AI Watch: Global Regulation Tracker – Brazil (Updated) | White & Case LLP

Applications of AI


Laws/regulations that directly regulate AI (“AI Regulations”)

Brazil plans to regulate AI through Bill No. 2,338/2023 (“Brazil's proposed AI regulations”), but there are currently no specific codification laws, statutory rules, or regulations that directly regulate AI.1

AI Regulation Status

If the AI ​​regulations proposed by Brazil are in effect and what the final text of its entails remains unknown. The U.S. Senate approved Bill 2,338/2023 in December 2024, but before it is approved by the President, the proposal still needs to be scrutinized and voted in the House of Representatives. Therefore, details are subject to change. Currently, there are no expected dates for the next development of legislative procedures.

Other laws affecting AI

There are a variety of laws that don't directly regulate AI, but can affect its development or use in Brazil. A non-exhaustive list of important examples includes:

  • Law number 13,709/2018 (General Data Protection Act) (“Brazil Data Protection Act”). This governs the processing of personal data.2
  • Legal number 8,078/1990 (Consumer Protection Act). This provides for consumer protection.3
  • Law number 9,610/1998 (Copyright Act). It provides for the rights of the authors and their associated rights.4

Intellectual Property Law can affect several aspects of AI development and use.

Definition of “AI”

As Brazil's proposed AI regulations are not yet a law, there is currently no legally recognized definition of AI in Brazil.

Nevertheless, the latest version of Brazil's proposed AI regulations enables AI systems to “enable ways of generating output or output for explicit or implicit purposes, particularly machine-based systems that may affect predictions, content, recommendations, or real-world environments.”5

Territory range

Brazil's proposed AI regulations currently have a wider territorial scope. Based on the current draft, it applies to the development, deployment and use of AI systems within the Brazilian territory without distinguishing between national and foreign entities.

Scope of department

The AI ​​regulations proposed by Brazil currently do not employ sector-specific focus. Based on the current draft, it applies to the development, deployment and use of AI systems regardless of sector.

The role of compliance

The proposed AI regulations in Brazil introduce obligations to the following AI system agents:

  • AI System Developer – “Whether public or private, it is natural or corporate, and is intended to develop AI systems directly or by fees, and apply them to services that you place in the market or under your name or brand, for consideration or free of charge.”6
  • AI System Distributor – “Whether public or private, natural or legal, we will make AI systems available for use by third parties, whether for consideration or free of charge.”7
  • AI System Operator (or Deployer) – “Whether public or private, natural or private, including supporting it through the provision of data for its operation and monitoring, whether it is public or private, as it is hiring or using AI systems independently or for its benefit.”8

Core Issues AI Regulations Are Troubled

Brazil's proposed AI regulations aim to protect fundamental rights and ensure the implementation of safe and reliable systems for human, democratic regimes and scientific technological development.

Risk classification

The AI ​​regulations proposed by Brazil classify AI systems according to different levels of risk.

  • Excessive risk AI systems (In particular) Include the following AI systems: (i) induce or manipulate actions in ways that could harm health, safety, fundamental rights, or democratic processes; (ii) exploiting the vulnerability of a particular group of people (such as age, disability or socioeconomic status) to cause harm; or (iii) implement real-time remote biometric identification in public spaces, except in circumstances that are carried out by public agencies for the purposes of illegal social scoring. Such excessive risk AI systems are prohibited, but others are subject to regulation by competent authorities.9
  • High-risk AI system Include AI systems used for specific purposes, such as (among other things). (i) Critical infrastructure security devices (such as traffic control, water, power supply networks). (ii) decision-making in education, employment, and access to critical public or private services; (iii) Specific autonomous vehicles. (iv) Applications in the healthcare sector. (v) Biometric authentication system. (vi) Criminal investigations and public safety.10

All AI systems shall undergo preliminary risk classifications implemented by the developer or deployer to determine whether they qualify as an overriding risk, high risk, or other AI system. For high-risk and general purpose AI systems, an algorithm impact assessment must be performed before the AI ​​system is placed on the market or can work.11

Key Compliance Requirements

Brazil's proposed AI regulations aim to establish a detailed approach to compliance requirements. For example, Brazil's proposed AI regulations currently require:

  • AI system developers or deployers will conduct a preliminary assessment to classify the level of risk for AI systems before entering the market. and
  • AI System Developers and Deployers: (i) Perform algorithm impact assessments for high-risk AI systems or systemic risks for systemic AI systems. (ii) Report a serious security incident to competent authorities;12

AI system developers and operators must establish governance structures and internal processes that will ensure system security and compliance with the rights of affected individuals, including at least:

  • Transparency regarding the use of AI systems in interactions with natural people, and governance measures adopted in organizations' development and use of AI systems.
  • Appropriate data management measurements to mitigate and prevent potential discriminatory biases.
  • including adopting privacy measurements from the design stage, justifying data processing in accordance with default data protection laws, and adopting techniques that minimize the use of personal data.
  • Isolation of data for training, testing, and validation of system results and adoption of appropriate parameters for organizations. and
  • Employing appropriate information security measures from the design stage to system operation.13

Additionally, AI system developers and operators of high-risk AI systems must adopt the following governance measurements and internal processes:

  • You need to document the operation of the system and the decisions related to its construction, implementation and use.
  • Automated logging tools for system operations must be used to: (i) Allows evaluation of its accuracy and robustness. (ii) Identify potential discriminatory issues; (iii) Take special attention to side effects and implement risk mitigation measures appropriately.
  • Tests should be performed to assess the appropriate level of reliability according to the application of the sector and type of AI system.
  • Data management measures should be adopted to mitigate and prevent discriminatory bias. and
  • Technical measures should be adopted to describe the results of AI systems and provide general information about the behavior of the model.14

Regulatory Authorities

Brazil's proposed AI regulations designate the National Data Protection Agency (ANPD) within the federal administration as a competent authority to be responsible for regulating artificial intelligence and coordinating national systems for artificial intelligence governance (SIA). ANPD oversees the implementation of regulations and works with departmental authorities.15

Enforcement power and punishment

In accordance with Brazil's proposed AI regulations, competent authorities will take a wide range of enforcement measures to consider. Specifically, the competent authorities are:

  • Order: (i) Reclassifying the risk level of AI systems. (ii) an AI system agent that conducts an algorithmic impact assessment to guide ongoing investigations. or (iii) an AI system agent taking steps to reverse or mitigate the impact of a serious security incident.
  • Management: (i) Warning. Or (ii) a simple fine of up to R $50,000,000.00 (50 million Brazilian Reais) per violation is up to 2% (2%) of the group's revenue for the previous fiscal year.
  • The violation will be published after the violation has been properly investigated and confirmed.
  • Prohibited or Restricted: (i) AI systems are to participate in a regulated sandbox regime provided for up to five years in the AI ​​regulations proposed by Brazil. or (ii) operations from a particular database.
  • Permanently halts the development, supply, or operation of an AI system, either partially or totally, temporarily or permanently.

Furthermore, a general Brazilian rule is that individuals and corporations who violate the law and cause harm to others, whether material or moral, may be ordered by the court to pay compensation.16

1 See the proposed AI rules for Brazil here. Approved on December 10th, 2024.
2See Brazil's Data Protection Law here.
3 See legal number 8,078/1990 here.
4 See Law No. 9,610/1998.
5 See here Article 4 of Brazil's proposed AI regulations.
6 See here Article 4, V of Brazil's proposed AI regulations.
7 See here Article 4 of Brazil's proposed AI regulations.
8 See here Article 4, VII of the proposed AI regulations in Brazil.
9 See here Article 13 of Brazil's proposed AI rules.
10 See here Article 14 of Brazil's proposed AI rules.
11Please refer to Articles 12 and 25 of the AI ​​regulations proposed by Brazil.
12Please refer to Articles 25 and 42 of the AI ​​regulations proposed by Brazil.
13 See here Article 17 of Brazil's proposed AI rules.
14 See here Article 18 of Brazil's proposed AI rules.
15 See here Article 45 of the proposed AI rules in Brazil.
16 See here Article 50 of Brazil's proposed AI regulations

Laura Bottega Eskudlark (associate, Pinheiro Neto Advogados) contributed to this publication.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *