Brazil AI Act
AI Regulatory Framework (Bill 2338/2023)
Overview
Brazil's AI Regulatory Framework (Bill 2338/2023) represents Latin America's most ambitious attempt at comprehensive AI regulation. Modeled significantly on the EU AI Act, it introduces a risk-based classification system, mandatory algorithmic impact assessments, and a broad catalog of individual rights regarding AI-driven decisions.
The bill has progressed through multiple committee reviews in the Brazilian Senate and Chamber of Deputies, with significant input from civil society, the technology industry, and academic institutions. It reflects Brazil's existing strong tradition of digital rights legislation, building on the Marco Civil da Internet (2014) and the Lei Geral de Proteção de Dados (LGPD, 2018).
If enacted, it would establish a national AI authority with enforcement powers and create sector-specific regulatory guidance for healthcare, financial services, and public administration.
Scope
The bill applies to AI systems developed or deployed in Brazil, AI systems whose outputs are used in Brazil, and AI systems that process data collected in Brazil. It covers public and private sector organizations, with special provisions for government use of AI in administrative decisions. Exemptions are provided for AI used exclusively in national defense and security contexts, and for academic research purposes.
Key Provisions
AI systems deemed to pose excessive risk are prohibited, including those used for social scoring by public authorities, real-time biometric surveillance in public spaces, and systems that exploit vulnerabilities of specific groups.
High-risk AI systems — including those used in healthcare diagnosis, credit scoring, employment decisions, and criminal justice — must undergo algorithmic impact assessments, implement human oversight mechanisms, and maintain detailed documentation.
Individuals have the right to: receive an explanation of AI-driven decisions; request human review of automated decisions; contest decisions made by AI systems; and access information about the logic and criteria used by AI systems.
Creates a national authority responsible for regulation, enforcement, issuing technical guidance, maintaining a registry of high-risk AI systems, and promoting AI literacy and innovation.
Implementation Timeline
May 2023
Bill 2338/2023 introduced in the Brazilian Senate
December 2024
Senate committee approval with amendments
2025
Chamber of Deputies review and deliberation
Expected 2026
Final passage and presidential signature (if approved)
Expected 2026-2027
Phased implementation with transition periods
Compliance Requirements
- Classify AI systems according to the risk framework (excessive, high, other)
- Conduct algorithmic impact assessments for high-risk systems
- Implement human oversight mechanisms for automated decisions
- Provide explanation mechanisms for AI-driven decisions affecting individuals
- Register high-risk AI systems with the national authority
- Maintain technical documentation and audit trails
- Establish grievance and appeal mechanisms for affected individuals
Enforcement Mechanism
Enforcement will be conducted by the national AI authority, with penalties expected to follow a tiered structure similar to the EU AI Act. The authority will have power to conduct investigations, issue administrative sanctions, order system modifications or suspensions, and impose fines. Sector-specific regulators (e.g., Central Bank, ANVISA for health) will have complementary jurisdiction for AI in their domains.
Practical Implications
Organizations operating AI systems in Brazil should monitor the bill's progress and begin preparing compliance frameworks aligned with both the Brazil AI Bill and LGPD requirements. The strong alignment with the EU AI Act means that organizations already compliant with the EU framework will have a significant head start. The individual rights provisions will require investment in explanation and appeal mechanisms. Companies should plan for algorithmic impact assessments as a core compliance activity.
Relation to EU AI Act
Brazil's bill is heavily modeled on the EU AI Act, sharing the risk-based classification approach, prohibition of certain AI practices, and emphasis on fundamental rights. Key differences include a stronger focus on individual rights of explanation and contestation, sector-specific regulatory integration, and provisions tailored to Brazil's unique digital ecosystem. Organizations complying with the EU AI Act will find significant overlap, but must address Brazil-specific requirements around the national authority and LGPD integration.