Towards AI Regulation in Brazil:

Abstract This chapter explores the emerging AI regulatory framework of Brazil. First, it introduces the existing Brazilian AI Strategy, exposing some of its most evident limitations, which have led the federal government to propose amendments as well as a proposal for a Brazilian Plan for AI. Second, it offers some insight into the development of a new AI regulatory framework, describing recent policymaking and the resulting bills that, as at the time of writing in early 2025, are still under discussion by the Brazilian Senate and Chamber of Deputies. Third, it provides an overview of the existing data protection norms that already regulate automated processing of personal data by AI systems, highlighting several risks related to the automated processing of personal data. The chapter emphasizes the need for solid enforcement mechanisms to make sure that the data protection provisions are utilized to shape the evolution of AI systems and exposes existing shortcomings. Through the analysis of a concrete case study, the chapter discusses why ChatGPT can be considered to be in breach of the Brazilian General Data Protection Law, and illustrates why data protection enforcement is still embryonic and barely effective in Brazil. Lastly, the chapter tries to identify possible desirable regulatory developments for Brazil and discusses how they could be achieved through substantial reform of the Brazilian Data Protection Authority.