corpora.
- 2025 - establishment of AI Coordination Office: The ANPD established a dedicated AI Coordination Office in 2025 to consolidate technical opinions on AI, guide investigations, and prepare for PL 2338/2023 implementation.
- 2026 (year to date) - AI-driven credit and employment decisions: The ANPD's 2026 enforcement priorities have signalled focus on Article 20 reviewability of automated decisions in credit scoring and employment screening, with parecer activity expected to continue through the year.
The trend line is clear: the ANPD has moved from initial small fines into sector-specific supervisory activity, with generative AI and automated decision-making as priority focus areas. Multi-million BRL fines under Article 52 have not yet been published, but the dosimetry framework supports them, and the AI Coordination Office's 2026 - 2027 docket is expected to produce them.
PL 2338/2023 Marco Legal da IA - Detail and Status
The Marco Legal da Inteligência Artificial (PL 2338/2023) is Brazil's proposed AI-specific framework, drawing structurally from the EU AI Act while embedding Brazil-specific institutional architecture. The Federal Senate approved a substitute text on December 10, 2024; the bill is currently in the Chamber of Deputies. Enactment is not certain; the Chamber may amend the text or send it back to the Senate.
Four-tier risk classification
| Tier | Description | Approximate EU AI Act analogue |
|---|---|---|
| Excessive risk (risco excessivo) | Prohibited uses: social scoring by public authorities, real-time biometric identification in publicly accessible spaces (limited exceptions), exploitation of group vulnerabilities, subliminal manipulation | Article 5 prohibited practices |
| High risk (alto risco) | Subject to fundamental rights impact assessment, transparency, human oversight, ANPD/sector-regulator coordination. Includes critical infrastructure, education and vocational training, employment, essential services, law enforcement, migration and asylum, administration of justice | Annex III high-risk systems |
| Limited risk (risco limitado) | Transparency obligations: disclose interaction with AI, label generative outputs, identify synthetic content depicting identifiable persons | Article 50 transparency obligations |
| Minimal risk (risco mínimo) | No additional AI-specific obligation beyond the LGPD baseline | Voluntary codes of conduct |
Fundamental rights impact assessment (avaliação de impacto algorítmico)
Mandatory for high-risk AI systems. Captures the system's purpose, training data and its lawful basis, the populations affected, the risks to fundamental rights (privacy, non-discrimination, freedom of expression, due process, consumer protection), the mitigations implemented, and the residual risk profile. The assessment is updated when the system materially changes. Where the system also processes personal data, the assessment may be integrated with the LGPD's Article 38 RIPD to avoid duplicate work.
Regulatory sandbox
PL 2338/2023 contemplates a regulatory sandbox administered by the ANPD in coordination with sector regulators. The sandbox allows controlled testing of innovative AI systems under regulator supervision, with relaxed but defined obligations during the testing period.
ANPD as central authority with sector-regulator coordination
The Senate-approved text positions the ANPD as the central authority coordinating AI regulation, while preserving sector regulators' specific powers (BACEN for financial services, ANS for health, CVM for securities, ANATEL for telecoms). The Sistema Nacional de Regulação e Governança da Inteligência Artificial (SIA) is the coordinating mechanism.
Penalties
Mirroring the LGPD's structure with AI-specific layers. Caps up to BRL 50 million per infraction, with multipliers for prohibited-use (excessive-risk) violations. Daily fines and operational suspension powers track the LGPD's framework.
Practical readiness
Organisations that already maintain LGPD-aligned controls (Article 7 lawful basis, Article 18 rights workflows, Article 20 review channels, Article 38 RIPDs, Article 41 encarregado) have the bulk of the foundation required by PL 2338/2023. The principal new build is the risk-tier classification process and the fundamental rights impact assessment template extending the RIPD beyond personal data to broader fundamental rights.
Intersection with the EU AI Act
For multinational enterprises that operate in both the EU and Brazil, PL 2338/2023 is structurally close to the EU AI Act but not identical. The differences matter for programme design.
Similarities
- Both adopt a four-tier risk classification with prohibited, high-risk, limited-risk, and minimal-risk categories.
- Both prohibit social scoring by public authorities and real-time biometric identification in publicly accessible spaces (with comparable narrow exceptions).
- Both require fundamental rights / conformity impact assessment for high-risk systems.
- Both require transparency disclosure for AI systems that interact with humans and labelling of generative outputs.
- Both contemplate regulatory sandboxes for innovative AI.
Differences
- Extraterritorial scope: The EU AI Act has broader extraterritorial reach (applies to providers and deployers where AI outputs are used in the EU). PL 2338/2023's extraterritorial reach is narrower and largely tied to the LGPD's Article 3 thresholds (processing of personal data in Brazil, offering goods or services to individuals in Brazil, or collection in Brazilian territory).
- Automated decision review: Brazil has a stronger individual right of review under LGPD Article 20 than the EU does under GDPR Article 22, because the LGPD does not require the decision to "produce legal effects" or "similarly significantly affect" the data subject - the LGPD threshold is decisions that "affect the data subject's interests." Brazilian data subjects can invoke Article 20 more readily than EU data subjects can invoke Article 22.
- Central authority: The EU AI Act distributes enforcement among Member State authorities, the AI Office, and the European AI Board. PL 2338/2023 designates the ANPD as central authority with sector-regulator coordination through the SIA.
- Generative AI / general-purpose AI: The EU AI Act introduces specific obligations for general-purpose AI models (Article 51 onwards). PL 2338/2023's Senate text addresses generative AI but is less prescriptive on general-purpose model documentation.
- Penalty caps: The EU AI Act's caps are higher (up to EUR 35 million or 7% of global turnover for prohibited practices). PL 2338/2023 mirrors the LGPD's BRL 50 million per-infraction structure.
Programme design implication
A unified AI governance programme can satisfy both regimes by using the EU AI Act as the baseline (it is generally more prescriptive) and bolting on Brazil-specific layers: LGPD Article 20 review-channel implementation, ANPD operating-procedure requirements (particularly the dosimetry-aware corrective measures workflow), and Portuguese-language documentation for notice and consent. A control plane that abstracts policy from compliance regime allows the same operational controls to satisfy both.
How Areebi Covers Brazil AI Compliance
Areebi maps directly to LGPD and (anticipated) PL 2338/2023 obligations. The platform's control plane is designed so the same operational primitive can satisfy multiple LGPD articles and PL 2338/2023 risk-tier obligations once enacted.
| Brazilian obligation | Areebi capability |
|---|---|
| LGPD Article 7 lawful basis selection | Policy engine with declared-purpose enforcement and lawful-basis tagging |
| LGPD Article 18 data subject rights | Rights workflow covering all nine titular rights with India and Brazil locale templates |
| LGPD Article 20 review of automated decisions | Audit trail of every AI decision with HITL routing and reason capture |
| LGPD Article 38 RIPD | Pre-built RIPD templates aligned to ANPD guidance and cross-mapped to NIST AI RMF |
| LGPD Article 41 encarregado support | Dedicated encarregado dashboard for ANPD inquiries and data subject communication |
| LGPD Article 52 dosimetry-aware controls | Documented internal mechanisms, prompt-detection workflow, and cooperation evidence package |
| ANPD breach notification expectation | Incident response workflow with Brazil-specific templates and two-business-day timer |
| PL 2338/2023 risk-tier classification (anticipated) | Risk-tier metadata for every AI use case, ready for fundamental rights impact assessment when required |
| Generative AI synthetic content labelling | Output watermarking and C2PA content credentials applied automatically |
| Sector regulator overlays (BACEN, ANS, CVM) | Sector-specific control packs for financial, health, and securities AI |
The control plane architecture decouples policy from compliance regime, so an organisation that runs a single Areebi tenant can satisfy LGPD today, layer PL 2338/2023 obligations when enacted, and reuse the same evidence for EU AI Act, NIST AI RMF, and ISO/IEC 42001 audits.
How to Prepare: A 6-Step Brazil AI Compliance Plan
Organisations that operate in Brazil or that process personal data of Brazilian residents should treat LGPD compliance as the operational floor and stage additional controls for PL 2338/2023. A practical six-step plan:
1. LGPD baseline audit
- Inventory all AI systems that process personal data of Brazilian residents, including shadow AI tools.
- For each system, document the lawful basis under Article 7, the purpose, the categories of personal data processed, and the data subjects affected.
- Flag any system relying on a generic privacy policy or non-specific consent for AI training or inference.
2. Appoint an encarregado (DPO) if not yet done
- Designate an encarregado with knowledge of the LGPD and the technical AI stack. Publish the encarregado's identity and contact information.
- Establish the channel of communication for data subjects and the ANPD. Document the response service levels.
3. Implement an Article 20 automated-decision review process
- For every AI system that makes consequential decisions, build the review request channel.
- Define the human review path: who reviews, against what criteria, with what evidence, and within what timeframe.
- Document the explainability artefacts shared with data subjects, subject to the protection of commercial and industrial secrets.
4. Build the AI inventory and RIPD library (Article 38)
- Maintain a current AI inventory mapping each system to lawful basis, data categories, risk profile, and Article 20 review status.
- Produce RIPDs for high-risk AI use cases. Where PL 2338/2023 is enacted, extend the RIPD scope to fundamental rights impact assessment.
- Cross-map the RIPD to NIST AI RMF MAP function evidence and (where applicable) ISO/IEC 42001 management system documentation.
5. Train the workforce on AI-specific LGPD obligations
- Train product, engineering, data science, and customer-facing teams on LGPD Article 7 lawful basis selection for AI, Article 18 rights workflows, and Article 20 review.
- Establish a clear escalation path to the encarregado for AI-specific questions.
- Include LGPD content in onboarding and annual refresher training.
6. Monitor PL 2338/2023 and prepare layered controls
- Track the Chamber of Deputies' review of PL 2338/2023. Subscribe to ANPD pareceres and the AI Coordination Office's outputs.
- Maintain a PL 2338/2023-readiness register: risk-tier classification candidate use cases, fundamental rights impact assessment templates, regulatory sandbox candidates.
- Run a tabletop exercise simulating an ANPD inquiry that combines an LGPD violation with an AI-specific aggravating factor (deepfake, denied Article 20 request, undisclosed automated decision).
Organisations seeking to accelerate Brazil AI compliance can request a demo to see how Areebi operationalises LGPD obligations alongside the broader AI control plane.