What is AI regulation in Brazil?
AI regulation: countries and regions
Brazil does not yet have a single enacted AI Act. As of 4 June 2026, AI in Brazil is governed mainly by existing law, especially the LGPD, consumer, civil and copyright rules, while a broader national framework, PL 2338/2023, remains under review in the Chamber of Deputies after Senate approval in December 2024. Alongside that bill, the PBIA works as a federal policy and investment layer for public sector governance, infrastructure, training and controlled experimentation.
What this means
Brazil is in a transitional phase. There is no regulatory vacuum, because existing Brazilian law already reaches many AI practices, especially where personal data, automated decision-making, consumer treatment, liability, copyright or public administration are involved.
At the same time, Congress is debating a broader national framework. The Senate version of PL 2338/2023 would create a risk-based model, ban some uses, impose stronger duties for high-risk systems and organise regulatory coordination around the ANPD and sector authorities.
Separate from that bill, the PBIA is the government's policy layer. It is a national plan for capability, investment, infrastructure and public sector practice. It matters a great deal in operational terms, but it is not the same thing as an enacted AI statute for the whole private market.
Why it matters
If you build, buy, fine-tune or deploy AI in Brazil, the key challenge is not deciding whether to wait for a future AI law. It is governing AI under current law while preparing for a more explicit framework that could still change in Congress. Data training, biometric use, hiring tools, education monitoring, eligibility for essential services, health applications, synthetic content and procurement are already areas of live legal and governance risk.
For organisations, Brazil now requires two-track thinking. One track is current compliance, especially on data protection, transparency, accountability and non-discrimination. The other is readiness for the Senate bill's model, which would add formal risk classification, algorithmic impact assessment, human review, incident handling, public-facing rights and coordinated sector supervision if it advances in the Chamber.
How it works
Current legal position
As of 4 June 2026, Brazil has no enacted umbrella AI statute. The binding legal stack is still made up of existing law. The LGPD applies where AI systems collect, train on, infer from or otherwise process personal data. Consumer law still governs misleading or harmful automated services. Civil liability rules still matter for damage claims. Copyright law still matters for training material and generated material. Sector rules still continue to apply in regulated areas such as finance, health, education, telecoms and public administration.
That means AI regulation in Brazil already exists, but in a distributed form. In practice, organisations need to map which legal regime is triggered by each system, rather than waiting for one single AI code to do all the work.
From Senate approval to Chamber review
PL 2338/2023 is the centrepiece of Brazil's proposed national AI framework. The Senate approved the project in December 2024 and sent it to the Chamber of Deputies in March 2025. A special Chamber commission was created in April 2025, and Deputy Aguinaldo Ribeiro was appointed rapporteur in May 2025.
As of 4 June 2026, the project is still in Chamber review. It has accumulated a large number of attached bills, which means the Chamber is not reviewing the Senate text in isolation. In practical terms, the Senate version is the best current baseline for understanding Brazil's likely direction, but it is not yet the final law and should not be treated as settled text.
Risk classes and affected-person rights
The Senate text uses a risk-based structure. It distinguishes prohibited uses, high-risk uses and other uses that remain subject to more general duties. Any person or group affected by AI would have baseline rights to know when they are interacting with AI, to privacy and personal data protection, and to protection against unlawful or abusive discrimination.
For high-risk systems, the draft adds stronger rights. These include the right to an explanation, the right to contest and request review, and the right to human review, taking account of context, risk and technical feasibility. The bill also lists contexts that are presumptively high risk, including critical infrastructure, student admissions and monitoring, employment decisions, access to essential services and benefits, emergency service prioritisation, parts of justice and policing, some biometric and border uses, autonomous vehicles in public spaces and some health applications.
The prohibited list is also important. The Senate text would ban AI used for harmful manipulation, exploitation of vulnerabilities, personality or behaviour based crime scoring, the creation or facilitation of child sexual abuse material, illegitimate or disproportionate public social scoring, and autonomous weapons. It would also tightly restrict real-time remote biometric identification in publicly accessible spaces, allowing it only in narrow public security situations with strong conditions.
Governance duties for developers, distributors and deployers
The draft does not regulate only one actor. It applies duties across the value chain, including developers, distributors and deployers. For high-risk AI, it would require governance measures across the system life cycle, including preliminary risk assessment, technical documentation, human oversight, communication of serious incidents and sector-specific conformity procedures.
A central mechanism is the algorithmic impact assessment. Under the Senate text, this must be carried out before a high-risk system is placed on the market or put into service, then updated through the life cycle of the system. Its conclusions would be public, subject to protection for trade and industrial secrets. The draft also allows this document to be prepared together with a data protection impact report where the LGPD already requires one.
The proposal also reaches general-purpose and generative AI. Developers would need to assess expected risk, including possible systemic risk, document testing and residual risk, use lawfully governed data, publish summaries about training data and provide clear downstream instructions. The Senate text also addresses synthetic content and training-data transparency, which is one reason the Chamber debate now overlaps with separate bills on deepfakes, labelling and copyright.
Copyright is a distinctive part of the Brazilian debate. The Senate text would require developers that use protected content to publish a public summary of what protected material was used in development, preserve a narrower research-focused exception for text and data mining by certain scientific, educational and cultural institutions, allow rightsholders to forbid other uses, and provide for remuneration where protected content is used in mining, training or development outside those limited cases.
Institutions, enforcement and remedial paths
Institutionally, the Senate text authorises the federal executive to establish a System for Regulation and Governance of AI, the SIA. Within that model, the ANPD is named as the competent authority that would coordinate the system, while sector authorities would keep their own technical and sectoral powers. The model is therefore coordinated rather than fully centralised. The bill also creates a permanent regulatory cooperation council to help align guidance and practice across institutions.
If enacted in its Senate form, administrative sanctions would range from warnings to fines of up to BRL 50 million per infringement, with private legal entities exposed to fines of up to 2 percent of Brazilian turnover, subject to that cap. The proposal also allows suspension and other restrictive measures. At the same time, it does not replace existing consumer and civil liability regimes. Instead, it expressly preserves them, and it makes life easier for claimants in some disputes by allowing judges to reverse the burden of proof when system opacity makes proof excessively difficult.
The Senate text also supports supervised experimentation. It allows regulatory sandboxes to be authorised by the competent authority and sector regulators, with priority access for micro and small businesses, start-ups and research institutions. That is a flexibility tool, not an immunity tool, because sandbox participants remain responsible for harm caused during experimentation.
PBIA and the public sector policy layer
The PBIA sits on a different track from PL 2338/2023. The National Council for Science and Technology approved the PBIA proposal in November 2024, and the final version was published under MCTI coordination in June 2025. The plan is framed as a multi-year national strategy with a large investment envelope, up to BRL 23 billion over four years, focused on national capability, infrastructure, research, training and strategic use of AI.
This matters because Brazil's AI governance is moving through policy even before the Chamber finishes the bill. In federal digital government planning, PBIA-linked initiatives include AI infrastructure for the executive branch, project experimentation, publication of governance and risk good practice, guides for public servants, training tracks and annual mapping of AI adoption. These instruments are strongest inside government and in public procurement, rather than as a general private-sector code, but they still shape the national operating environment.
The public sector guidance now being published is practical rather than symbolic. Federal materials on generative AI tell public servants to avoid entering sensitive or internal information into unapproved tools, to validate content before publication, to keep human review and, where appropriate, to disclose AI assistance in institutional documents. In other words, the policy layer is already producing working rules for day-to-day use.
What could change next
The largest uncertainty is not whether Brazil is regulating AI, it is what final form that regulation will take. The Chamber can revise the Senate text substantially. Open issues include institutional design, the exact burden on smaller firms, copyright and remuneration rules, synthetic content labelling, labour and education provisions, and how public sector use should be framed.
That is why the safest reading today is this: Brazil already has enforceable AI-relevant law, the Senate has supplied a fairly detailed draft national framework, the Chamber is still reshaping that framework, and the PBIA is already pushing public policy and state capability forward in parallel.
Examples
A social platform wants to use posts and interactions from Brazilian users to train generative AI. That is not a future-only question in Brazil. In 2024, the ANPD intervened in Meta's plan to use personal data for AI training, first suspending the practice and later allowing it to resume only with restrictions, including stronger transparency, simpler objection rights and exclusion of children's and adolescents' accounts. The practical lesson is that AI training on user data can already trigger immediate LGPD scrutiny.
An employer uses an AI system to screen candidates or score workers for promotion. Under the Senate text, that sits squarely inside the listed high-risk category for employment and worker management. If PL 2338 were enacted in that form, the employer and other agents in the chain would need stronger governance, including explanation and review rights for affected people, human review, and algorithmic impact assessment tied to the actual context of use.
A ministry team wants to use generative AI to draft briefing notes or summarise documents. Federal guidance already says this should be treated as assisted drafting, not autonomous decision-making. Public servants are told to avoid putting sensitive or internal information into unapproved tools, to validate generated text before publication, and to use transparent notice where AI has helped generate institutional content. That is a good example of Brazil's policy layer creating practical guardrails before a national AI statute is enacted.
Common misunderstandings
Brazil already has a comprehensive AI Act in force. It does not. Brazil has enforceable AI-relevant rules today, but the broader national framework is still pending in the Chamber of Deputies.
PBIA and PL 2338/2023 are the same thing. They are not. PL 2338/2023 is the legislative track for a national framework. PBIA is a federal policy and investment plan.
Only model developers would be regulated. The Senate text is wider than that. It spreads duties across developers, distributors and deployers.
If a system is not classed as high risk, there is no regulation. That is wrong. Existing law still applies, especially the LGPD, consumer rules, liability rules and sector law.
A regulatory sandbox means legal immunity. It does not. Both the Senate text and ANPD practice treat sandboxing as supervised experimentation, while keeping liability for harm in place.
Risks and boundaries
The biggest boundary is legal status. The Senate text is not in force. The Chamber may amend almost every major point, including who regulates, how obligations are calibrated for smaller firms, how copyright and training-data rules work, how synthetic content must be identified, and how labour, public service and education issues are treated. Much of the bill's operational detail would then still depend on later regulation, sector rules and technical standards.
PBIA is also easy to overread. It is important, but it is not a substitute for legislation. It can shape budgets, procurement, infrastructure, federal capability and soft-law practice, yet it does not by itself create a single general compliance code for every private organisation. Likewise, ANPD enforcement under the LGPD is highly relevant, but it does not answer every AI question that falls outside personal data. The practical boundary is that Brazil currently has a layered governance picture, not one final and complete AI statute.
What to do next
Treat Brazil as a current-law-plus-pending-law jurisdiction, not as a wait-and-see market. Build your governance on what is enforceable now, while checking whether your systems would fall into the Senate draft's prohibited or high-risk buckets if that text, or something close to it, is enacted.
Map your AI estate against Brazil-specific pressure points: personal data, biometrics, hiring and worker management, education, health, essential services, synthetic content, public sector work and copyrighted training material. If a system touches one of those areas, assume it deserves heightened review.
Create an evidence trail now. That means data mapping, legal basis analysis, vendor diligence, testing records, human review rules, incident procedures, documentation for explainability and contestation, and a clear position on training data provenance and copyright. Even if the law changes, those records will travel well.
If you supply government or work inside government, follow the policy layer closely. PBIA-linked guidance, federal digital government practice and ANPD activity already affect acceptable operational behaviour. Avoid feeding sensitive or internal information into unapproved tools, keep human validation in place and make sure procurement and deployment teams are aligned on public sector guardrails.
Finally, watch the Chamber and the ANPD continuously. The fastest-changing parts of the Brazilian landscape are not abstract principles. They are legislative text, institutional design, public sector practice and the regulator's handling of AI and personal data.
FAQs
Does Brazil already have an AI law in force?
Not a comprehensive one. Brazil already regulates many AI activities through existing law, but the broader national framework in PL 2338/2023 is still pending in the Chamber of Deputies.
Is PL 2338/2023 the same as the PBIA?
No. PL 2338/2023 is the proposed national legislative framework. PBIA is the federal strategy and investment plan for AI capability, infrastructure, training and public sector practice.
Who would regulate AI if the Senate bill passed in its current form?
The Senate text places coordination with the ANPD as the competent authority, working with sector regulators inside a coordinated national system rather than replacing them.
What kinds of AI are treated as high risk in the Senate text?
The listed categories include AI used in critical infrastructure, student selection and monitoring, hiring and worker management, essential services, emergency prioritisation, parts of justice and policing, some biometric and border uses, autonomous vehicles in public spaces and some health uses.
Are some uses banned outright?
Yes, in the Senate draft. Examples include harmful manipulation, exploitation of vulnerabilities, personality or behaviour based crime scoring, certain child sexual abuse related uses, illegitimate public social scoring and autonomous weapons. Real-time remote biometric identification in public spaces is also tightly restricted.
Does Brazilian law already affect AI training on data?
Yes. The ANPD has already acted against planned AI training practices under the LGPD, which shows that data training can face enforcement even before a dedicated AI law is enacted.
Are sandboxes available in Brazil?
Yes, in a developing form. The Senate text includes AI sandboxes, and the ANPD is already running a regulatory sandbox project on AI and personal data. But sandbox participation does not remove liability for harm.
What should companies do while the bill is still pending?
Govern for today's law, but design for the likely future model. That means strong controls on data, transparency, human review, documentation, vendor management, incident handling and high-risk use cases.