The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.

Laws/Regulations directly regulating AI (the “AI Regulations”)

Brazil intends to regulate AI through Bill No. 2,338/2023 ("Brazil's Proposed AI Regulation"), although there are currently no specific codified laws, statutory rules or regulations in Brazil that directly regulate AI.

Status of the AI Regulations

When Brazil's Proposed AI Regulation will come into effect, and what its final text will entail, remains unclear. It must yet be scrutinized and voted on in both the Federal Senate and the House of Representatives, before being approved by the president, and so the details remain subject to change. There is currently no expected date for the next developments in the legislative procedure.

Other laws affecting AI

There are various laws that do not directly seek to regulate AI but may affect its development or use in Brazil. A non-exhaustive list of key examples includes:

• Law No. 13,709/2018 (General Data Protection Law) (the "Brazilian Data Protection Law"), which provides for the processing of personal data.²
• Law No. 8,078/1990 (Consumer Protection Code), which provides for consumer protection.³
• Law No. 9,610/1998 (Copyright Law), which provides for authors' rights and those related to them.⁴

Intellectual property laws may affect several aspects of AI development and use.

Definition of “AI”

Given Brazil's Proposed AI Regulation is not yet law, there is currently no legally recognized definition of AI in Brazil. Nevertheless, at the time of publication, Brazil's Proposed AI Regulation defines an AI system as "a computational system, with varying degrees of autonomy, designed to infer how to achieve a given set of objectives, using approaches based on machine learning and/or logic and knowledge representation, through input data from machines or humans, with the aim of producing predictions, recommendations, or decisions that may influence the virtual or real environment."⁵

Territorial scope

Brazil's Proposed AI Regulation currently has a broad territorial scope. Based on the current draft, it will apply to the development, implementation, and use of AI systems within Brazilian territory, without making a distinction between national and foreign entities.

Sectoral scope

Brazil's Proposed AI Regulation does not currently adopt a sector-specific focus. Based on the current draft, it will apply to the development, implementation, and use of AI systems irrespective of sector.

Compliance roles

Brazil's Proposed AI Regulation will introduce obligations for the following AI system agents:

• AI system provider – being "a natural or legal person, whether public or private, that develops an AI system, directly or by commission, with the intention of placing it on the market or applying it in a service provided by them, under their own name or brand, for consideration or free of charge."⁶
• AI system operator – being "a natural or legal person, whether public or private, that employs or uses an AI system on their own behalf or for their benefit, unless the said system is used within the scope of a non-professional personal activity."⁷

Core issues that the AI Regulations seek to address

Brazil's Proposed AI Regulation aims to protect fundamental rights and ensures the implementation of secure and reliable systems for the benefit of the human person, the democratic regime, and scientific and technological development.

Risk categorization

Brazil's Proposed AI Regulation categorizes AI systems according to different levels of risk:

• Excessive-risk AI systems include (among others) those AI systems that: (i) employ subliminal techniques to induce behavior in others that is detrimental or dangerous to their health or safety, or against the principles of Brazil's Proposed AI Regulation; (ii) exploit vulnerabilities of specific groups of persons (e.g., age, or physical or mental disability), to induce behavior that is detrimental to their health or safety, or against the principles of Brazil's Proposed AI Regulation; or (iii) are implemented by the government for the purposes of social scoring. Such excessive-risk AI systems will be prohibited, while others will be subject to regulation by the competent authority.
• High-risk AI systems include AI systems used for certain purposes, such as (among others): (i) security devices in critical infrastructures (such as traffic control, water, and electricity supply networks); (ii) credit assessments; (iii) certain autonomous vehicles; (iv) applications in the healthcare sector; (v) biometric identification systems; and (vi) criminal investigation and public security.

Every AI system shall undergo a preliminary assessment conducted by the supplier to classify its degree of risk, and risk assessments must be undertaken prior to the AI system being placed onto the market or used in service.⁸

Key compliance requirements

Brazil's Proposed AI Regulation aims to establish a detailed approach to compliance requirements. By way of an example, Brazil's Proposed AI Regulation currently requires:

• AI system providers to conduct preliminary assessments to classify the risk level of the AI system before its placement on the market; and
• AI system providers and operators: (i) to conduct algorithmic impact assessments when requested by the competent authority, or whenever the AI system is deemed high-risk by the preliminary assessment; and (ii) to report serious security incidents to the competent authority.⁹

AI system providers and operators must also establish governance structures and internal processes capable of ensuring the security of systems and compliance with the rights of affected individuals, which shall include, at least:

• transparency regarding the use of AI systems in interacting with natural persons, and the governance measures adopted in the development and use of the AI system by the organization;
• adequate data management measures for the mitigation and prevention of potential discriminatory biases;
• the legitimization of data processing in accordance with data protection legislation, including through the adoption of privacy measures from the design stage and by default, and the adoption of techniques that minimize the use of personal data;
• the adoption of appropriate parameters for the separation and organization of data for training, testing, and the validation of the system's results; and
• the adoption of appropriate information security measures from the design stage to the operation of the system.¹⁰

In addition, AI system providers and operators of high-risk AI systems must adopt the following governance measures and internal processes:

• the operation of the system and the decisions involved in its construction, implementation, and use must be documented;
• automatic logging tools for system operation must be used in order to: (i) allow for the evaluation of its accuracy and robustness; (ii) identify potential discriminatory issues; and (iii) appropriately implement risk mitigation measures, with special attention to adverse effects;
• tests to assess appropriate levels of reliability, according to the sector and type of application of the AI system, must be conducted;
• data management measures to mitigate and prevent discriminatory biases must be adopted; and
• technical measures to enable explainability of the results of AI systems, and to provide general information about the operation of the model, must be adopted.¹¹

Regulators

The Executive Branch is expected to designate a competent authority, which will be the agency or entity of the Federal Public Administration responsible for implementing and overseeing Brazil's Proposed AI Regulation.¹² It is still unclear whether this authority will be a new or existing agency, such as the National Data Protection Authority.

Enforcement powers and penalties

Pursuant to Brazil's Proposed AI Regulation, the competent authority will have a range of enforcement measures to consider. Specifically, the competent authority may:

• Order: (i) the reclassification of the AI system's risk level; (ii) an AI system agent to conduct algorithmic impact assessments to guide ongoing investigations; or (iii) an AI system agent to take measures to reverse or mitigate the effects of a serious security incident.
• Administer: (i) a warning; or (ii) a simple fine of up to R$ 50,000,000.00 (fifty million Brazilian reais) per violation, being, in the case of a private legal entity, up to 2% (two percent) of the group's revenue for the preceding fiscal year.
• Publicize the violation after it has been duly investigated and confirmed.
• Prohibit or restrict: (i) the AI system from participating in the regulatory sandbox regime provided for in Brazil's Proposed AI Regulation, for up to five years; or (ii) processing from certain databases.
• Suspend the development, supply, or operation of the AI system on a partial or total, and temporary or permanent, basis.

Additionally, as a general rule in Brazil, individuals and legal entities that violate the law and cause harm to others, whether material or moral, may be ordered by a court to pay compensation.

1 See Brazil's Proposed AI Regulation here. It was proposed on May 3, 2023 before the Federal Senate.
2 See the Brazilian Data Protection Law here.
3 See Law No. 8,078/1990 here.
4 See Law No. 9,610/1998 here.
5 See Article 4, I of Brazil's Proposed AI Regulation.
6 See Article 4, II of Brazil's Proposed AI Regulation here.
7 See Article 4, III of Brazil's Proposed AI Regulation here.
8 See Article 13 of Brazil's Proposed AI Regulation here.
9 See Article 31 of Brazil's Proposed AI Regulation here. "Serious security incidents" include, for example, when there is a risk to the life and physical integrity of individuals, disruption of critical infrastructure operations, serious damage to property or the environment, as well as serious violations of fundamental rights.
10 See Article 19 of Brazil's Proposed AI Regulation here.
11 See Articles 19 and 20 of Brazil's Proposed AI Regulation here. Certain further information must also be provided upon request, while respecting industrial and commercial confidentiality.
12 See Articles 4, V, 32 and 33 of Brazil's Proposed AI Regulation here.

Daniel Mair (Trainee Solicitor, White & Case, Paris) contributed to this publication.

Pinheiro Neto Advogados contributors - Ciro Torres Freita sand André Zonaro Giacchetta

[View source.]