What Brazil's ANPD expects from companies using generative AI

Contributors:

Tiago Neves Furtado

CIPP/E, CIPM, CDPO/BR, FIP

Partner

Opice Blum

Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

With Brazil's artificial intelligence bill still under discussion in Congress, its data protection authority, the Autoridade Nacional de Proteção de Dados, has taken a proactive step by releasing Technology Radar No. 3.

Issued in late 2024, the publication outlines the DPA's perspective on generative AI and its alignment with the country's General Data Protection Law. While not legally binding, the document provides important guidance organizations should not overlook.

Generative AI models, such as large language models, rely on large volumes of data for training, fine-tuning and use. The ANPD sees the data life cycle of these models as closely connected to the processing of personal data. This includes collecting, processing, sharing and deleting data. Each step involves specific privacy risks that must be managed in line with LGPD requirements.

In the data collection phase, the ANPD highlights the widespread use of web scraping tools that gather content from across the internet — often without checking whether that content includes personal or sensitive data. These datasets are often used without proper filtering or anonymization. The ANPD reminds organizations that even publicly available information is still subject to LGPD principles, especially when it comes to necessity, transparency and good faith.

During the processing stage, although training models usually hide raw data behind mathematical structures, there is still a risk of revealing personal data through techniques like model inversion or membership inference attacks. Moreover, AI models can generate synthetic content that looks very real, and in some cases, may affect individuals' reputation, privacy or rights.
