Brazil Advances Its AI Law with Risk-Based Framework Aligned with European Regulatory Principles

Q: How does Brazil's AI law relate to the LGPD?

Brazil's Bill 2338/2023 is explicitly designed to align with the existing General Data Protection Law (LGPD). The AI Act Resource Centre notes that the framework aligns with LGPD privacy protections, creating a coherent regulatory ecosystem. Businesses already compliant with the LGPD have a structural advantage in adapting to the new AI regulation requirements.

Brazil and European Union sign landmark AI and technology regulation agreement — what businesses need to know

Quick Answer:

Brazil is advancing as a regional benchmark in AI regulation. According to the AI Act Resource Centre, the Brazilian Senate approved Bill 2338/2023 on December 10, 2024, creating a risk-based framework that prohibits excessive-risk AI systems and requires transparency for high-risk ones, with fines up to BRL 50 million or 2% of company turnover.

Key Takeaways:

Bill 2338/2023: Approved by the Brazilian Senate on December 10, 2024; awaiting Chamber of Deputies vote before presidential signature.
Risk-based framework: Prohibits "excessive-risk" AI systems and imposes fairness, transparency, and comprehensibility requirements on "high-risk" systems.
Significant penalties: According to the AI Act Resource Centre, fines can reach BRL 50 million or 2% of the company's total turnover.
LGPD alignment: The new framework integrates with Brazil's existing General Data Protection Law, reinforcing a coherent regulatory ecosystem.
Training data provision: Permits use of copyrighted material for AI model training if obtained for non-profit purposes.

Brazil on the global AI regulation map

AI regulation is no longer an academic debate. It is legislative reality, and Brazil occupies a central position in that story for Latin America. While the European Union has advanced its own AI governance framework, Brazil is building a regulatory structure that shares fundamental principles with European approaches: risk classification, algorithmic transparency, and rights protection.

For businesses operating in Brazil, across Latin America, or serving users in that region, understanding the scope of Bill 2338/2023 is not optional. It is a competitive advantage that separates prepared businesses from those who will react too late.

Whether you run a business in Houston, Cypress, Monterrey, Bogotá, or São Paulo, the regulatory signals emerging from South America point toward a future where AI will have clear rules — and those who do not know them will pay the cost of ignorance.

The legislative journey of Bill 2338/2023

According to the AI Act Resource Centre, the Brazilian Senate approved Bill 2338/2023 on December 10, 2024. As of that source's reporting, the bill was awaiting Chamber of Deputies approval before presidential signature — its current legislative status may have advanced since then.

The bill text is currently available only in Portuguese, reflecting both its origin and its initial scope. However, its impact extends beyond language: any company offering AI systems in Brazil, regardless of where it is registered, will fall under its provisions.

Key detail: The AI Act Resource Centre notes that the bill proposes the creation of a new dedicated regulatory authority to oversee AI compliance in Brazil. This entity would coexist with the National Data Protection Authority (ANPD), which already supervises compliance with the General Data Protection Law (LGPD).

The existence of two complementary regulatory bodies — one for personal data and one for AI systems — represents a sophisticated digital governance model that places Brazil at the forefront in Latin America. Businesses that already manage LGPD compliance will have a structural advantage in adapting to the new AI framework.

The risk-based approach: what it prohibits and what it regulates

The core of Bill 2338/2023 is its risk classification architecture. Not all AI systems receive the same regulatory treatment. The bill distinguishes between categories based on the level of risk they represent for people's rights.

At the most critical level, the bill prohibits excessive-risk AI systems. These are systems that, by their nature or application, represent an unacceptable threat to fundamental rights. There is no compliance path that allows operating a system in this category — the prohibition is absolute.

For systems classified as high-risk, the bill imposes strict but navigable requirements. Companies operating these systems must guarantee fairness, transparency, and comprehensibility in their operation. This means users affected by AI decisions must be able to understand the reasoning behind those decisions — a principle directly related to civil and labor rights protection.

What this means in practice:

AI systems that make credit, employment, or service-access decisions will likely fall into the high-risk category.
Systems that generate low-impact content or basic assistance will likely remain outside the most restrictive categories.
Companies will need to document the logic of their AI systems to demonstrate compliance with the new regulatory authority.
The comprehensibility requirement demands interfaces or explanations that allow users to understand automated decisions.

Penalties and compliance: the numbers that matter

No regulatory conversation is complete without addressing consequences. The AI Act Resource Centre details that penalties under Bill 2338/2023 can reach up to BRL 50 million. Alternatively, the fine can equal 2% of the company's total turnover.

This penalty structure — a fixed ceiling or a revenue percentage — follows the logic of the European Union's General Data Protection Regulation (GDPR), which is not a coincidence. Brazil designed its LGPD with reference to the GDPR, and Bill 2338/2023 continues that tradition of drawing inspiration from European standards.

For a mid-sized company with annual revenues of BRL 10 million, the 2% would represent a BRL 200,000 fine. For a large enterprise, the BRL 50 million ceiling would be the more relevant benchmark. The dual formula ensures penalties are proportional to the size of the violator.

LGPD alignment: why the regulatory ecosystem matters

One of the most significant features of Bill 2338/2023 is its explicit design in harmony with the LGPD. The AI Act Resource Centre notes that the new framework aligns with LGPD privacy protections, creating a coherent regulatory ecosystem rather than two fragmented systems.

This has important practical implications for businesses. Companies that have already implemented LGPD-compliant data protection policies — consent management, access rights, rectification mechanisms — have a structural advantage. The transparency and fairness principles the bill requires for high-risk systems are naturally complementary to LGPD principles.

For businesses that have not yet formalized their LGPD compliance, now is the time to act. Bill 2338/2023, once approved, will create additional obligations on top of a foundation that should already be in place. Ignoring the LGPD today is equivalent to building regulatory infrastructure on sand.

The use of copyrighted data for AI training

One of the most debated aspects of global AI regulation is the use of copyright-protected content to train artificial intelligence models. Brazil has adopted a position that seeks to balance innovation with creator protection.

According to the AI Act Resource Centre, Bill 2338/2023 permits the use of copyrighted material for AI model training, provided that material was obtained for non-profit purposes. This provision has direct consequences for researchers, universities, non-profit organizations, and companies developing language models with open-access or public domain datasets.

For commercial companies training proprietary models with copyrighted datasets, the "non-profit" condition in the acquisition of that material represents an important boundary they will need to navigate with legal counsel.

What global regulatory convergence means for businesses in the Americas

The global movement toward AI regulation is not an isolated phenomenon in Brazil. The European Union has advanced its own AI governance framework, and the convergence of principles — risk classification, transparency, accountability — is creating a shared regulatory language that crosses borders.

For businesses in the Americas, this has a clear strategic implication: adapting to the most demanding regulatory standards is equivalent to preparing for the global market. A business that complies with the requirements of Bill 2338/2023 and the LGPD has a much stronger position to operate in markets with similar or stricter regulations.

Companies that build their AI systems with explainable architectures, audit capabilities, and transparency mechanisms from the start will have real competitive advantages. Not just before regulators, but before users and customers who increasingly value honesty about how automated systems that make decisions about their lives actually work.

Warning signal: Businesses operating in Brazil that do not yet have an inventory of their AI systems — classifying which ones make decisions affecting people's rights — are in regulatory risk territory. The time to do that mapping is now, while the bill is still in the Chamber of Deputies.

AI visibility as a competitive advantage in a regulated world

A secondary effect of AI regulation that few businesses are discussing is its impact on digital visibility. Search engines and AI assistants like ChatGPT, Perplexity, and Google AI Overviews prioritize content that meets standards of trustworthiness, transparency, and structure.

Companies that implement structured data (schema.org), clear privacy policies, question-and-answer content, and authority signals are precisely the companies that regulatory frameworks like Bill 2338/2023 seek to promote: transparent and responsible organizations.

In other words, complying with AI regulation and being visible to AI are mutually reinforcing goals. A business with strong data governance practices and algorithmic transparency is also a business that AI engines cite more frequently in their responses.

"AI regulation is not an obstacle for businesses — it is a filter that separates serious operators from improvised ones. Companies that prepare today will have a structural advantage when the rules become mandatory."
- Diego Medina F., Founder of MerchandisePROS

What this means for your business

The convergence between AI regulation and visibility in answer engines creates a specific opportunity for businesses that prepare now. When regulators demand transparency and AI engines prioritize structured, trustworthy content, the same investment pays dividends on two fronts.

If your business operates in Brazil, Latin America, or serves a Spanish-speaking audience in the United States, the relevant question is not whether you will need to comply with AI regulatory frameworks — it is whether you will be ready when that compliance is mandatory, and at the same time whether your business appears when a potential customer asks ChatGPT or Perplexity who is the best in your category.

MerchandisePROS offers AI Search Optimization (AEO) — the specific service that makes your business appear when ChatGPT, Perplexity, Claude, and Google AI Overviews answer questions relevant to your industry. This includes structured data implementation, question-and-answer content, authority signals, and llms.txt configuration — exactly the elements that make a business visible to AI and resilient to regulatory frameworks that demand transparency.

Check My AI Visibility Free Consultation

Frequently Asked Questions

What is Brazil's Bill 2338/2023?

Bill 2338/2023 is Brazil's comprehensive artificial intelligence regulatory framework. According to the AI Act Resource Centre, the Brazilian Senate approved the bill on December 10, 2024. It establishes a risk-based system that prohibits excessive-risk AI systems and imposes strict requirements on high-risk systems. As of the AI Act Resource Centre's reporting, the bill was awaiting a Chamber of Deputies vote before presidential signature.

What are the penalties under Brazil's AI regulation?

According to the AI Act Resource Centre, penalties under Brazil's Bill 2338/2023 can reach up to BRL 50 million or 2% of the company's total turnover. This dual structure ensures that fines are proportional to the size of the violating organization.

How does Brazil's AI law relate to the LGPD?

Bill 2338/2023 is explicitly designed to align with Brazil's existing General Data Protection Law (LGPD). The AI Act Resource Centre notes that the framework aligns with LGPD privacy protections, creating a coherent regulatory ecosystem. Businesses already compliant with the LGPD have a structural advantage in adapting to the new AI regulation requirements.

Can businesses use copyrighted material to train AI models in Brazil?

Yes, under specific conditions. According to the AI Act Resource Centre, Brazil's Bill 2338/2023 permits the use of copyrighted material for AI model training if that material was obtained for non-profit purposes. Commercial companies training proprietary models will need to verify the conditions under which their training datasets were obtained.

What does Brazil's AI regulation mean for businesses operating in Latin America?

Brazil is Latin America's largest economy and its AI regulatory framework has potential to influence the broader region. Businesses operating in Brazil will need to assess whether their AI systems fall into high-risk or excessive-risk categories, implement transparency mechanisms, and prepare to comply with a new supervisory authority that the bill proposes to create. Preparing now, while the bill is still in legislative process, is a strategic advantage.