AI Compliance in Latin America: Brazil, Mexico, Colombia, Argentina

Brazil's Lei Geral de Proteção de Dados (LGPD), in force since 2021 with enforcement powers since August 2021, is the primary AI compliance framework in Brazil. Brazil's national data protection authority, ANPD, has issued specific guidance on AI.

LGPD Article 20 gives data subjects the right to request review of decisions made solely through automated processing that affect them — including profiling. The right applies when the decision produces "legal effects" or "significantly affects" the person. This is materially similar to GDPR Article 22.

What LGPD requires for AI systems: - **Legal basis**: Processing personal data requires one of 10 legal bases. For commercial AI, consent or legitimate interests are most common. - **Data subject rights**: Access, correction, deletion, data portability, and the right to review automated decisions must be implemented. - **DPO (Data Protection Officer)**: Required for companies that process large volumes of personal data or process sensitive data. - **Privacy Impact Assessment**: Required for high-risk processing, including most AI systems that process personal data. - **ANPD registration**: Not currently required, but expected to expand.

ANPD enforcement has been active since 2023. Its first sanctions were issued in 2023 against a company that failed to respond to data subject requests. Fines are calculated as a percentage of Brazilian turnover, not global turnover — but the R$50M cap is per violation, and each data subject's data processed unlawfully can constitute a separate violation.

Brazil's AI Bill (PL 2338/2023) passed the Senate in December 2024 and is before the Chamber of Deputies as of early 2026. If enacted in its current form, it creates a risk-based AI framework modeled on the EU AI Act.

Key provisions of PL 2338/2023: - **High-risk AI systems**: Defined by impact on fundamental rights, safety, and critical infrastructure. Hiring AI, credit AI, and healthcare AI are expected to qualify. - **Prohibited AI**: Subliminal manipulation, social scoring, real-time biometric surveillance in public spaces. - **Transparency requirements**: High-risk AI systems must disclose AI use to affected parties. - **Human oversight**: High-risk systems must allow human intervention. - **Impact assessment**: "Technical Due Diligence Report" required before deploying high-risk AI. - **Enforcement**: ANPD is proposed as the primary AI authority, with fines up to R$50M or 2% of revenue.

The bill is expected to pass in 2026. Companies operating in Brazil should design systems now that meet the probable requirements — given that the LGPD already covers most of the data processing aspects, the AI Bill adds governance, transparency, and documentation obligations.

Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) has been in force since 2010 and is Mexico's primary data protection law. It does not specifically address AI, but its provisions apply to AI systems that process personal data.

LFPDPPP key requirements for AI: - **Privacy notice**: Before collecting personal data used in AI, a clear privacy notice must be provided. It must explain the purpose of the processing. - **Consent**: For personal data used in sensitive processing (including profiling), explicit consent is required. - **Data subject rights**: ARCO rights — Access, Rectification, Cancellation, Opposition — must be honored. - **Security measures**: Administrative, physical, and technical security for personal data. - **Data transfers**: Cross-border transfers require consent or that the recipient country provides "adequate" protection.

INAI has taken enforcement action against companies failing to honor ARCO rights and for inadequate security. Mexico has no specific AI law as of 2026, but INAI has expressed interest in developing AI-specific guidance.

For AI systems in Mexico: the primary obligation is ensuring LFPDPPP compliance for any personal data used in training, inference, or decision-making. Given that INAI has not yet issued AI-specific guidance, the GDPR-aligned interpretation of automated decisions is a reasonable compliance baseline.

Several Mexican regulatory bodies have issued sector-specific guidance relevant to AI:

**Financial sector (CNBV)**: Mexico's banking regulator requires that credit scoring models be explainable to applicants who are denied credit. This applies to AI models used in lending decisions. The CNBV has broad authority to require model documentation and testing from regulated financial institutions.

**Telecommunications (IFT)**: The Federal Telecommunications Institute regulates algorithmic recommendation systems that are part of telecommunications services, with provisions around user consent and transparency.

**Healthcare (COFEPRIS)**: AI systems used in medical diagnosis or treatment are regulated as medical devices and require COFEPRIS clearance — similar to the FDA's SaMD framework.

**Competition (COFECE)**: Mexico's competition authority has indicated interest in algorithmic price coordination — the use of competing AI pricing systems that produce parallel pricing without explicit agreement.

Mexico's comprehensive AI legislation is expected to develop following Brazil's lead. Companies operating in Mexico should establish LGPD-equivalent practices even in the absence of an equivalent law, as this will ease future compliance requirements.

Colombia's data protection law, Ley 1581 de 2012, governs personal data processing and applies to AI systems that process personal data of Colombian residents. The Superintendencia de Industria y Comercio (SIC) enforces the law and has issued AI-specific guidance.

SIC issued "Guía para el Tratamiento de Datos Personales en el Contexto de la Inteligencia Artificial" in 2021 — one of the first AI-specific guidance documents in Latin America. Key points:

• ·Transparency: AI systems that make decisions about individuals must be explainable. The SIC guidance emphasizes that data subjects have a right to understand how AI decisions are made.
• ·Data minimisation: AI should process only the data necessary for the stated purpose.
• ·Bias prevention: Organisations are expected to test AI systems for discriminatory outcomes.
• ·Accountability: There must be a human responsible for AI decision-making outcomes.

Colombia has no dedicated AI law as of 2026, but the SIC guidance is the most detailed AI-specific regulatory document in Latin America outside of Brazil. Companies with Colombian operations should review the 2021 SIC guidance directly.

SIC enforcement has been active. The authority has issued fines for inadequate privacy notices, unauthorized data sharing, and failure to honor data subject rights. AI compliance in Colombia is primarily a data protection compliance exercise under Ley 1581, with additional guidance from the SIC AI document.

Argentina's Personal Data Protection Act (Ley 25.326, PDPA) has been in force since 2000 and is one of the oldest data protection laws in Latin America. Argentina was the first Latin American country to receive an EU adequacy decision for data transfers, which it has maintained.

PDPA applies to AI systems that process personal data of Argentine residents: - **Automated decision-making**: Article 10 provides that decisions with "legal effects" cannot be based solely on automated data processing, unless explicitly authorized by law or by the data subject. - **Data subject rights**: Access, correction, suppression, and confidentiality rights must be implemented. - **Sensitive data**: Biometric data, health data, and political opinions require explicit consent. - **Registration**: Data controllers must register databases with the AAIP.

Argentina is in the process of modernizing its data protection framework. A new draft law was circulated in 2023 that would align Argentina more closely with GDPR standards, including strengthened automated decision-making rights and higher fines (up to 2% of global turnover, similar to GDPR). The new law had not been enacted as of early 2026.

**AI Strategy**: Argentina published a National AI Strategy in 2023 with ethical principles for AI, but no binding AI law is in force as of 2026. The strategy emphasizes transparency, accountability, non-discrimination, and human oversight.